dcrat | c46112e4d73ebc9078837adc6e71113ca6f485a3f0a3a5437ddb2cae5356b02c

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	Solaraexecutor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	BootstrapperV1.19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	BootstrapperV1.19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	BootstrapperV1.23.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 34 IoCs

pid	Process
5504	BootstrapperV1.19.exe
6768	BootstrapperV1.19.exe
1208	Solaraexecutor.exe
6212	BootstrapperV1.23.exe
6228	PerfNET.exe
6464	PerfNET.exe
1936	PerfNET.exe
5068	OfficeClickToRun.exe
3700	PerfNET.exe
6952	PerfNET.exe
4724	Registry.exe
6384	OfficeClickToRun.exe
748	PerfNET.exe
5612	PerfNET.exe
4684	PerfNET.exe
5596	PerfNET.exe
5916	PerfNET.exe
6468	PerfNET.exe
1580	PerfNET.exe
3792	PerfNET.exe
2312	PerfNET.exe
1924	services.exe
2632	services.exe
2452	services.exe
5172	services.exe
6132	services.exe
5964	services.exe
1100	services.exe
6724	services.exe
3704	services.exe
4008	services.exe
6864	services.exe
2532	services.exe
5504	services.exe

Loads dropped DLL 11 IoCs

pid	Process
4472	MsiExec.exe
4472	MsiExec.exe
6740	MsiExec.exe
6740	MsiExec.exe
6740	MsiExec.exe
6740	MsiExec.exe
6740	MsiExec.exe
5124	MsiExec.exe
5124	MsiExec.exe
5124	MsiExec.exe
4472	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
1007	6504	msiexec.exe
1009	6504	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
272	drive.google.com
273	drive.google.com
274	drive.google.com
275	drive.google.com
991	pastebin.com
992	pastebin.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmfund\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\intersects.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\vuln.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\lib\pipeline.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\depd\lib\compat\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\strip-ansi\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-edit.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\validate-npm-package-license\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-support\bin.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\emoji-regex\es2015\text.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\debug\src\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\workspaces.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\lib\should-print-patch.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\nopt.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\line.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\lib\content\read.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-lambda\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\node_modules\glob\sync.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\array.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\mjs\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\safer-buffer\tests.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wide-align\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\inflight\inflight.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-prefix.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\signature.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\method-names.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\mkdirp\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minimatch\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\base64-js\base64js.min.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-lambda\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\state.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abort-controller\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\extendStringPrototype.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\stream.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\role.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\@npmcli\fs\lib\rm\polyfill.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\inflight\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\min-version.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\agentkeepalive\lib\https_agent.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\content\path.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\parse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-help-search.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\edge.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\node_modules\minimatch\lib\path.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\identity\ci.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\className.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\link-gently.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\scripts.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\theme-set.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\file.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\encoding\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-root.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\maps\random.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\nopt\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\sort.js	msiexec.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Installer\MSI4233.tmp	msiexec.exe
File created	C:\Windows\Registration\CRMLog\sppsvc.exe	PerfNET.exe
File opened for modification	C:\Windows\Installer\MSI3C35.tmp	msiexec.exe
File created	C:\Windows\Installer\e5d2580.msi	msiexec.exe
File created	C:\Windows\Branding\dllhost.exe	PerfNET.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File created	C:\Windows\L2Schemas\notepad.exe	PerfNET.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2ACD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4213.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E38.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Registration\CRMLog\0a1fd5f707cd16	PerfNET.exe
File opened for modification	C:\Windows\Installer\MSI2A3F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI607C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62B0.tmp	msiexec.exe
File created	C:\Windows\L2Schemas\e9db699ef0888f	PerfNET.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EA6.tmp	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Installer\e5d257c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Branding\5940a34987c991	PerfNET.exe
File created	C:\Windows\Installer\e5d257c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C65.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solaraexecutor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4852	PING.EXE
5876	PING.EXE
5200	PING.EXE
3080	PING.EXE
6068	PING.EXE
6140	PING.EXE
3596	PING.EXE
2408	PING.EXE
2812	PING.EXE
7084	PING.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
556	ipconfig.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133791046380546368"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 59 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	Solaraexecutor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	services.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\BootstrapperV1.19.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
3380	Notepad.exe
984	NOTEPAD.EXE
3404	NOTEPAD.EXE

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
3596	PING.EXE
6068	PING.EXE
2812	PING.EXE
7084	PING.EXE
4852	PING.EXE
5876	PING.EXE
6140	PING.EXE
5200	PING.EXE
3080	PING.EXE
2408	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
6600	schtasks.exe
4428	schtasks.exe
4080	schtasks.exe
748	schtasks.exe
6964	schtasks.exe
6108	schtasks.exe
5976	schtasks.exe
3580	schtasks.exe
1860	schtasks.exe
3832	schtasks.exe
1800	schtasks.exe
5356	schtasks.exe
6360	schtasks.exe
1580	schtasks.exe
5956	schtasks.exe
3236	schtasks.exe
4708	schtasks.exe
5116	schtasks.exe
4544	schtasks.exe
5264	schtasks.exe
6496	schtasks.exe
2844	schtasks.exe
2464	schtasks.exe
2088	schtasks.exe
6552	schtasks.exe
4088	schtasks.exe
3328	schtasks.exe
2252	schtasks.exe
1552	schtasks.exe
5572	schtasks.exe
64	schtasks.exe
2312	schtasks.exe
6232	schtasks.exe
5180	schtasks.exe
6536	schtasks.exe
6484	schtasks.exe
3900	schtasks.exe
3420	schtasks.exe
2492	schtasks.exe
6544	schtasks.exe
6500	schtasks.exe
5368	schtasks.exe
4656	schtasks.exe
1656	schtasks.exe
1744	schtasks.exe
6736	schtasks.exe
6564	schtasks.exe
2392	schtasks.exe
5020	schtasks.exe
6732	schtasks.exe
5616	schtasks.exe
5320	schtasks.exe
4364	schtasks.exe
3020	schtasks.exe
3584	schtasks.exe
2976	schtasks.exe
5556	schtasks.exe
5932	schtasks.exe
6600	schtasks.exe
4792	schtasks.exe
6116	schtasks.exe
892	schtasks.exe
4392	schtasks.exe
7064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
3304	msedge.exe
3304	msedge.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6064	chrome.exe
6064	chrome.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
6324	7zFM.exe
7160	7zFM.exe
6340	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3304	msedge.exe
3304	msedge.exe
3304	msedge.exe
6064	chrome.exe
6064	chrome.exe
6064	chrome.exe
6064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	firefox.exe
Token: SeDebugPrivilege	3812	firefox.exe
Token: 33	2072	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2072	AUDIODG.EXE
Token: SeDebugPrivilege	3812	firefox.exe
Token: SeRestorePrivilege	6324	7zFM.exe
Token: 35	6324	7zFM.exe
Token: SeSecurityPrivilege	6324	7zFM.exe
Token: SeDebugPrivilege	3812	firefox.exe
Token: SeDebugPrivilege	3812	firefox.exe
Token: SeDebugPrivilege	3812	firefox.exe
Token: SeDebugPrivilege	3812	firefox.exe
Token: SeDebugPrivilege	6436	taskmgr.exe
Token: SeSystemProfilePrivilege	6436	taskmgr.exe
Token: SeCreateGlobalPrivilege	6436	taskmgr.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe
Token: SeCreatePagefilePrivilege	6064	chrome.exe
Token: SeShutdownPrivilege	6064	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3304	msedge.exe
3304	msedge.exe
3304	msedge.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
6324	7zFM.exe
6324	7zFM.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe
6436	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe
3812	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 3304	2640	cmd.exe	82
PID 2640 wrote to memory of 3304	2640	cmd.exe	82
PID 3304 wrote to memory of 2388	3304	msedge.exe	84
PID 3304 wrote to memory of 2388	3304	msedge.exe	84
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3676	3304	msedge.exe	86
PID 3304 wrote to memory of 3688	3304	msedge.exe	87
PID 3304 wrote to memory of 3688	3304	msedge.exe	87
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88
PID 3304 wrote to memory of 2448	3304	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Hid.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.name/d/ODii
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x128,0x12c,0xdc,0x130,0x7ffd77b746f8,0x7ffd77b74708,0x7ffd77b74718
    3⤵
    PID:2388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,1988002871371774138,10506946971577847054,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,1988002871371774138,10506946971577847054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,1988002871371774138,10506946971577847054,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    3⤵
    PID:2448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1988002871371774138,10506946971577847054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1988002871371774138,10506946971577847054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    3⤵
    PID:1524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1988002871371774138,10506946971577847054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
    3⤵
    PID:4180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4728

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1244

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2844
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec173f2f-595c-47cd-a240-071304ebbe8b} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" gpu
    3⤵
    PID:2424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {707aa04c-078d-4720-86a7-3011f9e578bb} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" socket
    3⤵
    - Checks processor information in registry
    PID:1656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2652 -childID 1 -isForBrowser -prefsHandle 3236 -prefMapHandle 3008 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a693af3d-8bf8-4b9a-9158-2d775998053c} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:4668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3944 -childID 2 -isForBrowser -prefsHandle 4120 -prefMapHandle 4116 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1375899c-f364-4b65-82cc-4a9a9451bddc} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4836 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4808 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d96dac95-62c1-45d8-9953-cef976d1bb02} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" utility
    3⤵
    - Checks processor information in registry
    PID:6056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 3 -isForBrowser -prefsHandle 5444 -prefMapHandle 5440 -prefsLen 27079 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {809f2821-6e14-4f90-a154-1ae624fb183d} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 4948 -prefsLen 27079 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd2159d2-f820-4b97-8fa6-e91854d46aff} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5840 -prefsLen 27079 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d51ee9a-f227-4dff-8c4e-3bc3c166fcd1} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:6136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6100 -childID 6 -isForBrowser -prefsHandle 6092 -prefMapHandle 6088 -prefsLen 27158 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9842bf4-d6cb-4de2-bdf1-c7a570f18cf0} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6436 -parentBuildID 20240401114208 -prefsHandle 6416 -prefMapHandle 6404 -prefsLen 29305 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4987ca9-85f5-4f35-9965-747706d16c79} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" rdd
    3⤵
    PID:4200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6444 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6428 -prefMapHandle 6424 -prefsLen 29305 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10e2a8a8-eb59-40c6-aabb-6c13c7c66b3e} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" utility
    3⤵
    - Checks processor information in registry
    PID:3288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3864 -childID 7 -isForBrowser -prefsHandle 2540 -prefMapHandle 6804 -prefsLen 27158 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30f336c0-75cb-4cf2-97aa-28f959dbed59} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7008 -childID 8 -isForBrowser -prefsHandle 6928 -prefMapHandle 6932 -prefsLen 27158 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3be56f8-e2ea-416d-8090-bdb7dc53f5bc} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6776 -childID 9 -isForBrowser -prefsHandle 6748 -prefMapHandle 6784 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5e85064-b356-4cde-a119-77b6ee003a9c} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6160 -childID 10 -isForBrowser -prefsHandle 6172 -prefMapHandle 6064 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e6a7426-b652-478e-99d4-955e972e1888} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:1264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6824 -childID 11 -isForBrowser -prefsHandle 3848 -prefMapHandle 6912 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3f9d14d-dd0a-49ec-9cfe-e4053238e4f3} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:3668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6860 -childID 12 -isForBrowser -prefsHandle 6872 -prefMapHandle 7560 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93494db1-8bd0-42cf-9f0b-2a080c185f0f} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7032 -childID 13 -isForBrowser -prefsHandle 7088 -prefMapHandle 7084 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e9b50d-7ef9-4841-b613-a836e4972311} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7688 -childID 14 -isForBrowser -prefsHandle 7664 -prefMapHandle 7652 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01db17fe-6a34-4fde-8339-7b4a18b1e4c8} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:4268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7252 -childID 15 -isForBrowser -prefsHandle 7632 -prefMapHandle 7648 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4e4a3e3-d797-46f8-ab0f-c7cc1dbdcab4} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8400 -childID 16 -isForBrowser -prefsHandle 8320 -prefMapHandle 8328 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe7f827f-6999-4d8c-8765-487633a6285c} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:2508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8540 -childID 17 -isForBrowser -prefsHandle 8528 -prefMapHandle 8532 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a5ec238-0388-49e5-b1d9-48e27afc5d8f} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:2472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8728 -childID 18 -isForBrowser -prefsHandle 8704 -prefMapHandle 8712 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f883fd85-80f3-4c1d-9fa9-763f67de7a5e} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8608 -childID 19 -isForBrowser -prefsHandle 8940 -prefMapHandle 8944 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4396fbe6-7a3a-4cfc-a115-f13a1e98ef9c} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:3140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9228 -childID 20 -isForBrowser -prefsHandle 9220 -prefMapHandle 9116 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5037561a-39c1-42eb-be99-96dd881fc5ed} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:4376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5192 -childID 21 -isForBrowser -prefsHandle 9160 -prefMapHandle 9228 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5ab5be8-b866-4b08-80db-83a48bccb251} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8172 -childID 22 -isForBrowser -prefsHandle 8596 -prefMapHandle 8592 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4154b96-a70a-4b0e-91b0-82966648b9f8} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:1916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8512 -childID 23 -isForBrowser -prefsHandle 9116 -prefMapHandle 8956 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3782739-5661-4210-82d7-23689b56b98b} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:4364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8864 -childID 24 -isForBrowser -prefsHandle 7264 -prefMapHandle 8840 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {299e4696-ed9a-465c-842a-1dc5acc6f744} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8280 -childID 25 -isForBrowser -prefsHandle 7520 -prefMapHandle 3284 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3015e18d-da7e-4116-ae5c-78ad13d3e2eb} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7188 -childID 26 -isForBrowser -prefsHandle 7124 -prefMapHandle 3868 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e3df4c4-6c8c-46bf-b7d8-4d9291c89d1b} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:2936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7500 -childID 27 -isForBrowser -prefsHandle 9360 -prefMapHandle 7692 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1bc4e37-c476-425b-8c6a-2d7116e2c042} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:5900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6820 -childID 28 -isForBrowser -prefsHandle 9484 -prefMapHandle 6836 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d0619b8-4282-4f47-a3ec-23b4f42d236b} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:6344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9468 -childID 29 -isForBrowser -prefsHandle 8180 -prefMapHandle 7820 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9728eb5d-7cc0-4678-9654-4612c12b64d5} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:6352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9156 -childID 30 -isForBrowser -prefsHandle 8956 -prefMapHandle 8424 -prefsLen 28122 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {065f2574-c7ae-431d-a9e7-b923175314ff} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:6360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9464 -childID 31 -isForBrowser -prefsHandle 8812 -prefMapHandle 7536 -prefsLen 30701 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d19603b6-b124-4d54-82c8-734941edcb4a} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:4556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10312 -childID 32 -isForBrowser -prefsHandle 10308 -prefMapHandle 10304 -prefsLen 28162 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae6bff5a-0aeb-49ac-8164-13b23331b5d7} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:6748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6344 -childID 33 -isForBrowser -prefsHandle 9608 -prefMapHandle 9524 -prefsLen 28162 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63b5f761-b707-4d79-b2f6-6a0856d8ae64} 3812 "\\.\pipe\gecko-crash-server-pipe.3812" tab
    3⤵
    PID:7164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6916

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\BootstrapperV1.19.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6324

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:6064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffd6922cc40,0x7ffd6922cc4c,0x7ffd6922cc58
  2⤵
  PID:5432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,10058913673321807747,12629333845693553487,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,10058913673321807747,12629333845693553487,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,10058913673321807747,12629333845693553487,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,10058913673321807747,12629333845693553487,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:7088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,10058913673321807747,12629333845693553487,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:6240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,10058913673321807747,12629333845693553487,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4508,i,10058913673321807747,12629333845693553487,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:6580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,10058913673321807747,12629333845693553487,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4384 /prefetch:8
  2⤵
  PID:6812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5360,i,10058913673321807747,12629333845693553487,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:6412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5148,i,10058913673321807747,12629333845693553487,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:5568

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3344

C:\Users\Admin\Desktop\BootstrapperV1.19.exe
"C:\Users\Admin\Desktop\BootstrapperV1.19.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5504
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6768
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe" --isUpdate true
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:6212
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ipconfig /all
      4⤵
      PID:1172
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:556
  - - C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
      4⤵
      PID:6676
- C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe
  "C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1208
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:5684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:6972
    - - C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:6228
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:236
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        
        PID:3772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1976
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        
        PID:1328
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6120
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\SppExtComObj.exe'
        6⤵
        
        PID:2220
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4200
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Apply\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ssh\unsecapp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2424
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HWoyrIkOXn.bat"
        6⤵
        
        PID:1264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3136

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:6340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\ssh\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\ssh\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNET" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:6504
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 9F1622552D200DDAB716B8E5DBA80F9B
  2⤵
  - Loads dropped DLL
  PID:4472
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FE944FB42782CC31673F329CF447448E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6740
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 022EF14883F3DBE9F5BF74E46F8CB041 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5124
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7072
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:4060

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\BootstrapperV1.19.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:7160

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe
1⤵
- Opens file in notepad (likely ransom note)
PID:3380

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\5sOqbfN.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:984

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\DISCORD"
1⤵
PID:5144

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\5sOqbfN.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3404

C:\Users\Admin\Desktop\PerfNET.exe
"C:\Users\Admin\Desktop\PerfNET.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:6464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  PID:6312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  PID:5700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msiexec.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\msedge.exe'
  2⤵
  PID:5788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\chrome.exe'
  2⤵
  PID:5176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\ApplicationFrameHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\PerfNET.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mFprvTfBTu.bat"
  2⤵
  PID:5816
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:6964
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4852
- - C:\Recovery\WindowsRE\OfficeClickToRun.exe
    "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID:5068
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qf9bALi5DQ.bat"
      4⤵
      PID:2116
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4900
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:5876
    - - C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        5⤵
        Executes dropped EXE
        
        PID:6384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msiexec.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msiexec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\msiexec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\Default User\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Users\Default\Recent\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNET" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\ef8394841442c3"
1⤵
PID:3772

C:\Users\Admin\Desktop\PerfNET.exe
"C:\Users\Admin\Desktop\PerfNET.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  PID:6400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  PID:6840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  PID:6592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\unsecapp.exe'
  2⤵
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\notepad.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\wininit.exe'
  2⤵
  PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\PerfNET.exe'
  2⤵
  PID:4032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tr3YOaQkiZ.bat"
  2⤵
  PID:952
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5568
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4080
- - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe
    "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe"
    3⤵
    - Executes dropped EXE
    PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\3D Objects\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:7064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\3D Objects\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepadn" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\notepad.exe'" /f
1⤵
- Process spawned unexpected child process
PID:6616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepad" /sc ONLOGON /tr "'C:\Windows\L2Schemas\notepad.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "notepadn" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\notepad.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNET" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Users\Admin\Desktop\PerfNET.exe
"C:\Users\Admin\Desktop\PerfNET.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPELUvEZwh.bat"
  2⤵
  PID:4992
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2160
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2804
- - C:\Users\Admin\Desktop\PerfNET.exe
    "C:\Users\Admin\Desktop\PerfNET.exe"
    3⤵
    - Executes dropped EXE
    PID:748

C:\Users\Admin\Desktop\PerfNET.exe
"C:\Users\Admin\Desktop\PerfNET.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:6952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  PID:6812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\ApplicationFrameHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ApplicationFrameHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\PerfNET.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kzjdnn1aoP.bat"
  2⤵
  PID:5972
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:6536
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5876
- - C:\Users\Admin\Desktop\PerfNET.exe
    "C:\Users\Admin\Desktop\PerfNET.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    PID:5612
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\alQR4bHbbG.bat"
      4⤵
      PID:4192
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5360
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6140
    - - C:\Users\Admin\Desktop\PerfNET.exe
        
        "C:\Users\Admin\Desktop\PerfNET.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4684
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yjLtiCBkS.bat"
        6⤵
        
        PID:6568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1940
        
        C:\Users\Admin\Desktop\PerfNET.exe
        
        "C:\Users\Admin\Desktop\PerfNET.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HLyChA1PXA.bat"
        8⤵
        
        PID:1980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:6132
        
        C:\Users\Admin\Desktop\PerfNET.exe
        
        "C:\Users\Admin\Desktop\PerfNET.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2juDPxCKYX.bat"
        10⤵
        
        PID:6720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1704
        
        C:\Users\Admin\Desktop\PerfNET.exe
        
        "C:\Users\Admin\Desktop\PerfNET.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lYG6WIxzfM.bat"
        12⤵
        
        PID:6528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3596
        
        C:\Users\Admin\Desktop\PerfNET.exe
        
        "C:\Users\Admin\Desktop\PerfNET.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Styje6hwPL.bat"
        14⤵
        
        PID:6624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5200
        
        C:\Users\Admin\Desktop\PerfNET.exe
        
        "C:\Users\Admin\Desktop\PerfNET.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cE5h37GJz6.bat"
        16⤵
        
        PID:1268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:6240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3320
        
        C:\Users\Admin\Desktop\PerfNET.exe
        
        "C:\Users\Admin\Desktop\PerfNET.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        18⤵
        
        PID:4484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        18⤵
        
        PID:4428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        18⤵
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OEM\ApplicationFrameHost.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\nodejs\node_modules\npm\node_modules\unsecapp.exe'
        18⤵
        
        PID:4344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'
        18⤵
        
        PID:6396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\dllhost.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\PerfNET.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDmoTHZlW8.bat"
        18⤵
        
        PID:6468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3080
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o1vNVowh3C.bat"
        20⤵
        
        PID:6656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2408
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\COegk83zmU.bat"
        22⤵
        
        PID:3636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4712
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7gEkM0BkJD.bat"
        24⤵
        
        PID:4584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4384
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\COegk83zmU.bat"
        26⤵
        
        PID:1976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1980
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7gEkM0BkJD.bat"
        28⤵
        
        PID:2212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:6508
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q5hzjQRwNJ.bat"
        30⤵
        
        PID:6896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6068
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zasSNaUvot.bat"
        32⤵
        
        PID:2076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:6884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:1224
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4XCyKdTKaY.bat"
        34⤵
        
        PID:3596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:1172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2812
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8EsK2bkKJG.bat"
        36⤵
        
        PID:3784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:6708
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XJaDrOzS3U.bat"
        38⤵
        
        PID:6856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:2776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7084
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xv8ebS6cyh.bat"
        40⤵
        
        PID:1644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:5976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:3440
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mLBZigXOC1.bat"
        42⤵
        
        PID:6688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:1860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:6684
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xv8ebS6cyh.bat"
        44⤵
        
        PID:4900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:4148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /f
1⤵
PID:5684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:6768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNET" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 8 /tr "'C:\Recovery\OEM\ApplicationFrameHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Recovery\OEM\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 9 /tr "'C:\Recovery\OEM\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\nodejs\node_modules\npm\node_modules\unsecapp.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\nodejs\node_modules\npm\node_modules\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\nodejs\node_modules\npm\node_modules\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
PID:6776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
1⤵
PID:6804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:6460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Branding\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /f
1⤵
PID:5740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNET" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Desktop\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery