agenttesla | 3f50821e75438309214415a60245529318ef95d4c86bde2e65cb65d5e92cb7da

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysmysldrv.exe

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000002addf-3093.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002af6d-7827.dat	family_quasar
behavioral1/memory/8876-7832-0x00000000007E0000-0x0000000000B04000-memory.dmp	family_quasar

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

resource	yara_rule
behavioral1/memory/5144-3376-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/236-3378-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2628-3444-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 5524 created 5672	5524	http45.141.84.14Dropper.exe.exe	159
PID 5852 created 3312	5852	1348624104.exe	52
PID 5852 created 3312	5852	1348624104.exe	52
PID 5992 created 3312	5992	wupgrdsv.exe	52
PID 5992 created 3312	5992	wupgrdsv.exe	52

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmysldrv.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Contacts a large (2467) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/5992-3594-0x00007FF629B20000-0x00007FF62A096000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4520	powershell.exe
3492	powershell.exe
8656	powershell.exe
5296	powershell.exe
1080	powershell.exe
6480	powershell.exe
5652	powershell.exe
6000	powershell.exe
5360	powershell.exe
1088	powershell.exe
5488	powershell.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	processhacker-2.39-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "\"C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe\""	processhacker-2.39-setup.tmp

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/6472-4255-0x00000000050B0000-0x0000000005114000-memory.dmp	net_reactor
behavioral1/memory/6472-4254-0x0000000004AA0000-0x0000000004B06000-memory.dmp	net_reactor

Executes dropped EXE 64 IoCs

pid	Process
4600	processhacker-2.39-setup.exe
5176	processhacker-2.39-setup.tmp
724	ProcessHacker.exe
4656	ProcessHacker.exe
1972	http185.215.113.66pei.exe.exe
5928	http185.215.113.66newtpp.exe.exe
5968	sysmysldrv.exe
1968	74598348.exe
576	526729881.exe
1400	http198.46.174.13995wahost.exe.exe
5816	http198.46.174.13950regasm.exe.exe
5132	102622369.exe
6060	http192.3.176.13860sahost.exe.exe
5416	http192.3.176.13855sahost.exe.exe
1160	http198.46.174.13960regasm.exe.exe
1132	http107.172.31.1988sahost.exe.exe
5528	http192.3.176.13870sahost.exe.exe
5868	http192.3.176.13895sahost.exe.exe
3960	http45.15.9.44logon.exe.exe
464	http198.46.174.13995wahost.exe.exe
5904	http198.46.174.13995wahost.exe.exe
5696	http37.9.35.70latest.exe.exe
5108	irsetup.exe
4980	http198.46.174.13950regasm.exe.exe
5252	2096130574.exe
5144	http192.3.176.13860sahost.exe.exe
236	http192.3.176.13855sahost.exe.exe
5116	http192.3.176.13870sahost.exe.exe
3792	http192.3.176.13895sahost.exe.exe
1036	http192.3.176.13895sahost.exe.exe
2628	http198.46.174.13960regasm.exe.exe
5524	http45.141.84.14Dropper.exe.exe
4412	VBoxSVC.exe
5044	http45.141.84.14javaw.exe.exe
5852	1348624104.exe
3468	http112.213.98.38www.exe.exe
5992	wupgrdsv.exe
3496	http192.3.176.138105sahost.exe.exe
5812	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
5412	http192.3.176.138106sahost.exe.exe
1068	http185.215.113.19incCbmefxrmnv.exe.exe
2460	http185.215.113.19inc3544436.exe.exe
6472	http185.215.113.19incsystems.exe.exe
7096	http185.215.113.19inc2.exe.exe
9044	http185.215.113.19incclsid.exe.exe
6784	http192.3.176.138105sahost.exe.exe
8720	http192.3.176.138106sahost.exe.exe
8876	http87.106.114.72rat.exe.exe
7660	windowsManager32.exe
8200	windowsManager32.exe
8580	http185.215.113.19incCbmefxrmnv.exe.exe
8152	windowsManager32.exe
6788	http87.106.114.72updater.exe.exe
8652	windowsManager32.exe
4508	windowsManager32.exe
7708	windowsManager32.exe
7492	windowsManager32.exe
8860	dlupef.exe
8848	windowsManager32.exe
8608	windowsManager32.exe
6532	windowsManager32.exe
7820	dlupef.exe
7256	windowsManager32.exe

Loads dropped DLL 64 IoCs

pid	Process
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
1132	http107.172.31.1988sahost.exe.exe
1132	http107.172.31.1988sahost.exe.exe
1132	http107.172.31.1988sahost.exe.exe
1132	http107.172.31.1988sahost.exe.exe
1132	http107.172.31.1988sahost.exe.exe
1132	http107.172.31.1988sahost.exe.exe
1132	http107.172.31.1988sahost.exe.exe
5108	irsetup.exe
4412	VBoxSVC.exe
4412	VBoxSVC.exe
4412	VBoxSVC.exe
4412	VBoxSVC.exe
4412	VBoxSVC.exe
4412	VBoxSVC.exe
5280	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
5280	http87.106.114.72installer.exe.exe
2460	http185.215.113.19inc3544436.exe.exe
7096	http185.215.113.19inc2.exe.exe
5280	http87.106.114.72installer.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
7824	http70.35.206.129setup.exe.exe
3004	InitWinIo.exe
13204	initdb.exe
11392	initdb.exe
12260	postgres.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000200000002af4d-3332.dat	upx
behavioral1/memory/5108-3337-0x0000000000400000-0x00000000007CA000-memory.dmp	upx
behavioral1/memory/5108-3448-0x0000000000400000-0x00000000007CA000-memory.dmp	upx
behavioral1/memory/5108-3622-0x0000000000400000-0x00000000007CA000-memory.dmp	upx
behavioral1/files/0x000100000002af90-3655.dat	upx
behavioral1/memory/5108-3691-0x0000000000400000-0x00000000007CA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmysldrv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmysldrv.exe

Accesses Microsoft Outlook profiles 1 TTPs 27 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.138105sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13860sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http198.46.174.13960regasm.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13895sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.138106sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http198.46.174.13995wahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13870sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13895sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.138105sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.138106sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13855sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http198.46.174.13960regasm.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http198.46.174.13950regasm.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http198.46.174.13950regasm.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13895sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.138106sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.138105sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13860sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13855sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13855sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http198.46.174.13995wahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http198.46.174.13995wahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13870sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13870sahost.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http198.46.174.13960regasm.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http198.46.174.13950regasm.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.13860sahost.exe.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\Process Hacker 2 = "\"C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe\""	processhacker-2.39-setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\Process Hacker 2 = "\"C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe\" -hide"	processhacker-2.39-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmysldrv.exe"	http185.215.113.66newtpp.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\http185.215.113.19incsystems.exe = "C:\\Users\\Admin\\AppData\\Roaming\\http185.215.113.19incsystems.exe.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\VolumeInfo = "C:\\Users\\Admin\\AppData\\Roaming\\VolumeInfo.exe"	http185.215.113.19incCbmefxrmnv.exe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\w:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\x:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\z:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\e:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\h:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\k:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\r:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\b:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\j:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\o:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\p:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\q:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\s:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\t:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\y:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\a:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\i:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\m:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\n:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\u:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\v:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\g:	http112.213.98.38www.exe.exe
File opened (read-only)	\??\l:	http112.213.98.38www.exe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6600	drive.google.com
6622	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
455	checkip.dyndns.org

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	http112.213.98.38www.exe.exe

Drops file in System32 directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MTUSBHIDSwipe.ocx	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\WINIO.VXD	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\OPOSMSR.ocx	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\MTUSBHIDSwipe.ocx	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\testae49b310-614f-4795-afaa-a0a4c09050aa	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\Cash_Drawer_DLL.dll	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\msxml3a.dll	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\Schedocx.ocx	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\Cash_Drawer_DLL.dll	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\inpout32.dll	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\MSPOS_USB_2.dll	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\Schedocx.ocx	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\WinIo32b.sys	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\SBE6_32.dll	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\WINIO.SYS	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\duzactx.dll	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\WINIO.SYS	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\WinIo32a.sys	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\msxml3a.dll	http70.35.206.129setup.exe.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\SysWOW64\OPOSLineDisplay.ocx	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\OPOSCashDrawer.ocx	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\WINIO.VXD	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\WinIo32a.sys	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\MSPOS_USB.dll	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\Sb6Ent.OCX	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\OPOSScanner.ocx	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\WinIo32b.sys	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\WINIO.DLL	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\InitWinIo.exe	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\MSPOS_USB.dll	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\Sb6Ent.OCX	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\MTUSBHIDInsert.ocx	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\dzactx.dll	http70.35.206.129setup.exe.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	ProcessHacker.exe
File created	C:\Windows\SysWOW64\dzactx.dll	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\WinIo32.sys	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\WinIo3.sys	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\WINIO.DLL	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\duzactx.dll	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\WinIo3.dll	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\inpout32.dll	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\InitWinIo.exe	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\WinIo32.sys	InitWinIo.exe
File opened for modification	C:\Windows\SysWOW64\OPOSLineDisplay.ocx	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\WinIo3.dll	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\OPOSCashDrawer.ocx	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\OPOSScanner.ocx	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\MTUSBHIDInsert.ocx	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\WinIo3.sys	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\WinIo32.dll	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\WinIo32.sys	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\aminah.ini	http107.172.31.1988sahost.exe.exe
File created	C:\Windows\SysWOW64\MSPOS_USB_2.dll	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\WinIo32.dll	http70.35.206.129setup.exe.exe
File opened for modification	C:\Windows\SysWOW64\SBE6_32.dll	http70.35.206.129setup.exe.exe
File created	C:\Windows\SysWOW64\OPOSMSR.ocx	http70.35.206.129setup.exe.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1392	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1132	http107.172.31.1988sahost.exe.exe
1392	wab.exe

Suspicious use of SetThreadContext 33 IoCs

description	pid	Process	procid_target
PID 1400 set thread context of 5904	1400	http198.46.174.13995wahost.exe.exe	190
PID 5816 set thread context of 4980	5816	http198.46.174.13950regasm.exe.exe	193
PID 6060 set thread context of 5144	6060	http192.3.176.13860sahost.exe.exe	203
PID 5416 set thread context of 236	5416	http192.3.176.13855sahost.exe.exe	204
PID 5528 set thread context of 5116	5528	http192.3.176.13870sahost.exe.exe	216
PID 1132 set thread context of 1392	1132	http107.172.31.1988sahost.exe.exe	218
PID 1160 set thread context of 2628	1160	http198.46.174.13960regasm.exe.exe	220
PID 5868 set thread context of 3792	5868	http192.3.176.13895sahost.exe.exe	221
PID 4412 set thread context of 5196	4412	VBoxSVC.exe	228
PID 5044 set thread context of 2204	5044	http45.141.84.14javaw.exe.exe	236
PID 2460 set thread context of 4776	2460	http185.215.113.19inc3544436.exe.exe	271
PID 7096 set thread context of 5424	7096	http185.215.113.19inc2.exe.exe	280
PID 3496 set thread context of 6784	3496	http192.3.176.138105sahost.exe.exe	290
PID 5412 set thread context of 8720	5412	http192.3.176.138106sahost.exe.exe	295
PID 1068 set thread context of 8580	1068	http185.215.113.19incCbmefxrmnv.exe.exe	317
PID 8860 set thread context of 7820	8860	dlupef.exe	382
PID 6912 set thread context of 7944	6912	dlupef.exe	433
PID 6956 set thread context of 5280	6956	dlupef.exe	470
PID 8480 set thread context of 5180	8480	dlupef.exe	514
PID 10884 set thread context of 11672	10884	dlupef.exe	638
PID 12960 set thread context of 14640	12960	dlupef.exe	676
PID 15788 set thread context of 16656	15788	dlupef.exe	719
PID 18412 set thread context of 15992	18412	dlupef.exe	769
PID 18412 set thread context of 17600	18412	dlupef.exe	770
PID 18572 set thread context of 21048	18572	dlupef.exe	815
PID 23276 set thread context of 25508	23276	dlupef.exe	857
PID 23868 set thread context of 26036	23868	dlupef.exe	901
PID 27512 set thread context of 24620	27512	dlupef.exe	945
PID 29340 set thread context of 30928	29340	dlupef.exe	985
PID 32344 set thread context of 33960	32344	dlupef.exe	1040
PID 35540 set thread context of 36588	35540	dlupef.exe	1086
PID 35540 set thread context of 34792	35540	dlupef.exe	1087
PID 28560 set thread context of 38324	28560	dlupef.exe	1132

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-S2UU6.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files (x86)\KUTO VPN\favicon.ico	irsetup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-9PD84.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-4B84B.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-KTPAA.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files (x86)\KUTO VPN\Uninstall\uninstall.dat	irsetup.exe
File opened for modification	C:\Program Files (x86)\KUTO VPN\wv.exe	irsetup.exe
File created	C:\Program Files\Process Hacker 2\plugins\is-M3JD8.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-I0ODV.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-FE3DU.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files (x86)\KUTO VPN\lua5.1.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\KUTO VPN\kutoproxy.exe	irsetup.exe
File created	C:\Program Files (x86)\KUTO VPN\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-2ACN4.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files (x86)\KUTO VPN\Uninstall\uniB554.tmp	irsetup.exe
File created	C:\Program Files (x86)\KUTO VPN\wv.exe	irsetup.exe
File created	C:\Program Files\Process Hacker 2\is-P9NO2.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-P62DI.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files (x86)\nonresidentiary\pachisis.ini	http107.172.31.1988sahost.exe.exe
File created	C:\Program Files (x86)\KUTO VPN\Uninstall\uninstall.dat	irsetup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-LMA6E.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-LTI2P.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files (x86)\Common Files\forebyggelsen.Ove10	http107.172.31.1988sahost.exe.exe
File opened for modification	C:\Program Files (x86)\KUTO VPN\Uninstall\uninstall.xml	irsetup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-NLFHN.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files (x86)\KUTO VPN\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files (x86)\KUTO VPN\Uninstall\IRIMG2.JPG	irsetup.exe
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-5DQL5.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-BHB8N.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files (x86)\KUTO VPN\Uninstall\uniB554.tmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\KUTO VPN\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-FSJAL.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-H2GOO.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-3PKCO.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files (x86)\KUTO VPN\kutoproxy.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\KUTO VPN\WebView2Loader.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\KUTO VPN\favicon.ico	irsetup.exe
File created	C:\Program Files\Process Hacker 2\plugins\is-0L7AA.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files (x86)\KUTO VPN\WebView2Loader.dll	irsetup.exe
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-R6H97.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files (x86)\KUTO VPN\uninstall.exe	irsetup.exe
File created	C:\Program Files\Process Hacker 2\is-CN6JP.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-JHBS6.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-B7I13.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-A2E7P.tmp	processhacker-2.39-setup.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Tasks\Test Task17.job	http185.215.113.19incCbmefxrmnv.exe.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\sysmysldrv.exe	http185.215.113.66newtpp.exe.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\sysmysldrv.exe	http185.215.113.66newtpp.exe.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6100	sc.exe
4620	sc.exe
5412	sc.exe
2444	sc.exe
3056	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000500000002af5f-3726.dat	pyinstaller
behavioral1/files/0x000100000002af6c-8102.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	NETSH.EXE
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	NETSH.EXE
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	NETSH.EXE

Program crash 2 IoCs

pid	pid_target	Process	procid_target
7784	5424	WerFault.exe	280
7892	9044	WerFault.exe	278

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http198.46.174.13950regasm.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.19inc2.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http192.3.176.13870sahost.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmysldrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	postgres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	postgres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http192.3.176.138105sahost.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	postgres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InitWinIo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http198.46.174.13960regasm.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	postgres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.19inc3544436.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.19incCbmefxrmnv.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	102622369.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http107.172.31.1988sahost.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2096130574.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http192.3.176.138106sahost.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http198.46.174.13995wahost.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	postgres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	postgres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	postgres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66pei.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http112.213.98.38www.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.19incclsid.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlupef.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
22400	PING.EXE
8360	PING.EXE
34648	PING.EXE
29196	PING.EXE
31248	PING.EXE
35248	PING.EXE
8600	PING.EXE
22636	PING.EXE
28708	PING.EXE
27948	PING.EXE
37892	PING.EXE
9092	PING.EXE
17188	PING.EXE
29292	PING.EXE
30928	PING.EXE
41264	PING.EXE
13740	PING.EXE
20396	PING.EXE
4584	PING.EXE
19324	PING.EXE
22792	PING.EXE
30228	PING.EXE
16860	PING.EXE
26104	PING.EXE
35168	PING.EXE
6576	PING.EXE
9112	PING.EXE
7660	PING.EXE
9512	PING.EXE
15568	PING.EXE
18480	PING.EXE
3720	PING.EXE
32664	PING.EXE
3076	PING.EXE
19564	PING.EXE
22484	PING.EXE
24572	PING.EXE
10304	PING.EXE
15972	PING.EXE
35720	PING.EXE
15232	PING.EXE
33380	PING.EXE
6932	PING.EXE
6576	PING.EXE
9704	PING.EXE
37668	PING.EXE
7200	PING.EXE
1096	PING.EXE
6252	PING.EXE
19696	PING.EXE
22292	PING.EXE
12564	PING.EXE
19432	PING.EXE
34164	PING.EXE
37704	PING.EXE
6972	PING.EXE
3672	PING.EXE
6412	PING.EXE
10260	PING.EXE
13764	PING.EXE
26528	PING.EXE
25580	PING.EXE
4508	PING.EXE
38816	PING.EXE

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	http45.141.84.14Dropper.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	http45.141.84.14Dropper.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	http70.35.206.129setup.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key created	\REGISTRY\MACHINE\Hardware\Description\System\BIOS\	http70.35.206.129setup.exe.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	http70.35.206.129setup.exe.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675417691199581"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D246A07-1B14-11D2-BEFA-00006E228339}\TypeLib\ = "{7D246A04-1B14-11D2-BEFA-00006E228339}"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B20ABCF1-3855-11D3-8F7F-0000861EF01D}\TypeLib\ = "{B20ABC70-3855-11D3-8F7F-0000861EF01D}"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dzactxctrlPPG1.dzactxctrlPPG1	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duzactxctrlPPG4.duzactxctrlPPG4.1\CLSID\ = "{205720E4-9D3A-11D1-87C0-444553540000}"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Sb6ent.PPG1.6	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B20ABC7C-3855-11D3-8F7F-0000861EF01D}\TypeLib\ = "{B20ABC70-3855-11D3-8F7F-0000861EF01D}"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B20ABCF1-3855-11D3-8F7F-0000861EF01D}	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCB90181-B81E-11D2-AB74-0040054C3719}\TypeLib\Version = "1.0"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19BDA126-0D6E-41E9-9A5D-31E47071656B}	http70.35.206.129setup.exe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "12"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SCHEDOCX.SchedOCXCtrl.1\ = "ADDSoft Schedule/OCX Control Version 2"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B20ABC7F-3855-11d3-8F7F-0000861EF01D}\TypeLib\ = "{B20ABC70-3855-11d3-8F7F-0000861EF01D}"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CCB90180-B81E-11D2-AB74-0040054C3719}\1.0\ = "OPOS Scanner Control 1.8.000 [Public, by CRM/RCS-Dayton]"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B20ABC7A-3855-11D3-8F7F-0000861EF01D}\TypeLib	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FB90DCE-97D1-11D1-87C0-444553540000}\ProxyStubClsid32	http70.35.206.129setup.exe.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000030000000200000001000000ffffffff	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D246A06-1B14-11D2-BEFA-00006E228339}\ProxyStubClsid32	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D246A07-1B14-11D2-BEFA-00006E228339}\MiscStatus	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B20ABC76-3855-11D3-8F7F-0000861EF01D}\TypeLib\Version = "1.0"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duzactxctrlPPG1.duzactxctrlPPG1\ = "duzactxctrlPPG1 Class"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B20ABCF4-3855-11D3-8F7F-0000861EF01D}	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPOS.Scanner.1.8\CLSID\ = "{CCB90182-B81E-11D2-AB74-0040054C3719}"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCB90181-B81E-11D2-AB74-0040054C3719}\ = "IOPOSScanner14"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07119BE3-876B-11D1-9400-00A0248F2EF0}\TypeLib\Version = "1.0"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B20ABC72-3855-11D3-8F7F-0000861EF01D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B20ABC7E-3855-11D3-8F7F-0000861EF01D}	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPOS.MSR.1.8\CLSID\ = "{CCB90122-B81E-11D2-AB74-0040054C3719}"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCB91121-B81E-11D2-AB74-0040054C3719}\TypeLib\Version = "1.0"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCB90182-B81E-11D2-AB74-0040054C3719}\InprocServer32\ = "C:\\Windows\\SysWow64\\OposScanner.ocx"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCB91181-B81E-11D2-AB74-0040054C3719}\TypeLib	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duzactxctrlPPG3.duzactxctrlPPG3\CurVer\ = "duzactxctrlPPG3.duzactxctrlPPG3.1"	http70.35.206.129setup.exe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D246A06-1B14-11D2-BEFA-00006E228339}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B20ABC7B-3855-11d3-8F7F-0000861EF01D}\InprocServer32	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19BDA126-0D6E-41E9-9A5D-31E47071656B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22571E97-956A-4CDD-AF8D-AE9C26597683}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B20ABCF0-3855-11D3-8F7F-0000861EF01D}\ = "_IAutoFill"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCB90042-B81E-11D2-AB74-0040054C3719}\Insertable	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30540D25-80C2-44B4-8B2D-563A40B06670}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B20ABC7A-3855-11D3-8F7F-0000861EF01D}\TypeLib	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCB90043-B81E-11D2-AB74-0040054C3719}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duzactxctrl.duzactxctrl	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dzactxctrlPPG4.dzactxctrlPPG4	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E9D0E41-7AB8-11D1-9400-00A0248F2EF0}\1.0\HELPDIR	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCB92101-B81E-11D2-AB74-0040054C3719}\TypeLib\ = "{CCB90100-B81E-11D2-AB74-0040054C3719}"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCB91041-B81E-11D2-AB74-0040054C3719}\ = "IOPOSCashDrawer"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F85D797-E464-4205-80F5-AFB9072BFC76}\ = "USBHID"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D246A05-1B14-11D2-BEFA-00006E228339}	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCB90102-B81E-11D2-AB74-0040054C3719}\BuildInformation	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CCB91101-B81E-11D2-AB74-0040054C3719}\TypeLib\ = "{CCB90100-B81E-11D2-AB74-0040054C3719}"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A3590D4-F8BD-44FC-AB33-9633D241DA85}\ProxyStubClsid32	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dzactxctrlPPG5.dzactxctrlPPG5.1	http70.35.206.129setup.exe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B20ABC77-3855-11D3-8F7F-0000861EF01D}\TypeLib\Version = "1.0"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCB92101-B81E-11D2-AB74-0040054C3719}	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCB90042-B81E-11D2-AB74-0040054C3719}\TypeLib\ = "{CCB90040-B81E-11D2-AB74-0040054C3719}"	http70.35.206.129setup.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCB90043-B81E-11D2-AB74-0040054C3719}\TypeLib\ = "{CCB90040-B81E-11D2-AB74-0040054C3719}"	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A3590D4-F8BD-44FC-AB33-9633D241DA85}	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0FB90DC1-97D1-11D1-87C0-444553540000}\1.0\HELPDIR	http70.35.206.129setup.exe.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ProcessHacker.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier	chrome.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
6412	PING.EXE
33380	PING.EXE
3720	PING.EXE
9704	PING.EXE
40116	PING.EXE
30228	PING.EXE
10260	PING.EXE
11152	PING.EXE
15972	PING.EXE
17548	PING.EXE
32664	PING.EXE
6684	PING.EXE
9092	PING.EXE
17188	PING.EXE
4584	PING.EXE
8912	PING.EXE
31960	PING.EXE
38308	PING.EXE
26104	PING.EXE
34164	PING.EXE
19564	PING.EXE
30764	PING.EXE
13764	PING.EXE
1096	PING.EXE
24572	PING.EXE
13664	PING.EXE
8360	PING.EXE
7660	PING.EXE
19432	PING.EXE
35248	PING.EXE
18480	PING.EXE
28708	PING.EXE
7200	PING.EXE
6972	PING.EXE
4508	PING.EXE
9112	PING.EXE
25444	PING.EXE
8292	PING.EXE
3076	PING.EXE
13740	PING.EXE
12564	PING.EXE
17084	PING.EXE
29196	PING.EXE
8308	PING.EXE
10304	PING.EXE
37668	PING.EXE
13356	PING.EXE
30896	PING.EXE
37704	PING.EXE
14960	PING.EXE
31248	PING.EXE
3672	PING.EXE
28996	PING.EXE
29292	PING.EXE
27948	PING.EXE
22292	PING.EXE
22636	PING.EXE
30928	PING.EXE
6368	PING.EXE
18076	PING.EXE
20396	PING.EXE
22400	PING.EXE
7112	PING.EXE
37892	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
16096	schtasks.exe
25820	schtasks.exe
36840	schtasks.exe
2444	schtasks.exe
736	schtasks.exe
14048	schtasks.exe
12660	schtasks.exe
32584	schtasks.exe
6932	schtasks.exe
6564	schtasks.exe
27380	schtasks.exe
20748	schtasks.exe
27240	schtasks.exe
30108	schtasks.exe
33964	schtasks.exe
7660	schtasks.exe
8520	schtasks.exe
8328	schtasks.exe
10720	schtasks.exe
30616	schtasks.exe
1088	schtasks.exe
5000	schtasks.exe
6776	schtasks.exe
26324	schtasks.exe
1492	schtasks.exe
24844	schtasks.exe
32008	schtasks.exe
8060	schtasks.exe
11916	schtasks.exe
16948	schtasks.exe
25260	schtasks.exe
34768	schtasks.exe
6816	schtasks.exe
10200	schtasks.exe
9156	schtasks.exe
5900	schtasks.exe
14748	schtasks.exe
17000	schtasks.exe
6296	schtasks.exe
5424	schtasks.exe
2240	schtasks.exe
2936	schtasks.exe
38648	schtasks.exe
11440	schtasks.exe
27836	schtasks.exe
29424	schtasks.exe
39884	schtasks.exe
4128	schtasks.exe
7640	schtasks.exe
10564	schtasks.exe
5708	schtasks.exe
1976	schtasks.exe
12892	schtasks.exe
7764	schtasks.exe
23460	schtasks.exe
33756	schtasks.exe
17168	schtasks.exe
15988	schtasks.exe
39776	schtasks.exe
1520	schtasks.exe
4124	schtasks.exe
13108	schtasks.exe
20116	schtasks.exe
6440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
744	chrome.exe
744	chrome.exe
2836	msedge.exe
2836	msedge.exe
1708	msedge.exe
1708	msedge.exe
32	identity_helper.exe
32	identity_helper.exe
5248	msedge.exe
5248	msedge.exe
1116	chrome.exe
1116	chrome.exe
1116	chrome.exe
1116	chrome.exe
5176	processhacker-2.39-setup.tmp
5176	processhacker-2.39-setup.tmp
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4656	ProcessHacker.exe
8008	msedge.exe
24288	msedge.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1132	http107.172.31.1988sahost.exe.exe
4412	VBoxSVC.exe
5044	http45.141.84.14javaw.exe.exe
2204	cmd.exe
5196	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs

pid	Process
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
744	chrome.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe
Token: SeShutdownPrivilege	744	chrome.exe
Token: SeCreatePagefilePrivilege	744	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
5148	firefox.exe
5148	firefox.exe
5148	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
744	chrome.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
1708	msedge.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe
4656	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
5148	firefox.exe
5148	firefox.exe
5148	firefox.exe
5148	firefox.exe
5148	firefox.exe
5148	firefox.exe
5148	firefox.exe
5148	firefox.exe
5148	firefox.exe
5148	firefox.exe
5108	irsetup.exe
5108	irsetup.exe
5108	irsetup.exe
3468	http112.213.98.38www.exe.exe
3468	http112.213.98.38www.exe.exe
3468	http112.213.98.38www.exe.exe
3468	http112.213.98.38www.exe.exe
3468	http112.213.98.38www.exe.exe
3468	http112.213.98.38www.exe.exe
3468	http112.213.98.38www.exe.exe
3468	http112.213.98.38www.exe.exe
5876	javaw.exe
5876	javaw.exe
5876	javaw.exe
5876	javaw.exe
5876	javaw.exe
5876	javaw.exe
8008	msedge.exe
8008	msedge.exe
8008	msedge.exe
10316	msedge.exe
10316	msedge.exe
10316	msedge.exe
17628	msedge.exe
3468	http112.213.98.38www.exe.exe
10492	msedge.exe
10492	msedge.exe
10492	msedge.exe
24288	msedge.exe
24288	msedge.exe
24288	msedge.exe
24288	msedge.exe
24288	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 1560	744	chrome.exe	89
PID 744 wrote to memory of 1560	744	chrome.exe	89
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3848	744	chrome.exe	90
PID 744 wrote to memory of 3720	744	chrome.exe	91
PID 744 wrote to memory of 3720	744	chrome.exe	91
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92
PID 744 wrote to memory of 3724	744	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.138105sahost.exe.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	http192.3.176.138105sahost.exe.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3312
- C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\bomb.exe.zip
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebbb6cc40,0x7ffebbb6cc4c,0x7ffebbb6cc58
    3⤵
    PID:1560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1840 /prefetch:2
    3⤵
    PID:3848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2124 /prefetch:3
    3⤵
    PID:3720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2404 /prefetch:8
    3⤵
    PID:3724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3168 /prefetch:1
    3⤵
    PID:4504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:1968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4428 /prefetch:1
    3⤵
    PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4320,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4768 /prefetch:8
    3⤵
    PID:1216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4768 /prefetch:8
    3⤵
    PID:5004
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
    3⤵
    - Drops file in Windows directory
    PID:684
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff700734698,0x7ff7007346a4,0x7ff7007346b0
      4⤵
      Drops file in Windows directory
      PID:1880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5104,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4592 /prefetch:1
    3⤵
    PID:4148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4596,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4456 /prefetch:1
    3⤵
    PID:2360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3464,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4472 /prefetch:1
    3⤵
    PID:4436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3316,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4564 /prefetch:8
    3⤵
    PID:1176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3280,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5284 /prefetch:8
    3⤵
    PID:2876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5616,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5608 /prefetch:1
    3⤵
    PID:1756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6052,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6036 /prefetch:1
    3⤵
    PID:1048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4472,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5728 /prefetch:1
    3⤵
    PID:4944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5184,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5168 /prefetch:1
    3⤵
    PID:3884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3856,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5364 /prefetch:8
    3⤵
    PID:1124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5348,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4512 /prefetch:8
    3⤵
    PID:2304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6228,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6160 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    PID:4492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5956,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5896 /prefetch:1
    3⤵
    PID:1844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1180,i,17377764598306656324,7929651991797501788,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5168 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffed5f73cb8,0x7ffed5f73cc8,0x7ffed5f73cd8
    3⤵
    PID:2360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2024 /prefetch:2
    3⤵
    PID:1608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:8
    3⤵
    PID:3644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:2848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:1400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
    3⤵
    PID:1420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
    3⤵
    PID:1616
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:32
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
    3⤵
    PID:4764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
    3⤵
    PID:5124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
    3⤵
    PID:5448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
    3⤵
    PID:5456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:5680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,1548571787093877208,1316932860808459634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
    3⤵
    PID:5688
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:5148
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bed052a-c063-4cf0-b4e0-c80d95c084da} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" gpu
      4⤵
      PID:5516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23636 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3adeb6ef-2299-42bd-b235-d6a77c0c650f} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" socket
      4⤵
      Checks processor information in registry
      PID:5832
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3520 -childID 1 -isForBrowser -prefsHandle 3560 -prefMapHandle 3552 -prefsLen 23777 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5756d343-e168-4cb5-b4a4-723715bd1b06} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" tab
      4⤵
      PID:6116
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2948 -childID 2 -isForBrowser -prefsHandle 2872 -prefMapHandle 2736 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2bdbf1-9c15-4873-8fec-7080520aa5ca} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" tab
      4⤵
      PID:5212
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4200 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4288 -prefMapHandle 4280 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {decc6453-6f0e-44f0-8596-8982cd897f2c} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" utility
      4⤵
      Checks processor information in registry
      PID:5416
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5256 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d94336d-3ea1-4ea3-a37d-1f6e14fd3a34} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" tab
      4⤵
      PID:4544
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f12377f-0973-4026-a206-8d7111a9dd49} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" tab
      4⤵
      PID:4864
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5488 -prefMapHandle 5388 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d95fbd0-f282-4671-a58c-f4f7fdcdce20} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" tab
      4⤵
      PID:5076
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6284 -childID 6 -isForBrowser -prefsHandle 6328 -prefMapHandle 6316 -prefsLen 27182 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62129e83-3dcd-4737-905f-508ed8e97158} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" tab
      4⤵
      PID:1948
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6456 -childID 7 -isForBrowser -prefsHandle 6552 -prefMapHandle 6448 -prefsLen 27182 -prefMapSize 244628 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e915513-ff21-4321-a5fe-e580f01fef4d} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" tab
      4⤵
      PID:1492
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7036 -parentBuildID 20240401114208 -prefsHandle 2888 -prefMapHandle 6584 -prefsLen 29693 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16a8d1e7-2778-487d-a307-f07b270245a9} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" rdd
      4⤵
      PID:5780
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3760 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6960 -prefMapHandle 6936 -prefsLen 29693 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa2c4908-01f7-4ebc-befd-8f6e0c5f501f} 5148 "\\.\pipe\gecko-crash-server-pipe.5148" utility
      4⤵
      Checks processor information in registry
      PID:5788
- C:\Users\Admin\Downloads\processhacker-2.39-setup.exe
  "C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
  2⤵
  - Executes dropped EXE
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\is-KR27J.tmp\processhacker-2.39-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KR27J.tmp\processhacker-2.39-setup.tmp" /SL5="$80212,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5176
  - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
      "C:\Program Files\Process Hacker 2\ProcessHacker.exe" -installkph -s
      4⤵
      Executes dropped EXE
      PID:724
  - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
      "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SendNotifyMessage
      PID:4656
- C:\Users\Admin\Desktop\Malware\bomb.exe
  "C:\Users\Admin\Desktop\Malware\bomb.exe"
  2⤵
  PID:3928
- C:\Users\Admin\Desktop\Malware\bomb.exe
  "C:\Users\Admin\Desktop\Malware\bomb.exe"
  2⤵
  PID:5672
- - C:\Users\Admin\Desktop\Malware\http185.215.113.66pei.exe.exe
    "C:\Users\Admin\Desktop\Malware\http185.215.113.66pei.exe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\74598348.exe
      C:\Users\Admin\AppData\Local\Temp\74598348.exe
      4⤵
      Executes dropped EXE
      PID:1968
- - C:\Users\Admin\Desktop\Malware\http185.215.113.66newtpp.exe.exe
    "C:\Users\Admin\Desktop\Malware\http185.215.113.66newtpp.exe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:5928
  - - C:\Windows\sysmysldrv.exe
      C:\Windows\sysmysldrv.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      PID:5968
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        
        PID:436
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        
        PID:5704
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6100
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:4620
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:5412
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        
        PID:2444
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3056
    - - C:\Users\Admin\AppData\Local\Temp\526729881.exe
        
        C:\Users\Admin\AppData\Local\Temp\526729881.exe
        5⤵
        Executes dropped EXE
        
        PID:576
    - - C:\Users\Admin\AppData\Local\Temp\102622369.exe
        
        C:\Users\Admin\AppData\Local\Temp\102622369.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5132
    - - C:\Users\Admin\AppData\Local\Temp\2096130574.exe
        
        C:\Users\Admin\AppData\Local\Temp\2096130574.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5252
      - C:\Users\Admin\AppData\Local\Temp\1348624104.exe
        
        C:\Users\Admin\AppData\Local\Temp\1348624104.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        
        PID:5852
- - C:\Users\Admin\Desktop\Malware\http198.46.174.13995wahost.exe.exe
    "C:\Users\Admin\Desktop\Malware\http198.46.174.13995wahost.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1400
  - - C:\Users\Admin\Desktop\Malware\http198.46.174.13995wahost.exe.exe
      "C:\Users\Admin\Desktop\Malware\http198.46.174.13995wahost.exe.exe"
      4⤵
      Executes dropped EXE
      PID:464
  - - C:\Users\Admin\Desktop\Malware\http198.46.174.13995wahost.exe.exe
      "C:\Users\Admin\Desktop\Malware\http198.46.174.13995wahost.exe.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      PID:5904
- - C:\Users\Admin\Desktop\Malware\http198.46.174.13950regasm.exe.exe
    "C:\Users\Admin\Desktop\Malware\http198.46.174.13950regasm.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5816
  - - C:\Users\Admin\Desktop\Malware\http198.46.174.13950regasm.exe.exe
      "C:\Users\Admin\Desktop\Malware\http198.46.174.13950regasm.exe.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      PID:4980
- - C:\Users\Admin\Desktop\Malware\http192.3.176.13860sahost.exe.exe
    "C:\Users\Admin\Desktop\Malware\http192.3.176.13860sahost.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GJLeLgqV.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5360
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GJLeLgqV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFC93.tmp"
      4⤵
      PID:1812
  - - C:\Users\Admin\Desktop\Malware\http192.3.176.13860sahost.exe.exe
      "C:\Users\Admin\Desktop\Malware\http192.3.176.13860sahost.exe.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      PID:5144
- - C:\Users\Admin\Desktop\Malware\http192.3.176.13855sahost.exe.exe
    "C:\Users\Admin\Desktop\Malware\http192.3.176.13855sahost.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5416
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YTGPfoyKQaU.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:1088
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YTGPfoyKQaU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD8D.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5000
  - - C:\Users\Admin\Desktop\Malware\http192.3.176.13855sahost.exe.exe
      "C:\Users\Admin\Desktop\Malware\http192.3.176.13855sahost.exe.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      PID:236
- - C:\Users\Admin\Desktop\Malware\http198.46.174.13960regasm.exe.exe
    "C:\Users\Admin\Desktop\Malware\http198.46.174.13960regasm.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eVoVlc.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:1080
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eVoVlc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78F.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2444
  - - C:\Users\Admin\Desktop\Malware\http198.46.174.13960regasm.exe.exe
      "C:\Users\Admin\Desktop\Malware\http198.46.174.13960regasm.exe.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      PID:2628
- - C:\Users\Admin\Desktop\Malware\http107.172.31.1988sahost.exe.exe
    "C:\Users\Admin\Desktop\Malware\http107.172.31.1988sahost.exe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:1132
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Users\Admin\Desktop\Malware\http107.172.31.1988sahost.exe.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1392
- - C:\Users\Admin\Desktop\Malware\http192.3.176.13870sahost.exe.exe
    "C:\Users\Admin\Desktop\Malware\http192.3.176.13870sahost.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YTGPfoyKQaU.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:5488
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YTGPfoyKQaU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp378.tmp"
      4⤵
      PID:5048
  - - C:\Users\Admin\Desktop\Malware\http192.3.176.13870sahost.exe.exe
      "C:\Users\Admin\Desktop\Malware\http192.3.176.13870sahost.exe.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      PID:5116
- - C:\Users\Admin\Desktop\Malware\http192.3.176.13895sahost.exe.exe
    "C:\Users\Admin\Desktop\Malware\http192.3.176.13895sahost.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YTGPfoyKQaU.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5296
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YTGPfoyKQaU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D4.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5356
  - - C:\Users\Admin\Desktop\Malware\http192.3.176.13895sahost.exe.exe
      "C:\Users\Admin\Desktop\Malware\http192.3.176.13895sahost.exe.exe"
      4⤵
      Executes dropped EXE
      PID:1036
  - - C:\Users\Admin\Desktop\Malware\http192.3.176.13895sahost.exe.exe
      "C:\Users\Admin\Desktop\Malware\http192.3.176.13895sahost.exe.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      PID:3792
- - C:\Users\Admin\Desktop\Malware\http45.15.9.44logon.exe.exe
    "C:\Users\Admin\Desktop\Malware\http45.15.9.44logon.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:3960
- - C:\Users\Admin\Desktop\Malware\http37.9.35.70latest.exe.exe
    "C:\Users\Admin\Desktop\Malware\http37.9.35.70latest.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:5696
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1917298 "__IRAFN:C:\Users\Admin\Desktop\Malware\http37.9.35.70latest.exe.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1735401866-3802634615-1355934272-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:5108
- - C:\Users\Admin\Desktop\Malware\http45.141.84.14Dropper.exe.exe
    "C:\Users\Admin\Desktop\Malware\http45.141.84.14Dropper.exe.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Checks processor information in registry
    PID:5524
- - C:\Users\Admin\AppData\Roaming\netprofm\VBoxSVC.exe
    "C:\Users\Admin\AppData\Roaming\netprofm\VBoxSVC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:5196
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        
        PID:9016
- - C:\Users\Admin\Desktop\Malware\http45.141.84.14javaw.exe.exe
    "C:\Users\Admin\Desktop\Malware\http45.141.84.14javaw.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      4⤵
      Suspicious behavior: MapViewOfSection
      PID:2204
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7032
- - C:\Users\Admin\Desktop\Malware\http112.213.98.38www.exe.exe
    "C:\Users\Admin\Desktop\Malware\http112.213.98.38www.exe.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3468
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe "http://localhost:80/"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3156
- - C:\Users\Admin\Desktop\Malware\http192.3.176.138105sahost.exe.exe
    "C:\Users\Admin\Desktop\Malware\http192.3.176.138105sahost.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3496
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZsqrQcXa.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:6480
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZsqrQcXa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B51.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:6932
  - - C:\Users\Admin\Desktop\Malware\http192.3.176.138105sahost.exe.exe
      "C:\Users\Admin\Desktop\Malware\http192.3.176.138105sahost.exe.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      outlook_office_path
      outlook_win_path
      PID:6784
- - C:\Users\Admin\Desktop\Malware\http87.106.114.72installer.exe.exe
    "C:\Users\Admin\Desktop\Malware\http87.106.114.72installer.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:5812
  - - C:\Users\Admin\Desktop\Malware\http87.106.114.72installer.exe.exe
      "C:\Users\Admin\Desktop\Malware\http87.106.114.72installer.exe.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5280
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c forge.jar
        5⤵
        
        PID:8464
      - C:\Program Files\Java\jre-1.8\bin\javaw.exe
        
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\Malware\forge.jar"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5876
- - C:\Users\Admin\Desktop\Malware\http192.3.176.138106sahost.exe.exe
    "C:\Users\Admin\Desktop\Malware\http192.3.176.138106sahost.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hmHFrIXhafCkF.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:5652
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmHFrIXhafCkF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C5B.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1548
  - - C:\Users\Admin\Desktop\Malware\http192.3.176.138106sahost.exe.exe
      "C:\Users\Admin\Desktop\Malware\http192.3.176.138106sahost.exe.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      PID:8720
- - C:\Users\Admin\Desktop\Malware\http185.215.113.19incCbmefxrmnv.exe.exe
    "C:\Users\Admin\Desktop\Malware\http185.215.113.19incCbmefxrmnv.exe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:1068
  - - C:\Users\Admin\Desktop\Malware\http185.215.113.19incCbmefxrmnv.exe.exe
      "C:\Users\Admin\Desktop\Malware\http185.215.113.19incCbmefxrmnv.exe.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:8580
- - C:\Users\Admin\Desktop\Malware\http185.215.113.19inc3544436.exe.exe
    "C:\Users\Admin\Desktop\Malware\http185.215.113.19inc3544436.exe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2460
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4776
- - C:\Users\Admin\Desktop\Malware\http185.215.113.19incsystems.exe.exe
    "C:\Users\Admin\Desktop\Malware\http185.215.113.19incsystems.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:6472
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'http185.215.113.19incsystems.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'http185.215.113.19incsystems.exe' -Value '"C:\Users\Admin\AppData\Roaming\http185.215.113.19incsystems.exe.exe"' -PropertyType 'String'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:8656
- - C:\Users\Admin\Desktop\Malware\http185.215.113.19inc2.exe.exe
    "C:\Users\Admin\Desktop\Malware\http185.215.113.19inc2.exe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:7096
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      4⤵
      PID:5424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 420
        5⤵
        Program crash
        
        PID:7784
- - C:\Users\Admin\Desktop\Malware\http185.215.113.19incclsid.exe.exe
    "C:\Users\Admin\Desktop\Malware\http185.215.113.19incclsid.exe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:9044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9044 -s 984
      4⤵
      Program crash
      PID:7892
- - C:\Users\Admin\Desktop\Malware\http87.106.114.72rat.exe.exe
    "C:\Users\Admin\Desktop\Malware\http87.106.114.72rat.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:8876
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6296
  - - C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
      "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
      4⤵
      Executes dropped EXE
      PID:7660
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        5⤵
        
        PID:1208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0HOvhJM0Lmis.bat" "
        5⤵
        
        PID:7444
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:7980
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:8292
      - C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        6⤵
        Executes dropped EXE
        
        PID:8200
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        7⤵
        
        PID:8848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2WlNMg3dRf9L.bat" "
        7⤵
        
        PID:7920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:6148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        8⤵
        Executes dropped EXE
        
        PID:8152
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bpzik9Sr5afa.bat" "
        9⤵
        
        PID:7608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:6116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7200
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        10⤵
        Executes dropped EXE
        
        PID:8652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uvWm4vPoOe0Y.bat" "
        11⤵
        
        PID:7784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6932
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        12⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        13⤵
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAAdMtocm7po.bat" "
        13⤵
        
        PID:6244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:6568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6576
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        14⤵
        Executes dropped EXE
        
        PID:7708
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\slMjgZZRdD2n.bat" "
        15⤵
        
        PID:6420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:8176
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6972
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        16⤵
        Executes dropped EXE
        
        PID:7492
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HU98So7FWyxs.bat" "
        17⤵
        
        PID:7540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:8316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        Runs ping.exe
        
        PID:8308
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        18⤵
        Executes dropped EXE
        
        PID:8848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YH2SEbSyd55d.bat" "
        19⤵
        
        PID:6092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        20⤵
        Executes dropped EXE
        
        PID:8608
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CVysVUflz5WV.bat" "
        21⤵
        
        PID:2420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:7584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3720
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        22⤵
        Executes dropped EXE
        
        PID:6532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        23⤵
        
        PID:2360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L1WmGsd31yhg.bat" "
        23⤵
        
        PID:2308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4508
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        24⤵
        Executes dropped EXE
        
        PID:7256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tz3wbR4vtClg.bat" "
        25⤵
        
        PID:7456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:7568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        26⤵
        
        PID:6508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        27⤵
        
        PID:6244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kT3TRHUiJptQ.bat" "
        27⤵
        
        PID:9020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:6348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6576
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        28⤵
        
        PID:7952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        29⤵
        
        PID:6352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FH7fT3OKovPa.bat" "
        29⤵
        
        PID:6164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8360
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        30⤵
        
        PID:7924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKpDgXqN9OCR.bat" "
        31⤵
        
        PID:8588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:6528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3076
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        32⤵
        
        PID:8512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZNWf738NiBat.bat" "
        33⤵
        
        PID:8404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:9064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4584
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        34⤵
        
        PID:8556
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Fu0syujb9f3.bat" "
        35⤵
        
        PID:3324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:8944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6252
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        36⤵
        
        PID:8816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7duNINqMTpbp.bat" "
        37⤵
        
        PID:1468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:6844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        Runs ping.exe
        
        PID:6368
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        38⤵
        
        PID:7744
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wBRT4AHVzhCd.bat" "
        39⤵
        
        PID:3452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:6352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        Runs ping.exe
        
        PID:8912
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        40⤵
        
        PID:1340
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        41⤵
        
        PID:8012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAlQ1bHwM1Qb.bat" "
        41⤵
        
        PID:5500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:7828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6412
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        42⤵
        
        PID:8096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F5qpZ2iOu9r5.bat" "
        43⤵
        
        PID:464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:5800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        44⤵
        
        PID:1812
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QzTQS94kX2Br.bat" "
        45⤵
        
        PID:7188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:4520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        46⤵
        
        PID:8744
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKk7OSdmpTUa.bat" "
        47⤵
        
        PID:6320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:6404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        Runs ping.exe
        
        PID:6684
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        48⤵
        
        PID:7224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66KiDWFUE3nh.bat" "
        49⤵
        
        PID:8800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:8932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7660
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        50⤵
        
        PID:3176
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        51⤵
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V2tmyYqJgffC.bat" "
        51⤵
        
        PID:6388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:5688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9112
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        52⤵
        
        PID:6896
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcwQVmVCD93T.bat" "
        53⤵
        
        PID:8652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:5652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        Runs ping.exe
        
        PID:7112
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        54⤵
        
        PID:8600
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D4dFmFw4GDQ7.bat" "
        55⤵
        
        PID:5476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:8360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9092
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        56⤵
        
        PID:3360
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QJ2M0QZR80ut.bat" "
        57⤵
        
        PID:6916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:6396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1096
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        58⤵
        
        PID:7232
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZE3ngx2DV5Qk.bat" "
        59⤵
        
        PID:7884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:6368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8600
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        60⤵
        
        PID:10072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1M8rlvy9oi7r.bat" "
        61⤵
        
        PID:9400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:9492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        
        PID:9520
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        62⤵
        
        PID:9388
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        63⤵
        
        PID:9352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\07qfIfEACbfw.bat" "
        63⤵
        
        PID:9548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:9460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:9512
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        64⤵
        
        PID:11216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryarWcqDSbwF.bat" "
        65⤵
        
        PID:11108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:10532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:10260
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        66⤵
        
        PID:11692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:12660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tcq8zfzf3c95.bat" "
        67⤵
        
        PID:13080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:13100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9704
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        68⤵
        
        PID:12056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:11916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0faW4IudmYpD.bat" "
        69⤵
        
        PID:10256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:11560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:10304
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        70⤵
        
        PID:8988
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        71⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZtTfA0G0Pk7K.bat" "
        71⤵
        
        PID:1176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:12828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        Runs ping.exe
        
        PID:11152
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        72⤵
        
        PID:12560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        73⤵
        
        PID:10560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\da0dKO9CMgPz.bat" "
        73⤵
        
        PID:11004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:13076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:12564
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        74⤵
        
        PID:10368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        75⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:12892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6YQiD61DYRz7.bat" "
        75⤵
        
        PID:12876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:11400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        
        PID:10964
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        76⤵
        
        PID:15132
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        77⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:11440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9K72UgSrfnA4.bat" "
        77⤵
        
        PID:14592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:14280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:13764
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        78⤵
        
        PID:14564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        79⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:14748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSOaedfSfWH2.bat" "
        79⤵
        
        PID:15080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:15192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:15232
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        80⤵
        
        PID:14912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        81⤵
        
        PID:8212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jBoEjdGD4Yv2.bat" "
        81⤵
        
        PID:13436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:15172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:13740
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        82⤵
        
        PID:13512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        83⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:13108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mT9JLJbVIZe3.bat" "
        83⤵
        
        PID:14364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:14760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        Runs ping.exe
        
        PID:14960
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        84⤵
        
        PID:8664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        85⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:14048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ID5im1Qyjf7j.bat" "
        85⤵
        
        PID:13408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:15276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        Runs ping.exe
        
        PID:13356
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        86⤵
        
        PID:15584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        87⤵
        
        PID:15724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWhIte9iuFKd.bat" "
        87⤵
        
        PID:15848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:15956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:15972
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        88⤵
        
        PID:17368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        89⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:17168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXuPq18ywvIc.bat" "
        89⤵
        
        PID:16864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:17020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        Runs ping.exe
        
        PID:17084
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        90⤵
        
        PID:17240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        91⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:16096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RG7KWGaviSLr.bat" "
        91⤵
        
        PID:16876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:16336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        
        PID:15952
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        92⤵
        
        PID:15824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        93⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:17000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11GK9hutX3p2.bat" "
        93⤵
        
        PID:15852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:16800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:17188
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        94⤵
        
        PID:17288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        95⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:15988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w9BzzkJBUcwi.bat" "
        95⤵
        
        PID:16704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:16516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:15568
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        96⤵
        
        PID:18196
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        97⤵
        
        PID:18396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rX9HUnZ2MGY8.bat" "
        97⤵
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:3096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        Runs ping.exe
        
        PID:17548
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        98⤵
        
        PID:16256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        99⤵
        
        PID:18376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcNqm3jDqgvi.bat" "
        99⤵
        
        PID:17944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:17964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        Runs ping.exe
        
        PID:18076
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        100⤵
        
        PID:18988
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        101⤵
        
        PID:18768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4CDAlA20Jtcy.bat" "
        101⤵
        
        PID:18888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:19756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:18480
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        102⤵
        
        PID:18772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        103⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:20116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkLoPV0RdhBe.bat" "
        103⤵
        
        PID:19424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:19852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:19432
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        104⤵
        
        PID:20128
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        105⤵
        
        PID:17468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\etKa11y6N4a3.bat" "
        105⤵
        
        PID:20172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:20424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:16860
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        106⤵
        
        PID:12900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        107⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:16948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESfcF4MVeGRJ.bat" "
        107⤵
        
        PID:17456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:19656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:19564
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        108⤵
        
        PID:20168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        109⤵
        
        PID:19664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaP8AAl9GSrr.bat" "
        109⤵
        
        PID:4896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:19976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:20396
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        110⤵
        
        PID:20592
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        111⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:20748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ma8mdcLIvMRF.bat" "
        111⤵
        
        PID:20900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:22008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        112⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:22400
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        112⤵
        
        PID:21204
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        113⤵
        
        PID:21180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSTBKId4EyQP.bat" "
        113⤵
        
        PID:22140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:22008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        114⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:22484
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        114⤵
        
        PID:22516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        115⤵
        
        PID:20544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWFSEZWSXx4x.bat" "
        115⤵
        
        PID:22360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:21564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        116⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:22292
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        116⤵
        
        PID:20764
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        117⤵
        
        PID:20716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8AQFHz4wCR3l.bat" "
        117⤵
        
        PID:21976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:22168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        118⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:19324
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        118⤵
        
        PID:22320
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        119⤵
        
        PID:21308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\37YRK0L69AVZ.bat" "
        119⤵
        
        PID:22548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:22620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        120⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:22636
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        120⤵
        
        PID:23324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        121⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:23460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c8w9DGV7pcqA.bat" "
        121⤵
        
        PID:22308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:22704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        122⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:22792
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        122⤵
        
        PID:24064
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        123⤵
        
        PID:25428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMo6bPWIbII2.bat" "
        123⤵
        
        PID:23804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:24476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        124⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:24572
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        124⤵
        
        PID:24028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        125⤵
        
        PID:25344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4cJGc30NDSE7.bat" "
        125⤵
        
        PID:23372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:23880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        126⤵
        
        PID:23652
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        126⤵
        
        PID:24180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        127⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:25260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\71LJi9tSPi97.bat" "
        127⤵
        
        PID:25512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:24372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        128⤵
        Runs ping.exe
        
        PID:25444
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        128⤵
        
        PID:23940
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        129⤵
        
        PID:24076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fD3vWOubFU1x.bat" "
        129⤵
        
        PID:25384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:25260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        130⤵
        
        PID:24784
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        130⤵
        
        PID:23992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        131⤵
        
        PID:25428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEI1DuapR9na.bat" "
        131⤵
        
        PID:25120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        132⤵
        
        PID:24216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        132⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:19696
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        132⤵
        
        PID:22684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        133⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:24844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMzEqxgCmrfH.bat" "
        133⤵
        
        PID:25400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        134⤵
        
        PID:12180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        134⤵
        Runs ping.exe
        
        PID:13664
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        134⤵
        
        PID:26256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        135⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:25820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\epD6tJ36np9b.bat" "
        135⤵
        
        PID:26616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        136⤵
        
        PID:25936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        136⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:26528
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        136⤵
        
        PID:26340
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        137⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:26324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ebTErZewMvT7.bat" "
        137⤵
        
        PID:23940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        138⤵
        
        PID:19596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        138⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:26104
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        138⤵
        
        PID:20952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        139⤵
        
        PID:26484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hHtXmB6qBMDK.bat" "
        139⤵
        
        PID:20120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        140⤵
        
        PID:16084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        140⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:25580
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        140⤵
        
        PID:27280
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        141⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:27380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5HFad9hyxsMy.bat" "
        141⤵
        
        PID:27532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        142⤵
        
        PID:27572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        142⤵
        
        PID:27592
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        142⤵
        
        PID:27324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        143⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:27240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMzXEVGSGpCg.bat" "
        143⤵
        
        PID:27476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        144⤵
        
        PID:20500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        144⤵
        
        PID:26828
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        144⤵
        
        PID:27692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        145⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:27836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B5y60k5TABpw.bat" "
        145⤵
        
        PID:27976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        146⤵
        
        PID:28028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        146⤵
        
        PID:28052
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        146⤵
        
        PID:28200
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        147⤵
        
        PID:27864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E7x9HtsOseYy.bat" "
        147⤵
        
        PID:29452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        148⤵
        
        PID:27764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        148⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:28708
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        148⤵
        
        PID:29172
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        149⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:29424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CbHcJCGuKBXF.bat" "
        149⤵
        
        PID:29652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        150⤵
        
        PID:27844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        150⤵
        Runs ping.exe
        
        PID:28996
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        150⤵
        
        PID:5548
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        151⤵
        
        PID:29588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F4RcF6mp4Awb.bat" "
        151⤵
        
        PID:29556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        152⤵
        
        PID:29208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        152⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:29196
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        152⤵
        
        PID:28196
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        153⤵
        
        PID:24196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98jX2EAJ1wb9.bat" "
        153⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        154⤵
        
        PID:23500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        154⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:29292
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        154⤵
        
        PID:29624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        155⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i6nsTn5PYdjw.bat" "
        155⤵
        
        PID:28740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        156⤵
        
        PID:28052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        156⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:27948
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        156⤵
        
        PID:31096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        157⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:30108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ar7cOpldjrwd.bat" "
        157⤵
        
        PID:30784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        158⤵
        
        PID:30880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        158⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:30928
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        158⤵
        
        PID:30604
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        159⤵
        
        PID:30216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9Sdm9sLwpbWu.bat" "
        159⤵
        
        PID:29768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        160⤵
        
        PID:30832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        160⤵
        Runs ping.exe
        
        PID:30896
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        160⤵
        
        PID:30052
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        161⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:30616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Slu7C2ocFZul.bat" "
        161⤵
        
        PID:29864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        162⤵
        
        PID:30372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        162⤵
        Runs ping.exe
        
        PID:30764
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        162⤵
        
        PID:30688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        163⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LZIlDOYBhibd.bat" "
        163⤵
        
        PID:30848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        164⤵
        
        PID:30748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        164⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:30228
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        164⤵
        
        PID:29904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        165⤵
        
        PID:30680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOwqlLWqkgQ4.bat" "
        165⤵
        
        PID:30844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        166⤵
        
        PID:29756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        166⤵
        
        PID:30644
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        166⤵
        
        PID:32444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        167⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:32008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w65UQe8iz05e.bat" "
        167⤵
        
        PID:32364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        168⤵
        
        PID:3928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        168⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:31248
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        168⤵
        
        PID:33640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        169⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:33756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcdcOlzb4iGz.bat" "
        169⤵
        
        PID:33944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        170⤵
        
        PID:34048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        170⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:34164
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        170⤵
        
        PID:33816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        171⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:33964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qR5F3EGH4vbp.bat" "
        171⤵
        
        PID:34548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        172⤵
        
        PID:34524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        172⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:34648
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        172⤵
        
        PID:32820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        173⤵
        
        PID:33136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEjsgUPPzzvy.bat" "
        173⤵
        
        PID:34484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        174⤵
        
        PID:28744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        174⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:33380
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        174⤵
        
        PID:32820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        175⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:34768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uhor1p57ctiL.bat" "
        175⤵
        
        PID:33296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        176⤵
        
        PID:32080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        176⤵
        
        PID:30352
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        176⤵
        
        PID:35740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        177⤵
        
        PID:34928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2exxtdxwb87a.bat" "
        177⤵
        
        PID:35132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        178⤵
        
        PID:35208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        178⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:35248
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        178⤵
        
        PID:30180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        179⤵
        
        PID:33396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9xX4cKNORCeu.bat" "
        179⤵
        
        PID:35200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        180⤵
        
        PID:34920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        180⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:32664
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        180⤵
        
        PID:36140
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        181⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:36840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RHoB6ulaqqTz.bat" "
        181⤵
        
        PID:36244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        182⤵
        
        PID:36164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        182⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:35168
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        182⤵
        
        PID:37804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        183⤵
        
        PID:37364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HLg31goAQ4iw.bat" "
        183⤵
        
        PID:37604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        184⤵
        
        PID:37696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        184⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:37704
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        184⤵
        
        PID:37356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        185⤵
        
        PID:37872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LbfLE3rozI6c.bat" "
        185⤵
        
        PID:37420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        186⤵
        
        PID:37624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        186⤵
        Runs ping.exe
        
        PID:31960
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        186⤵
        
        PID:37624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        187⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9Oefhtj5YxPF.bat" "
        187⤵
        
        PID:33708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        188⤵
        
        PID:36044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        188⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:35720
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        188⤵
        
        PID:33136
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        189⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:32584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H5mehpfWghAV.bat" "
        189⤵
        
        PID:37260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        190⤵
        
        PID:37468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        190⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:37668
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        190⤵
        
        PID:32676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        191⤵
        
        PID:37432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v9IOWmyK9lUm.bat" "
        191⤵
        
        PID:38068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        192⤵
        
        PID:38120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        192⤵
        
        PID:38132
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        192⤵
        
        PID:39124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        193⤵
        
        PID:39480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iE6PQ2aZsbrc.bat" "
        193⤵
        
        PID:37904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        194⤵
        
        PID:38892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        194⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:37892
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        194⤵
        
        PID:39596
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        195⤵
        
        PID:37920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z3nOK8QjO1lZ.bat" "
        195⤵
        
        PID:38152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        196⤵
        
        PID:39372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        196⤵
        
        PID:38560
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        196⤵
        
        PID:37940
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        197⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:38648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DXRSigBbz28x.bat" "
        197⤵
        
        PID:39564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        198⤵
        
        PID:38132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        198⤵
        
        PID:39888
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        198⤵
        
        PID:33492
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        199⤵
        
        PID:36080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\we1o6OTTGgHz.bat" "
        199⤵
        
        PID:38848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        200⤵
        
        PID:38348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        200⤵
        Runs ping.exe
        
        PID:38308
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        200⤵
        
        PID:38092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        201⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:39776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9wcpUD4ISCrQ.bat" "
        201⤵
        
        PID:40052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        202⤵
        
        PID:40100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        202⤵
        Runs ping.exe
        
        PID:40116
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        202⤵
        
        PID:40300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        203⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:39884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwLTDKRoofRc.bat" "
        203⤵
        
        PID:41096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        204⤵
        
        PID:41228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        204⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:41264
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        204⤵
        
        PID:39604
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windowsman32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe" /rl HIGHEST /f
        205⤵
        
        PID:40728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYrTe4Yd48d3.bat" "
        205⤵
        
        PID:40588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        206⤵
        
        PID:35804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        206⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:38816
        
        C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe
        
        "C:\Users\Admin\AppData\Roaming\windows\windowsManager32.exe"
        206⤵
        
        PID:40492
- - C:\Users\Admin\Desktop\Malware\http87.106.114.72updater.exe.exe
    "C:\Users\Admin\Desktop\Malware\http87.106.114.72updater.exe.exe"
    3⤵
    - Executes dropped EXE
    PID:6788
- - C:\Users\Admin\Desktop\Malware\http70.35.206.129setup.exe.exe
    "C:\Users\Admin\Desktop\Malware\http70.35.206.129setup.exe.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Modifies registry class
    PID:7824
  - - C:\Windows\SysWOW64\NETSH.EXE
      "C:\Windows\system32\NETSH.EXE" -f "c:\RTS\Ticketing\PortOpen.txt"
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:9636
  - - C:\Windows\SysWOW64\InitWinIo.exe
      C:\Windows\system32\InitWinIo.exe
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:3004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\CodeArchitects.AxVBLibraryOCX.dll" /queue
      4⤵
      Drops file in Windows directory
      PID:9668
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\CodeArchitects.VBLibrary.dll" /queue
      4⤵
      Drops file in Windows directory
      PID:10244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\CodeArchitects.VBLibraryOcx.dll" /queue
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:10264
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\CodeArchitects.VBMigrationEngine.dll" /queue
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:10280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\Stimulsoft.Base.dll" /queue
      4⤵
      Drops file in Windows directory
      PID:10288
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\Stimulsoft.Controls.dll" /queue
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:10312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\Stimulsoft.Controls.Win.dll" /queue
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:10324
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\Stimulsoft.Database.dll" /queue
      4⤵
      Drops file in Windows directory
      PID:10340
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\Stimulsoft.Design.dll" /queue
      4⤵
      PID:10356
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\Stimulsoft.Editor.dll" /queue
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:10412
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\Stimulsoft.Report.Check.dll" /queue
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:10476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\Stimulsoft.Report.dll" /queue
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:10512
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\Stimulsoft.Report.Helper.dll" /queue
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:10576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\Stimulsoft.Report.Win.dll" /queue
      4⤵
      Drops file in Windows directory
      PID:10592
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\DevExpress.Data.v14.2.dll" /queue
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:10636
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\DevExpress.Printing.v14.2.Core.dll" /queue
      4⤵
      Drops file in Windows directory
      PID:10824
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\DevExpress.XtraPrinting.v14.2.dll" /queue
      4⤵
      Drops file in Windows directory
      PID:10868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\DevExpress.Utils.v14.2.dll" /queue
      4⤵
      Drops file in Windows directory
      PID:10876
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\DevExpress.Utils.v14.2.UI.dll" /queue
      4⤵
      Drops file in Windows directory
      PID:10920
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\DevExpress.XtraEditors.v14.2.dll" /queue
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:10928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\DevExpress.XtraScheduler.v14.2.Core.dll" /queue
      4⤵
      Drops file in Windows directory
      PID:11008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\DevExpress.XtraScheduler.v14.2.dll" /queue
      4⤵
      Drops file in Windows directory
      PID:11024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\DevExpress.Docs.v14.2" /queue
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:11124
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" install "c:\RTS\Ticketing\Host2.exe" /queue
      4⤵
      Drops file in Windows directory
      PID:10224
  - - C:\rts\rtspostgres\bin\initdb.exe
      "C:\rts\rtspostgres\bin\initdb.exe" -D "C:\rts\rtspostgresdb" -U postgres -E utf8 -A md5 --pwfile "c:\rts\rtspostgres\bin\initpassword.txt"
      4⤵
      Loads dropped DLL
      PID:13204
    - - C:\rts\rtspostgres\bin\initdb.exe
        
        "C:\rts\rtspostgres\bin\initdb.exe" -D "C:\rts\rtspostgresdb" -U postgres -E utf8 -A md5 --pwfile "c:\rts\rtspostgres\bin\initpassword.txt"
        5⤵
        Loads dropped DLL
        
        PID:11392
      - C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" -V
        6⤵
        
        PID:13096
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:/rts/rtspostgres/bin/postgres.exe" --boot -x0 -F -c max_connections=100 -c shared_buffers=1000 -c dynamic_shared_memory_type=none < "nul" > "nul" 2>&1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:12744
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" --boot -x0 -F -c max_connections=100 -c shared_buffers=1000 -c dynamic_shared_memory_type=none
        7⤵
        
        PID:13232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:/rts/rtspostgres/bin/postgres.exe" --boot -x0 -F -c max_connections=100 -c shared_buffers=16384 -c dynamic_shared_memory_type=none < "nul" > "nul" 2>&1"
        6⤵
        
        PID:9928
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" --boot -x0 -F -c max_connections=100 -c shared_buffers=16384 -c dynamic_shared_memory_type=none
        7⤵
        
        PID:12960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:/rts/rtspostgres/bin/postgres.exe" --boot -x1 -F "
        6⤵
        
        PID:12772
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" --boot -x1 -F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:13308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:/rts/rtspostgres/bin/postgres.exe" --single -F -O -j -c search_path=pg_catalog -c exit_on_error=true template1 >nul"
        6⤵
        
        PID:11656
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" --single -F -O -j -c search_path=pg_catalog -c exit_on_error=true template1
        7⤵
        Loads dropped DLL
        
        PID:12260
  - - C:\rts\rtspostgres\bin\pg_ctl.exe
      "C:\rts\rtspostgres\bin\pg_ctl.exe" start -D "C:\rts\rtspostgresdb"
      4⤵
      PID:11504
    - - C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" -V
        5⤵
        
        PID:11808
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C ""C:/rts/rtspostgres/bin/postgres.exe" -D "C:/rts/rtspostgresdb" < "nul" 2>&1"
        5⤵
        
        PID:11712
      - C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" -D "C:/rts/rtspostgresdb"
        6⤵
        
        PID:12440
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" -V
        7⤵
        
        PID:12164
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" "--forklog" "5296" "5300"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" "--forkboot" "5160" "-x2"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:9324
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" "--forkboot" "5144" "-x4"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:12088
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" "--forkboot" "5156" "-x3"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:11664
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" "--forkboot" "5128" "-x5"
        7⤵
        
        PID:10580
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" "--forkavlauncher" "5116"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:12292
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" "--forkcol" "5108"
        7⤵
        
        PID:10528
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" "--forkbgworker=0" "5096"
        7⤵
        
        PID:12312
        
        C:\rts\rtspostgres\bin\postgres.exe
        
        "C:/rts/rtspostgres/bin/postgres.exe" "--forkbackend" "5068"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:11732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4520
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:5224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2892

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3132

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:5936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffec9ca3cb8,0x7ffec9ca3cc8,0x7ffec9ca3cd8
    3⤵
    PID:4336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
    3⤵
    PID:3528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
    3⤵
    PID:5168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    3⤵
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
    3⤵
    PID:2928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:32
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
    3⤵
    PID:796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
    3⤵
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
    3⤵
    PID:6120
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
    3⤵
    PID:5900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5496 /prefetch:2
    3⤵
    PID:1668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
    3⤵
    PID:464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
    3⤵
    PID:1700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
    3⤵
    PID:560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
    3⤵
    PID:5164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2628 /prefetch:1
    3⤵
    PID:8232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:8008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1040 /prefetch:8
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:10316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    3⤵
    PID:16820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:17628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
    3⤵
    PID:17704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
    3⤵
    PID:16860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:18876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
    3⤵
    PID:18892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4288 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:10492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
    3⤵
    PID:23584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
    3⤵
    PID:20980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3796 /prefetch:8
    3⤵
    PID:25308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,14578371915039334824,577425078385469762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:24288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2836

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 9044 -ip 9044
1⤵
PID:7408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5424 -ip 5424
1⤵
PID:7224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D0
1⤵
PID:9172

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:8860
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7820

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6912
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7944

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
PID:6956
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  PID:5280

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:8480
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  PID:5180

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:10884
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  PID:11672

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
PID:12960
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14640

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
PID:15788
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16656

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
PID:18412
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  PID:15992
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  PID:17600

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
PID:18572
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:21048

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
PID:23276
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:25508

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
PID:23868
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:26036

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
PID:27512
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  PID:24620

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
PID:29340
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:30928

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
PID:32344
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  PID:33960

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:35540
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  PID:36588
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  PID:34792

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
- Suspicious use of SetThreadContext
PID:28560
- C:\ProgramData\dqhafox\dlupef.exe
  "C:\ProgramData\dqhafox\dlupef.exe"
  2⤵
  PID:38324

C:\ProgramData\dqhafox\dlupef.exe
C:\ProgramData\dqhafox\dlupef.exe
1⤵
PID:40196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery