quasar | f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
18-04-2022 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe
Size

1.1MB
MD5

7a573e252438c649424b65ea23fece59
SHA1

e045ff31b02629170f6dd025a21b674796f056ca
SHA256

f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9
SHA512

c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Score

10^/10

quasar venomrat office04 evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

dopeillusions.hopto.org:1604

Mutex

VNM_MUTEX_YRuhcILkPkG4OKlC9H

Attributes

encryption_key
3wCBrbJytB9zaYeo3PZe
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 9 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1136-79-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1136-80-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1136-83-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1136-84-0x0000000000486BCE-mapping.dmp	disable_win_def
behavioral1/memory/1136-87-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1136-89-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/1124-165-0x0000000000080000-0x000000000010C000-memory.dmp	disable_win_def
behavioral1/memory/1124-161-0x0000000000080000-0x000000000010C000-memory.dmp	disable_win_def
behavioral1/memory/1124-168-0x0000000000080000-0x000000000010C000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\svchost.exe,"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1136-79-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1136-80-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1136-83-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1136-84-0x0000000000486BCE-mapping.dmp	family_quasar
behavioral1/memory/1136-87-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1136-89-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/1124-165-0x0000000000080000-0x000000000010C000-memory.dmp	family_quasar
behavioral1/memory/1124-161-0x0000000000080000-0x000000000010C000-memory.dmp	family_quasar
behavioral1/memory/1124-168-0x0000000000080000-0x000000000010C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 9 IoCs

Processes:

svchost.exesvchost.exeClient.exesvchost.exeClient.exesvchost.exeClient.exesvchost.exeClient.exe

pid	Process
1100	svchost.exe
1136	svchost.exe
1276	Client.exe
1124	svchost.exe
2064	Client.exe
2224	svchost.exe
616	Client.exe
2192	svchost.exe
2568	Client.exe

Loads dropped DLL 5 IoCs

Processes:

cmd.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	Process
1712	cmd.exe
1136	svchost.exe
1124	svchost.exe
2224	svchost.exe
2192	svchost.exe

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Local\\svchost.exe\""	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Drops file in System32 directory 12 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\r77-x64.dll	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\r77-x64.dll	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\r77-x64.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Client.exe	svchost.exe
File created	C:\Windows\SysWOW64\SubDir\r77-x64.dll	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

svchost.exe

description	pid	Process	procid_target
PID 1100 set thread context of 1136	1100	svchost.exe	41
PID 1100 set thread context of 1124	1100	svchost.exe	144
PID 1100 set thread context of 2224	1100	svchost.exe	232
PID 1100 set thread context of 2192	1100	svchost.exe	323

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
1772	schtasks.exe
1776	schtasks.exe
2484	schtasks.exe
2700	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	svchost.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid	Process
1736	PING.EXE
2324	PING.EXE
2248	PING.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

svchost.exesvchost.exeClient.exepowershell.exesvchost.exepowershell.exeClient.exesvchost.exepowershell.exeClient.exesvchost.exepowershell.exeClient.exesvchost.exe

pid	Process
1576	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1276	Client.exe
1512	powershell.exe
1136	svchost.exe
1136	svchost.exe
1136	svchost.exe
1136	svchost.exe
1136	svchost.exe
1136	svchost.exe
1136	svchost.exe
1100	svchost.exe
1100	svchost.exe
2080	powershell.exe
2064	Client.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1100	svchost.exe
1100	svchost.exe
1708	powershell.exe
616	Client.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
2224	svchost.exe
1100	svchost.exe
1100	svchost.exe
2624	powershell.exe
2568	Client.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe
2192	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid	Process
1100	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe

pid	Process
2036	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exesvchost.exesvchost.exesvchost.exeClient.exepowershell.exesvchost.exepowershell.exeClient.exesvchost.exepowershell.exeClient.exesvchost.exepowershell.exeClient.exe

description	pid	Process
Token: SeDebugPrivilege	2036	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe
Token: SeDebugPrivilege	1576	svchost.exe
Token: SeDebugPrivilege	1100	svchost.exe
Token: SeDebugPrivilege	1136	svchost.exe
Token: SeDebugPrivilege	1276	Client.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1124	svchost.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2064	Client.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	616	Client.exe
Token: SeDebugPrivilege	2192	svchost.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2568	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.execmd.exesvchost.execmd.exesvchost.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2036 wrote to memory of 908	2036	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe	28
PID 2036 wrote to memory of 908	2036	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe	28
PID 2036 wrote to memory of 908	2036	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe	28
PID 2036 wrote to memory of 908	2036	f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe	28
PID 908 wrote to memory of 1576	908	cmd.exe	30
PID 908 wrote to memory of 1576	908	cmd.exe	30
PID 908 wrote to memory of 1576	908	cmd.exe	30
PID 908 wrote to memory of 1576	908	cmd.exe	30
PID 1576 wrote to memory of 968	1576	svchost.exe	32
PID 1576 wrote to memory of 968	1576	svchost.exe	32
PID 1576 wrote to memory of 968	1576	svchost.exe	32
PID 1576 wrote to memory of 968	1576	svchost.exe	32
PID 1576 wrote to memory of 1712	1576	svchost.exe	34
PID 1576 wrote to memory of 1712	1576	svchost.exe	34
PID 1576 wrote to memory of 1712	1576	svchost.exe	34
PID 1576 wrote to memory of 1712	1576	svchost.exe	34
PID 1712 wrote to memory of 1100	1712	cmd.exe	36
PID 1712 wrote to memory of 1100	1712	cmd.exe	36
PID 1712 wrote to memory of 1100	1712	cmd.exe	36
PID 1712 wrote to memory of 1100	1712	cmd.exe	36
PID 1100 wrote to memory of 1908	1100	svchost.exe	37
PID 1100 wrote to memory of 1908	1100	svchost.exe	37
PID 1100 wrote to memory of 1908	1100	svchost.exe	37
PID 1100 wrote to memory of 1908	1100	svchost.exe	37
PID 1908 wrote to memory of 1932	1908	cmd.exe	39
PID 1908 wrote to memory of 1932	1908	cmd.exe	39
PID 1908 wrote to memory of 1932	1908	cmd.exe	39
PID 1908 wrote to memory of 1932	1908	cmd.exe	39
PID 1100 wrote to memory of 1564	1100	svchost.exe	40
PID 1100 wrote to memory of 1564	1100	svchost.exe	40
PID 1100 wrote to memory of 1564	1100	svchost.exe	40
PID 1100 wrote to memory of 1564	1100	svchost.exe	40
PID 1100 wrote to memory of 1136	1100	svchost.exe	41
PID 1100 wrote to memory of 1136	1100	svchost.exe	41
PID 1100 wrote to memory of 1136	1100	svchost.exe	41
PID 1100 wrote to memory of 1136	1100	svchost.exe	41
PID 1564 wrote to memory of 1612	1564	cmd.exe	43
PID 1564 wrote to memory of 1612	1564	cmd.exe	43
PID 1564 wrote to memory of 1612	1564	cmd.exe	43
PID 1564 wrote to memory of 1612	1564	cmd.exe	43
PID 1100 wrote to memory of 1136	1100	svchost.exe	41
PID 1100 wrote to memory of 1136	1100	svchost.exe	41
PID 1100 wrote to memory of 1136	1100	svchost.exe	41
PID 1100 wrote to memory of 1136	1100	svchost.exe	41
PID 1100 wrote to memory of 1136	1100	svchost.exe	41
PID 1100 wrote to memory of 1544	1100	svchost.exe	44
PID 1100 wrote to memory of 1544	1100	svchost.exe	44
PID 1100 wrote to memory of 1544	1100	svchost.exe	44
PID 1100 wrote to memory of 1544	1100	svchost.exe	44
PID 1544 wrote to memory of 1700	1544	cmd.exe	46
PID 1544 wrote to memory of 1700	1544	cmd.exe	46
PID 1544 wrote to memory of 1700	1544	cmd.exe	46
PID 1544 wrote to memory of 1700	1544	cmd.exe	46
PID 1100 wrote to memory of 856	1100	svchost.exe	47
PID 1100 wrote to memory of 856	1100	svchost.exe	47
PID 1100 wrote to memory of 856	1100	svchost.exe	47
PID 1100 wrote to memory of 856	1100	svchost.exe	47
PID 856 wrote to memory of 1836	856	cmd.exe	49
PID 856 wrote to memory of 1836	856	cmd.exe	49
PID 856 wrote to memory of 1836	856	cmd.exe	49
PID 856 wrote to memory of 1836	856	cmd.exe	49
PID 1100 wrote to memory of 592	1100	svchost.exe	50
PID 1100 wrote to memory of 592	1100	svchost.exe	50
PID 1100 wrote to memory of 592	1100	svchost.exe	50

C:\Users\Admin\AppData\Local\Temp\f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe
"C:\Users\Admin\AppData\Local\Temp\f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "C:\Users\Admin\AppData\Local\svchost.exe"
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\svchost.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Users\Admin\AppData\Local\svchost.exe
        
        "C:\Users\Admin\AppData\Local\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1932
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1612
      - C:\Users\Admin\AppData\Local\svchost.exe
        
        "C:\Users\Admin\AppData\Local\svchost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\svchost.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:1772
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        7⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        8⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0L3yHTkA0RPg.bat" "
        7⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:1736
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1700
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:868
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1300
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:960
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1172
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1580
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1144
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:540
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1644
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1608
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1196
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1640
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1120
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1840
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:772
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1964
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:456
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1700
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1964
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:472
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:456
      - C:\Users\Admin\AppData\Local\svchost.exe
        
        "C:\Users\Admin\AppData\Local\svchost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\svchost.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:1776
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        7⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        8⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bWF6M6EQs4yT.bat" "
        7⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:2324
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:968
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1920
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2192
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2368
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2412
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2448
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2564
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2600
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2680
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2716
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2756
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2792
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2828
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2900
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2936
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2972
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:3008
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3044
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:980
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2160
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2168
      - C:\Users\Admin\AppData\Local\svchost.exe
        
        "C:\Users\Admin\AppData\Local\svchost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\svchost.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:2484
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        7⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        8⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z1NL0LL7OryQ.bat" "
        7⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2112
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2412
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1276
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2780
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2860
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2892
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2920
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:3040
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2052
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2124
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2080
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:952
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2100
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1120
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1492
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1896
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:592
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1436
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:984
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1528
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1060
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:964
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2128
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2728
      - C:\Users\Admin\AppData\Local\svchost.exe
        
        "C:\Users\Admin\AppData\Local\svchost.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\svchost.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:2700
        
        C:\Windows\SysWOW64\SubDir\Client.exe
        
        "C:\Windows\SysWOW64\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        7⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        8⤵
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2412
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1464
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2544
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2524
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2052
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2108
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:2316
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1712
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2320
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:1932
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1564
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:3056
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:2044
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1992
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        Modifies WinLogon for persistence
        
        PID:1536
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        6⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\svchost.exe,"
        7⤵
        
        PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0L3yHTkA0RPg.bat

Filesize
199B

MD5
273a9f6fd31c614a255d4224c38e6880

SHA1
8befa685ebfddd7af7d040b4e1e48a11b7fc3799

SHA256
08208245fd6e4fbbfa2463b6e79357b4095b2b5e35db67768f2cb8ed17b76838

SHA512
ec64c3a60eaa2040a59f87369bb866168d879ed1781edf21ea9416c976659d21f034e56bcafb833bd1734fdb77411d63c3b12a95fc04f57b77e04f8272ca9941

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z1NL0LL7OryQ.bat

Filesize
199B

MD5
ddd2d5d3d21edaa3b23c7e2e25521576

SHA1
af0abb1c01da7efdcb6e38059d9ccb2f23f9351a

SHA256
cbbcb491c808e6a6db9a84661f73d049932418018db3f5529e352686ce0421a9

SHA512
861408e807867db489cbb90badb6a01acf3b36cc3f1f40c1ca44234ec08c90c3d2f15e32d8c0526d24dc4d38282e520fec25191e8d12016cb819c95ff433932b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bWF6M6EQs4yT.bat

Filesize
199B

MD5
8306c0e333a1ae6bd65f5e8e1dc01b9b

SHA1
599022c7b81d2f7fbab0216af066a2ee0a0f1494

SHA256
e4af3731dd35435be6e4e9d88533208e8c9bf7d466e702212a2d578a2ec75d2d

SHA512
c96daf4ec4a706df0e2e375739a6d63a6de8438d5af9541e24ead9407b1778ce1641aacc8d900ca7286274bfe65beda75ed93b6223cbe3f49c7a83ca39b25f79

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
355be3a79f0cdbc6bb6197b26487d7b5

SHA1
862906268f62a7fdd1eaa9209355ae3ed5415e8f

SHA256
fc1ad979245c854efeb73d60bd82312d0fc8d8b12c33cc99da582076ae494e24

SHA512
685092ec003ab42d05b29bbeb11f82e7db20465f419cdeea3a0852daae493edc9cf39b5f846f0587ee8b316d9bb0de724569b48ecd826abc3da3b192d4b372eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
355be3a79f0cdbc6bb6197b26487d7b5

SHA1
862906268f62a7fdd1eaa9209355ae3ed5415e8f

SHA256
fc1ad979245c854efeb73d60bd82312d0fc8d8b12c33cc99da582076ae494e24

SHA512
685092ec003ab42d05b29bbeb11f82e7db20465f419cdeea3a0852daae493edc9cf39b5f846f0587ee8b316d9bb0de724569b48ecd826abc3da3b192d4b372eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
355be3a79f0cdbc6bb6197b26487d7b5

SHA1
862906268f62a7fdd1eaa9209355ae3ed5415e8f

SHA256
fc1ad979245c854efeb73d60bd82312d0fc8d8b12c33cc99da582076ae494e24

SHA512
685092ec003ab42d05b29bbeb11f82e7db20465f419cdeea3a0852daae493edc9cf39b5f846f0587ee8b316d9bb0de724569b48ecd826abc3da3b192d4b372eb

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\svchost.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
\Windows\SysWOW64\SubDir\Client.exe

Filesize
1.1MB

MD5
7a573e252438c649424b65ea23fece59

SHA1
e045ff31b02629170f6dd025a21b674796f056ca

SHA256
f9a5cc1ca05c8bd98c407b513cebc621e69b226161c85779c5a4fe360a8025d9

SHA512
c2ead8930d51f7441e9baa15c493b0c8b9266b10b0330430a5ff7a205c5c0a44f85ab33d6a76583b107834b81796f15ce39b13243c1e7e68f8aee7cd584626de

Download Submit
memory/108-121-0x0000000000000000-mapping.dmp

Download
memory/456-146-0x0000000000000000-mapping.dmp

Download
memory/540-122-0x0000000000000000-mapping.dmp

Download
memory/540-147-0x0000000000000000-mapping.dmp

Download
memory/560-151-0x0000000000000000-mapping.dmp

Download
memory/592-93-0x0000000000000000-mapping.dmp

Download
memory/616-196-0x0000000000F80000-0x00000000010A6000-memory.dmp

Filesize
1.1MB

Download
memory/636-139-0x0000000000000000-mapping.dmp

Download
memory/688-111-0x0000000000000000-mapping.dmp

Download
memory/772-140-0x0000000000000000-mapping.dmp

Download
memory/836-131-0x0000000000000000-mapping.dmp

Download
memory/856-91-0x0000000000000000-mapping.dmp

Download
memory/868-94-0x0000000000000000-mapping.dmp

Download
memory/908-58-0x0000000000000000-mapping.dmp

Download
memory/960-110-0x0000000000000000-mapping.dmp

Download
memory/968-63-0x0000000000000000-mapping.dmp

Download
memory/1076-127-0x0000000000000000-mapping.dmp

Download
memory/1100-69-0x0000000000D70000-0x0000000000E96000-memory.dmp

Filesize
1.1MB

Download
memory/1100-73-0x0000000004300000-0x0000000004312000-memory.dmp

Filesize
72KB

Download
memory/1100-67-0x0000000000000000-mapping.dmp

Download
memory/1120-136-0x0000000000000000-mapping.dmp

Download
memory/1124-161-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1124-168-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1124-165-0x0000000000080000-0x000000000010C000-memory.dmp

Filesize
560KB

Download
memory/1136-79-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1136-76-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1136-77-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1136-89-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1136-83-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1136-84-0x0000000000486BCE-mapping.dmp

Download
memory/1136-87-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1136-80-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1144-120-0x0000000000000000-mapping.dmp

Download
memory/1172-112-0x0000000000000000-mapping.dmp

Download
memory/1184-117-0x0000000000000000-mapping.dmp

Download
memory/1196-132-0x0000000000000000-mapping.dmp

Download
memory/1220-128-0x0000000000000000-mapping.dmp

Download
memory/1276-106-0x0000000000510000-0x0000000000534000-memory.dmp

Filesize
144KB

Download
memory/1276-99-0x0000000000000000-mapping.dmp

Download
memory/1276-102-0x0000000001250000-0x0000000001376000-memory.dmp

Filesize
1.1MB

Download
memory/1300-97-0x0000000000000000-mapping.dmp

Download
memory/1380-141-0x0000000000000000-mapping.dmp

Download
memory/1428-109-0x0000000000000000-mapping.dmp

Download
memory/1480-96-0x0000000000000000-mapping.dmp

Download
memory/1484-142-0x0000000000000000-mapping.dmp

Download
memory/1484-148-0x0000000000000000-mapping.dmp

Download
memory/1492-119-0x0000000000000000-mapping.dmp

Download
memory/1512-113-0x000000006A660000-0x000000006AC0B000-memory.dmp

Filesize
5.7MB

Download
memory/1512-103-0x0000000000000000-mapping.dmp

Download
memory/1512-114-0x0000000004BB0000-0x0000000004CC4000-memory.dmp

Filesize
1.1MB

Download
memory/1544-81-0x0000000000000000-mapping.dmp

Download
memory/1564-74-0x0000000000000000-mapping.dmp

Download
memory/1576-62-0x0000000000210000-0x000000000021C000-memory.dmp

Filesize
48KB

Download
memory/1576-60-0x0000000000EF0000-0x0000000001016000-memory.dmp

Filesize
1.1MB

Download
memory/1576-59-0x0000000000000000-mapping.dmp

Download
memory/1580-143-0x0000000000000000-mapping.dmp

Download
memory/1580-118-0x0000000000000000-mapping.dmp

Download
memory/1608-129-0x0000000000000000-mapping.dmp

Download
memory/1612-75-0x0000000000000000-mapping.dmp

Download
memory/1612-125-0x0000000000000000-mapping.dmp

Download
memory/1616-130-0x0000000000000000-mapping.dmp

Download
memory/1636-137-0x0000000000000000-mapping.dmp

Download
memory/1640-134-0x0000000000000000-mapping.dmp

Download
memory/1640-149-0x0000000000000000-mapping.dmp

Download
memory/1644-126-0x0000000000000000-mapping.dmp

Download
memory/1652-115-0x0000000000000000-mapping.dmp

Download
memory/1692-105-0x0000000000000000-mapping.dmp

Download
memory/1700-82-0x0000000000000000-mapping.dmp

Download
memory/1704-133-0x0000000000000000-mapping.dmp

Download
memory/1704-124-0x0000000000000000-mapping.dmp

Download
memory/1704-116-0x0000000000000000-mapping.dmp

Download
memory/1708-202-0x000000006A380000-0x000000006A92B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-201-0x0000000004C40000-0x0000000004D44000-memory.dmp

Filesize
1.0MB

Download
memory/1712-150-0x0000000000000000-mapping.dmp

Download
memory/1712-64-0x0000000000000000-mapping.dmp

Download
memory/1756-135-0x0000000000000000-mapping.dmp

Download
memory/1772-95-0x0000000000000000-mapping.dmp

Download
memory/1836-92-0x0000000000000000-mapping.dmp

Download
memory/1840-138-0x0000000000000000-mapping.dmp

Download
memory/1840-145-0x0000000000000000-mapping.dmp

Download
memory/1908-71-0x0000000000000000-mapping.dmp

Download
memory/1932-123-0x0000000000000000-mapping.dmp

Download
memory/1932-72-0x0000000000000000-mapping.dmp

Download
memory/1964-144-0x0000000000000000-mapping.dmp

Download
memory/2000-107-0x0000000000000000-mapping.dmp

Download
memory/2036-56-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/2036-57-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/2036-54-0x0000000000EF0000-0x0000000001016000-memory.dmp

Filesize
1.1MB

Download
memory/2036-55-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/2064-173-0x0000000001160000-0x0000000001286000-memory.dmp

Filesize
1.1MB

Download
memory/2080-178-0x0000000004C20000-0x0000000004D24000-memory.dmp

Filesize
1.0MB

Download
memory/2080-179-0x000000006A3B0000-0x000000006A95B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-219-0x0000000000A30000-0x0000000000B56000-memory.dmp

Filesize
1.1MB

Download
memory/2624-223-0x0000000004BB0000-0x0000000004CB4000-memory.dmp

Filesize
1.0MB

Download
memory/2624-224-0x000000006A3B0000-0x000000006A95B000-memory.dmp

Filesize
5.7MB

Download