dcrat | 248856f33f34ee7f97fd2a83264d4c85251f06bce6d5761d416405a33849079b

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Result.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Refcrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe

Executes dropped EXE 7 IoCs

pid	Process
1168	SolaraBootstrapper.exe
4528	solara.exe
4956	Refcrt.exe
3048	sppsvc.exe
3192	vc_redist.x64.exe
1544	vc_redist.x64.exe
14080	sppsvc.exe

Loads dropped DLL 12 IoCs

pid	Process
5708	MsiExec.exe
5708	MsiExec.exe
5784	MsiExec.exe
5784	MsiExec.exe
5784	MsiExec.exe
5784	MsiExec.exe
5784	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
5708	MsiExec.exe
1544	vc_redist.x64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Pictures\\Camera Roll\\RuntimeBroker.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Media Player\\lsass.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Security\\BrowserCore\\TextInputHost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Windows\\LiveKernelReports\\Refcrt.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Windows\\LiveKernelReports\\Refcrt.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Offline\\backgroundTaskHost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Local Settings\\lsass.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Media Player\\lsass.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Vss\\RuntimeBroker.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Recovery\\WindowsRE\\Refcrt.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\cmd.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Local Settings\\lsass.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\lsass.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Recovery\\WindowsRE\\Refcrt.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\Offline\\backgroundTaskHost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\System\\csrss.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\lsass.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\Pictures\\Camera Roll\\RuntimeBroker.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Security\\BrowserCore\\TextInputHost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Common Files\\Services\\dllhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Common Files\\Services\\dllhost.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\System\\csrss.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\SppExtComObj.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Vss\\RuntimeBroker.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\cmd.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\SppExtComObj.exe\""	Refcrt.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
22	2796	msiexec.exe
24	2796	msiexec.exe
26	2796	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com
32	ipinfo.io
33	ipinfo.io
116	ip-api.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\node_modules\glob\glob.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\dist\diff.min.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\neq.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-adduser.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clone\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\opts.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\restart.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\npx.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\gyp	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\ours\util.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\@npmcli\fs\lib\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-bundled\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\lib\readdir-scoped.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-dedupe.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\inherits\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\removal.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\common\helpers.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\signal-handling.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\google\protobuf\descriptor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\CONTRIBUTING.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\proc-log\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\smart-buffer\build\utils.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\@npmcli\fs\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-pack.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\src\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\utils\types.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\get-node-modules.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\key.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\is.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-hook.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\utils.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\installed-package-contents\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\typings\client\socksclient.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\nodevars.bat	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\ping.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\sigstore_verification.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\render-template.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\classes\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmfund\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-prune.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\get-prefix.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\http-proxy-agent\dist\agent.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\place-dep.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\imurmurhash\imurmurhash.min.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-convert\conversions.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\columnify\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\role.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\_stream_readable.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\deduper.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\dist\diff.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\did-you-mean.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks-proxy-agent\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\are-we-there-yet\lib\tracker.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\vendor\QRCode\QRMode.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-columns\test.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-root.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\esm\mod.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\fs-minipass\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-convert\LICENSE	msiexec.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7040.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE321.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e785.msi	msiexec.exe
File created	C:\Windows\LiveKernelReports\a0b1fd4c5438e9	Refcrt.exe
File opened for modification	C:\Windows\Installer\MSIE95.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB0.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE506.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2EC.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6FE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF260.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\ServiceState\SEMgrSvc\spoolsv.exe	Refcrt.exe
File created	C:\Windows\LiveKernelReports\Refcrt.exe	Refcrt.exe
File opened for modification	C:\Windows\Installer\e57e781.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB22.tmp	msiexec.exe
File created	C:\Windows\Vss\RuntimeBroker.exe	Refcrt.exe
File opened for modification	C:\Windows\Installer\MSIF1E2.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Vss\9e8d7a4ca61bd9	Refcrt.exe
File created	C:\Windows\Installer\e57e781.msi	msiexec.exe
File created	C:\Windows\WinSxS\csrss.exe	Refcrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{31857B55-8F06-438C-8E19-16DF15DAE2E2}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	sppsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	solara.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
596	schtasks.exe
2548	schtasks.exe
4696	schtasks.exe
2436	schtasks.exe
1376	schtasks.exe
3608	schtasks.exe
4312	schtasks.exe
3096	schtasks.exe
4088	schtasks.exe
4760	schtasks.exe
1420	schtasks.exe
3304	schtasks.exe
3984	schtasks.exe
2832	schtasks.exe
3364	schtasks.exe
1632	schtasks.exe
2408	schtasks.exe
1328	schtasks.exe
208	schtasks.exe
1580	schtasks.exe
2116	schtasks.exe
1784	schtasks.exe
1880	schtasks.exe
2848	schtasks.exe
2176	schtasks.exe
440	schtasks.exe
3512	schtasks.exe
512	schtasks.exe
1184	schtasks.exe
3356	schtasks.exe
4092	schtasks.exe
948	schtasks.exe
1548	schtasks.exe
1948	schtasks.exe
4112	schtasks.exe
4816	schtasks.exe
4316	schtasks.exe
4764	schtasks.exe
2756	schtasks.exe
1544	schtasks.exe
2280	schtasks.exe
1020	schtasks.exe
4820	schtasks.exe
2036	schtasks.exe
796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1168	SolaraBootstrapper.exe
1168	SolaraBootstrapper.exe
4956	Refcrt.exe
4956	Refcrt.exe
4956	Refcrt.exe
4956	Refcrt.exe
3256	powershell.exe
3256	powershell.exe
3088	powershell.exe
3088	powershell.exe
3832	powershell.exe
3832	powershell.exe
4344	powershell.exe
4344	powershell.exe
3656	powershell.exe
3656	powershell.exe
2860	powershell.exe
2860	powershell.exe
1456	powershell.exe
3424	powershell.exe
3424	powershell.exe
3256	powershell.exe
1456	powershell.exe
4508	powershell.exe
4508	powershell.exe
4708	powershell.exe
4708	powershell.exe
4324	powershell.exe
4324	powershell.exe
3224	powershell.exe
3224	powershell.exe
540	powershell.exe
540	powershell.exe
4340	powershell.exe
4340	powershell.exe
100	powershell.exe
100	powershell.exe
540	powershell.exe
4340	powershell.exe
3048	sppsvc.exe
3048	sppsvc.exe
3088	powershell.exe
3656	powershell.exe
3832	powershell.exe
3832	powershell.exe
4344	powershell.exe
2860	powershell.exe
1456	powershell.exe
3424	powershell.exe
4508	powershell.exe
4708	powershell.exe
100	powershell.exe
4324	powershell.exe
3224	powershell.exe
3048	sppsvc.exe
3048	sppsvc.exe
3048	sppsvc.exe
3048	sppsvc.exe
3048	sppsvc.exe
3048	sppsvc.exe
3048	sppsvc.exe
3048	sppsvc.exe
3048	sppsvc.exe
2796	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3048	sppsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	SolaraBootstrapper.exe
Token: SeDebugPrivilege	4956	Refcrt.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	100	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	3048	sppsvc.exe
Token: SeShutdownPrivilege	852	msiexec.exe
Token: SeIncreaseQuotaPrivilege	852	msiexec.exe
Token: SeSecurityPrivilege	2796	msiexec.exe
Token: SeCreateTokenPrivilege	852	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	852	msiexec.exe
Token: SeLockMemoryPrivilege	852	msiexec.exe
Token: SeIncreaseQuotaPrivilege	852	msiexec.exe
Token: SeMachineAccountPrivilege	852	msiexec.exe
Token: SeTcbPrivilege	852	msiexec.exe
Token: SeSecurityPrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeLoadDriverPrivilege	852	msiexec.exe
Token: SeSystemProfilePrivilege	852	msiexec.exe
Token: SeSystemtimePrivilege	852	msiexec.exe
Token: SeProfSingleProcessPrivilege	852	msiexec.exe
Token: SeIncBasePriorityPrivilege	852	msiexec.exe
Token: SeCreatePagefilePrivilege	852	msiexec.exe
Token: SeCreatePermanentPrivilege	852	msiexec.exe
Token: SeBackupPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeShutdownPrivilege	852	msiexec.exe
Token: SeDebugPrivilege	852	msiexec.exe
Token: SeAuditPrivilege	852	msiexec.exe
Token: SeSystemEnvironmentPrivilege	852	msiexec.exe
Token: SeChangeNotifyPrivilege	852	msiexec.exe
Token: SeRemoteShutdownPrivilege	852	msiexec.exe
Token: SeUndockPrivilege	852	msiexec.exe
Token: SeSyncAgentPrivilege	852	msiexec.exe
Token: SeEnableDelegationPrivilege	852	msiexec.exe
Token: SeManageVolumePrivilege	852	msiexec.exe
Token: SeImpersonatePrivilege	852	msiexec.exe
Token: SeCreateGlobalPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
6140	chrome.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 1168	1576	Result.exe	86
PID 1576 wrote to memory of 1168	1576	Result.exe	86
PID 1576 wrote to memory of 1168	1576	Result.exe	86
PID 1576 wrote to memory of 4528	1576	Result.exe	88
PID 1576 wrote to memory of 4528	1576	Result.exe	88
PID 1576 wrote to memory of 4528	1576	Result.exe	88
PID 4528 wrote to memory of 3412	4528	solara.exe	89
PID 4528 wrote to memory of 3412	4528	solara.exe	89
PID 4528 wrote to memory of 3412	4528	solara.exe	89
PID 3412 wrote to memory of 4544	3412	WScript.exe	90
PID 3412 wrote to memory of 4544	3412	WScript.exe	90
PID 3412 wrote to memory of 4544	3412	WScript.exe	90
PID 4544 wrote to memory of 4956	4544	cmd.exe	92
PID 4544 wrote to memory of 4956	4544	cmd.exe	92
PID 4956 wrote to memory of 3224	4956	Refcrt.exe	139
PID 4956 wrote to memory of 3224	4956	Refcrt.exe	139
PID 4956 wrote to memory of 4708	4956	Refcrt.exe	140
PID 4956 wrote to memory of 4708	4956	Refcrt.exe	140
PID 4956 wrote to memory of 540	4956	Refcrt.exe	141
PID 4956 wrote to memory of 540	4956	Refcrt.exe	141
PID 4956 wrote to memory of 4372	4956	Refcrt.exe	142
PID 4956 wrote to memory of 4372	4956	Refcrt.exe	142
PID 4956 wrote to memory of 4324	4956	Refcrt.exe	143
PID 4956 wrote to memory of 4324	4956	Refcrt.exe	143
PID 4956 wrote to memory of 4344	4956	Refcrt.exe	144
PID 4956 wrote to memory of 4344	4956	Refcrt.exe	144
PID 4956 wrote to memory of 4508	4956	Refcrt.exe	145
PID 4956 wrote to memory of 4508	4956	Refcrt.exe	145
PID 4956 wrote to memory of 4340	4956	Refcrt.exe	146
PID 4956 wrote to memory of 4340	4956	Refcrt.exe	146
PID 4956 wrote to memory of 2860	4956	Refcrt.exe	147
PID 4956 wrote to memory of 2860	4956	Refcrt.exe	147
PID 4956 wrote to memory of 3832	4956	Refcrt.exe	148
PID 4956 wrote to memory of 3832	4956	Refcrt.exe	148
PID 4956 wrote to memory of 3656	4956	Refcrt.exe	149
PID 4956 wrote to memory of 3656	4956	Refcrt.exe	149
PID 4956 wrote to memory of 1456	4956	Refcrt.exe	150
PID 4956 wrote to memory of 1456	4956	Refcrt.exe	150
PID 4956 wrote to memory of 3088	4956	Refcrt.exe	151
PID 4956 wrote to memory of 3088	4956	Refcrt.exe	151
PID 4956 wrote to memory of 100	4956	Refcrt.exe	152
PID 4956 wrote to memory of 100	4956	Refcrt.exe	152
PID 4956 wrote to memory of 3424	4956	Refcrt.exe	153
PID 4956 wrote to memory of 3424	4956	Refcrt.exe	153
PID 4956 wrote to memory of 3256	4956	Refcrt.exe	154
PID 4956 wrote to memory of 3256	4956	Refcrt.exe	154
PID 4956 wrote to memory of 3048	4956	Refcrt.exe	171
PID 4956 wrote to memory of 3048	4956	Refcrt.exe	171
PID 1168 wrote to memory of 852	1168	SolaraBootstrapper.exe	172
PID 1168 wrote to memory of 852	1168	SolaraBootstrapper.exe	172
PID 1168 wrote to memory of 852	1168	SolaraBootstrapper.exe	172
PID 2796 wrote to memory of 5708	2796	msiexec.exe	175
PID 2796 wrote to memory of 5708	2796	msiexec.exe	175
PID 2796 wrote to memory of 5784	2796	msiexec.exe	176
PID 2796 wrote to memory of 5784	2796	msiexec.exe	176
PID 2796 wrote to memory of 5784	2796	msiexec.exe	176
PID 6140 wrote to memory of 5244	6140	chrome.exe	180
PID 6140 wrote to memory of 5244	6140	chrome.exe	180
PID 6140 wrote to memory of 2548	6140	chrome.exe	181
PID 6140 wrote to memory of 2548	6140	chrome.exe	181
PID 6140 wrote to memory of 2548	6140	chrome.exe	181
PID 6140 wrote to memory of 2548	6140	chrome.exe	181
PID 6140 wrote to memory of 2548	6140	chrome.exe	181
PID 6140 wrote to memory of 2548	6140	chrome.exe	181

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Result.exe
"C:\Users\Admin\AppData\Local\Temp\Result.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\msiexec.exe
    "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" /install /quiet /norestart
    3⤵
    - Executes dropped EXE
    PID:3192
  - - C:\Windows\Temp\{AAD79DE8-26AF-47AD-B98E-E067E98A9BFC}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{AAD79DE8-26AF-47AD-B98E-E067E98A9BFC}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1544
- C:\Users\Admin\AppData\Local\Temp\solara.exe
  "C:\Users\Admin\AppData\Local\Temp\solara.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
        
        "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4372
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Refcrt.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\Camera Roll\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3656
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\TextInputHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:100
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\Refcrt.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\backgroundTaskHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
      - C:\Users\Default User\sppsvc.exe
        
        "C:\Users\Default User\sppsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5744
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5372
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:5408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:4132
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:2440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:2716
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:3152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5336
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:4028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:4620
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5756
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:5164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:716
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5064
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:5488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:2388
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:3684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:4100
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:5712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5300
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:3604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5520
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:4288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:1548
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:2184
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:4760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:4368
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:5364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5724
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:5508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:3728
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:3664
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5380
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5836
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:5532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:2912
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:3476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:1300
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:3508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:464
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:6304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:4756
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:6188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5996
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:6632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:872
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:6692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5820
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:6376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6132
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:6548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:5788
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:6500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6160
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6216
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:6576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6296
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6368
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6440
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6492
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:6992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6564
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6704
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:6320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6748
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:5896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6840
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:5592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6880
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6928
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6984
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7048
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7136
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6316
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6604
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7196
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7276
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7388
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:7892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7452
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7516
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:3436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7680
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7716
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7764
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7840
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7872
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7972
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8028
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8096
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8172
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6512
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7540
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8208
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:9168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8300
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:9160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8364
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8408
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8480
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:8960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8588
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:9776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8692
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:9912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8784
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8844
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8892
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:9748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:8980
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:9632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:9060
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:9896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:9136
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:3524
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:9024
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:9656
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:9700
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:9788
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:9884
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:9968
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10040
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10124
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10220
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10264
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10360
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10460
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:4396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10528
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10588
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:10076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10632
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10684
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:4904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10748
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:2544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10800
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10840
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:3100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10924
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:2640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10984
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11096
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11192
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11228
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6108
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:10652
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11124
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:3416
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:7340
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:6076
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:5416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11296
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11368
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11472
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:11976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11576
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11640
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11724
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11800
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11868
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11984
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12032
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12116
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12212
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:11016
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12052
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12316
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12408
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12488
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12560
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12608
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:13004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12716
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:13384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12848
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:13152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:12900
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:13544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13028
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:12944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13100
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:13740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13144
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:13748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13200
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:13468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13188
        
        C:\Windows\system32\notepad.exe
        
        notepad.exe
        8⤵
        
        PID:13712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat" "
        7⤵
        
        PID:13572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BkTaWGfMnd.bat"
        7⤵
        
        PID:13796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:13872
        
        C:\Users\Default User\sppsvc.exe
        
        "C:\Users\Default User\sppsvc.exe"
        8⤵
        Executes dropped EXE
        
        PID:14080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Refcrt.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Refcrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Refcrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\Camera Roll\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Camera Roll\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Pictures\Camera Roll\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Vss\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\Refcrt.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\Refcrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\Refcrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Offline\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 8D715348D1F514382D391B9DADBEDDEB
  2⤵
  - Loads dropped DLL
  PID:5708
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 405700FC9208ADC26E47BFC4C26B779D
  2⤵
  - Loads dropped DLL
  PID:5784
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A179D5F2D83C7D9F0B48A399E5D2812A E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4892
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    PID:2548
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaecc3cc40,0x7ffaecc3cc4c,0x7ffaecc3cc58
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,1062568391366015814,11947684738492929904,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,1062568391366015814,11947684738492929904,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:5200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,1062568391366015814,11947684738492929904,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,1062568391366015814,11947684738492929904,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,1062568391366015814,11947684738492929904,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,1062568391366015814,11947684738492929904,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaecc3cc40,0x7ffaecc3cc4c,0x7ffaecc3cc58
  2⤵
  PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffae66c46f8,0x7ffae66c4708,0x7ffae66c4718
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17020031058515104034,10084298190721567930,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:5960

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1532

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:4388

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:12424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery