njrat | 3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76b83be2029547c996fd60d5c1bb3a0a.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6fd75da541f0493990717c56c72665b3.exe

Disables Task Manager via registry modification
defense_evasion

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\76b83be2029547c996fd60d5c1bb3a0a.exe"	76b83be2029547c996fd60d5c1bb3a0a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	76b83be2029547c996fd60d5c1bb3a0a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\76b83be2029547c996fd60d5c1bb3a0a.exe"	76b83be2029547c996fd60d5c1bb3a0a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	76b83be2029547c996fd60d5c1bb3a0a.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Possible privilege escalation attempt 3 IoCs

exploit

pid	Process
5632	icacls.exe
1652	takeown.exe
7756	icacls.exe

Executes dropped EXE 7 IoCs

pid	Process
6000	74c6e07ee1f544bb962fd0c483b25fdb.exe
3788	6fd75da541f0493990717c56c72665b3.exe
1076	b1bfaf55f930427fadc2c75873c56404.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5796	76b83be2029547c996fd60d5c1bb3a0a.exe
3112	76b83be2029547c996fd60d5c1bb3a0a.exe
2156	76b83be2029547c996fd60d5c1bb3a0a.exe

Modifies file permissions 1 TTPs 3 IoCs

File and Directory Permissions Modification

T1222

pid	Process
5632	icacls.exe
1652	takeown.exe
7756	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\76b83be2029547c996fd60d5c1bb3a0a.exe"	76b83be2029547c996fd60d5c1bb3a0a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76b83be2029547c996fd60d5c1bb3a0a.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe

Power Settings 1 TTPs 2 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6768	powercfg.exe
2432	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	6fd75da541f0493990717c56c72665b3.exe
File opened for modification	\??\PhysicalDrive0	b1bfaf55f930427fadc2c75873c56404.exe
File opened for modification	\??\PhysicalDrive0	76b83be2029547c996fd60d5c1bb3a0a.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mapi32.dll	fixmapi.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Process Discovery

T1057

pid	Process
688	tasklist.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002b213-41.dat	upx
behavioral1/memory/5228-45-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5796-48-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5796-50-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5228-75-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5228-114-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/3112-139-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5228-228-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2156-278-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2156-279-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5228-350-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5228-407-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5228-481-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5228-552-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5228-592-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/6472-596-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/3716-622-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/3716-626-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5228-630-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5228-776-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5228-836-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/8120-893-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/8120-895-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5452-938-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/5452-940-0x0000000000400000-0x00000000006D8000-memory.dmp	upx

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ieUnatt.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ieUnatt.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ieUnatt.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File created	C:\Windows\FONTS\eudcadm.tte	eudcedit.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	ieUnatt.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3884	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

Create Process with Token

T1134.002

pid	Process
6732	runas.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2144	776	WerFault.exe	166
6600	3804	WerFault.exe	359
7228	8176	WerFault.exe	600
6988	7384	WerFault.exe	646
7612	7504	WerFault.exe	721

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkntfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1bfaf55f930427fadc2c75873c56404.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskusage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	logman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	makecab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pisun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74c6e07ee1f544bb962fd0c483b25fdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dccw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dism.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eudcedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76b83be2029547c996fd60d5c1bb3a0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cttune.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DevicePairingWizard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpresult.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcomcnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CameraSettingsUIHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hdwwiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lodctr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eventvwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certreq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	finger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AtBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doskey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ktmutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edpnotify.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fltMC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HOSTNAME.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	charmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76b83be2029547c996fd60d5c1bb3a0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efsui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EhStorAuthn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eventcreate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CloudNotifications.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ComputerDefaults.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76b83be2029547c996fd60d5c1bb3a0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CredentialUIBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfrgui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskperf.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

T1016.001

pid	Process
6540	PING.EXE
6208	RpcPing.exe
6356	TRACERT.EXE
4272	PATHPING.EXE
4612	PING.EXE
6332	PATHPING.EXE

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\	ddodiag.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}\0006	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006\en-US	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\001B	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\en	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c439ff0-9cf7-43cd-961e-9299a4c6c157}\0064	ddodiag.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\en	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c439ff0-9cf7-43cd-961e-9299a4c6c157}\0064	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0006	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ContainerID	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	ddodiag.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0010	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\en-US	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000D	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0012	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E\	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UINumber	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	ddodiag.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	ddodiag.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\000E	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\000B	ddodiag.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\RemovalPolicy	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\en-US	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\en-US	ddodiag.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0002	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\en-US	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceType	ddodiag.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0002	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0012	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\000E	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009\	ddodiag.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}	ddodiag.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0009	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0005	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UINumber	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Security	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80497100-8c73-48b9-aad9-ce387e19c56e}	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0007\	ddodiag.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	ddodiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0006	ddodiag.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
1504	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkntfs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	label.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
984	ipconfig.exe
1620	NETSTAT.EXE
7632	ipconfig.exe
2812	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
6952	systeminfo.exe

Kills process with taskkill 1 IoCs

pid	Process
6832	taskkill.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	certreq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	certreq.exe
Key created	\Registry\User\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\NotificationData	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	certreq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	certreq.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{9E7541DC-03ED-468E-8E7D-368289FC3BF2}	svchost.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
6540	PING.EXE
4612	PING.EXE

Runs regedit.exe 4 IoCs

pid	Process
7088	regedit.exe
6264	regedit.exe
7448	regedit.exe
7324	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3452	pisun.exe
3452	pisun.exe
3452	pisun.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3788	6fd75da541f0493990717c56c72665b3.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1068	msedge.exe
1068	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: 33	2500	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2500	AUDIODG.EXE
Token: SeSystemtimePrivilege	3788	6fd75da541f0493990717c56c72665b3.exe
Token: SeSystemtimePrivilege	3788	6fd75da541f0493990717c56c72665b3.exe
Token: SeSystemtimePrivilege	3788	6fd75da541f0493990717c56c72665b3.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: SeSystemtimePrivilege	3788	6fd75da541f0493990717c56c72665b3.exe
Token: SeSystemtimePrivilege	3788	6fd75da541f0493990717c56c72665b3.exe
Token: 33	3452	pisun.exe
Token: SeIncBasePriorityPrivilege	3452	pisun.exe
Token: SeSystemtimePrivilege	3788	6fd75da541f0493990717c56c72665b3.exe
Token: SeSystemtimePrivilege	3788	6fd75da541f0493990717c56c72665b3.exe
Token: SeSystemtimePrivilege	3788	6fd75da541f0493990717c56c72665b3.exe
Token: SeSystemtimePrivilege	3788	6fd75da541f0493990717c56c72665b3.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1276	DevicePairingWizard.exe
1068	msedge.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
5676	Calculator.exe
3644	certreq.exe
5276	CloudNotifications.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5796	76b83be2029547c996fd60d5c1bb3a0a.exe
6068	mmc.exe
1276	DevicePairingWizard.exe
5364	eudcedit.exe
5364	eudcedit.exe
3112	76b83be2029547c996fd60d5c1bb3a0a.exe
2156	76b83be2029547c996fd60d5c1bb3a0a.exe
1212	Magnify.exe
1212	Magnify.exe
1212	Magnify.exe
1212	Magnify.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
1212	Magnify.exe
1212	Magnify.exe
5712	charmap.exe
5712	charmap.exe
1068	msedge.exe
1068	msedge.exe
1212	Magnify.exe
3644	certreq.exe
3644	certreq.exe
5676	Calculator.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe
5228	76b83be2029547c996fd60d5c1bb3a0a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 6000	3452	pisun.exe	79
PID 3452 wrote to memory of 6000	3452	pisun.exe	79
PID 3452 wrote to memory of 6000	3452	pisun.exe	79
PID 3452 wrote to memory of 3788	3452	pisun.exe	81
PID 3452 wrote to memory of 3788	3452	pisun.exe	81
PID 3452 wrote to memory of 3788	3452	pisun.exe	81
PID 3452 wrote to memory of 1076	3452	pisun.exe	84
PID 3452 wrote to memory of 1076	3452	pisun.exe	84
PID 3452 wrote to memory of 1076	3452	pisun.exe	84
PID 1076 wrote to memory of 5092	1076	b1bfaf55f930427fadc2c75873c56404.exe	85
PID 1076 wrote to memory of 5092	1076	b1bfaf55f930427fadc2c75873c56404.exe	85
PID 1076 wrote to memory of 5092	1076	b1bfaf55f930427fadc2c75873c56404.exe	85
PID 3788 wrote to memory of 2324	3788	6fd75da541f0493990717c56c72665b3.exe	87
PID 3788 wrote to memory of 2324	3788	6fd75da541f0493990717c56c72665b3.exe	87
PID 3788 wrote to memory of 2324	3788	6fd75da541f0493990717c56c72665b3.exe	87
PID 3788 wrote to memory of 2568	3788	6fd75da541f0493990717c56c72665b3.exe	89
PID 3788 wrote to memory of 2568	3788	6fd75da541f0493990717c56c72665b3.exe	89
PID 3788 wrote to memory of 2568	3788	6fd75da541f0493990717c56c72665b3.exe	89
PID 3788 wrote to memory of 4796	3788	6fd75da541f0493990717c56c72665b3.exe	91
PID 3788 wrote to memory of 4796	3788	6fd75da541f0493990717c56c72665b3.exe	91
PID 3788 wrote to memory of 4796	3788	6fd75da541f0493990717c56c72665b3.exe	91
PID 3788 wrote to memory of 2140	3788	6fd75da541f0493990717c56c72665b3.exe	94
PID 3788 wrote to memory of 2140	3788	6fd75da541f0493990717c56c72665b3.exe	94
PID 3788 wrote to memory of 2140	3788	6fd75da541f0493990717c56c72665b3.exe	94
PID 3788 wrote to memory of 4264	3788	6fd75da541f0493990717c56c72665b3.exe	96
PID 3788 wrote to memory of 4264	3788	6fd75da541f0493990717c56c72665b3.exe	96
PID 3788 wrote to memory of 4264	3788	6fd75da541f0493990717c56c72665b3.exe	96
PID 3788 wrote to memory of 2824	3788	6fd75da541f0493990717c56c72665b3.exe	97
PID 3788 wrote to memory of 2824	3788	6fd75da541f0493990717c56c72665b3.exe	97
PID 3788 wrote to memory of 2824	3788	6fd75da541f0493990717c56c72665b3.exe	97
PID 3788 wrote to memory of 4708	3788	6fd75da541f0493990717c56c72665b3.exe	99
PID 3788 wrote to memory of 4708	3788	6fd75da541f0493990717c56c72665b3.exe	99
PID 3788 wrote to memory of 4708	3788	6fd75da541f0493990717c56c72665b3.exe	99
PID 3788 wrote to memory of 1328	3788	6fd75da541f0493990717c56c72665b3.exe	102
PID 3788 wrote to memory of 1328	3788	6fd75da541f0493990717c56c72665b3.exe	102
PID 3788 wrote to memory of 1328	3788	6fd75da541f0493990717c56c72665b3.exe	102
PID 3788 wrote to memory of 5508	3788	6fd75da541f0493990717c56c72665b3.exe	103
PID 3788 wrote to memory of 5508	3788	6fd75da541f0493990717c56c72665b3.exe	103
PID 3788 wrote to memory of 5508	3788	6fd75da541f0493990717c56c72665b3.exe	103
PID 3788 wrote to memory of 3748	3788	6fd75da541f0493990717c56c72665b3.exe	104
PID 3788 wrote to memory of 3748	3788	6fd75da541f0493990717c56c72665b3.exe	104
PID 3788 wrote to memory of 3748	3788	6fd75da541f0493990717c56c72665b3.exe	104
PID 3788 wrote to memory of 5196	3788	6fd75da541f0493990717c56c72665b3.exe	106
PID 3788 wrote to memory of 5196	3788	6fd75da541f0493990717c56c72665b3.exe	106
PID 3788 wrote to memory of 5196	3788	6fd75da541f0493990717c56c72665b3.exe	106
PID 3788 wrote to memory of 5372	3788	6fd75da541f0493990717c56c72665b3.exe	108
PID 3788 wrote to memory of 5372	3788	6fd75da541f0493990717c56c72665b3.exe	108
PID 3788 wrote to memory of 5372	3788	6fd75da541f0493990717c56c72665b3.exe	108
PID 3788 wrote to memory of 3132	3788	6fd75da541f0493990717c56c72665b3.exe	110
PID 3788 wrote to memory of 3132	3788	6fd75da541f0493990717c56c72665b3.exe	110
PID 3788 wrote to memory of 3132	3788	6fd75da541f0493990717c56c72665b3.exe	110
PID 3788 wrote to memory of 2028	3788	6fd75da541f0493990717c56c72665b3.exe	112
PID 3788 wrote to memory of 2028	3788	6fd75da541f0493990717c56c72665b3.exe	112
PID 3788 wrote to memory of 2028	3788	6fd75da541f0493990717c56c72665b3.exe	112
PID 3788 wrote to memory of 4860	3788	6fd75da541f0493990717c56c72665b3.exe	116
PID 3788 wrote to memory of 4860	3788	6fd75da541f0493990717c56c72665b3.exe	116
PID 3788 wrote to memory of 4860	3788	6fd75da541f0493990717c56c72665b3.exe	116
PID 3788 wrote to memory of 5124	3788	6fd75da541f0493990717c56c72665b3.exe	117
PID 3788 wrote to memory of 5124	3788	6fd75da541f0493990717c56c72665b3.exe	117
PID 3788 wrote to memory of 5124	3788	6fd75da541f0493990717c56c72665b3.exe	117
PID 3788 wrote to memory of 3644	3788	6fd75da541f0493990717c56c72665b3.exe	120
PID 3788 wrote to memory of 3644	3788	6fd75da541f0493990717c56c72665b3.exe	120
PID 3788 wrote to memory of 3644	3788	6fd75da541f0493990717c56c72665b3.exe	120
PID 3788 wrote to memory of 5492	3788	6fd75da541f0493990717c56c72665b3.exe	123

System policy modification 1 TTPs 3 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	76b83be2029547c996fd60d5c1bb3a0a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	76b83be2029547c996fd60d5c1bb3a0a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	76b83be2029547c996fd60d5c1bb3a0a.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
2824	attrib.exe
2112	attrib.exe

C:\Users\Admin\AppData\Local\Temp\pisun.exe
"C:\Users\Admin\AppData\Local\Temp\pisun.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\74c6e07ee1f544bb962fd0c483b25fdb.exe
  "C:\Users\Admin\AppData\Local\Temp\74c6e07ee1f544bb962fd0c483b25fdb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6000
- C:\Users\Admin\AppData\Local\Temp\6fd75da541f0493990717c56c72665b3.exe
  "C:\Users\Admin\AppData\Local\Temp\6fd75da541f0493990717c56c72665b3.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SysWOW64\agentactivationruntimestarter.exe
    "C:\Windows\System32\agentactivationruntimestarter.exe"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\appidtel.exe
    "C:\Windows\System32\appidtel.exe"
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\ARP.EXE
    "C:\Windows\System32\ARP.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4796
- - C:\Windows\SysWOW64\at.exe
    "C:\Windows\System32\at.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- - C:\Windows\SysWOW64\AtBroker.exe
    "C:\Windows\System32\AtBroker.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4264
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe"
    3⤵
    - Views/modifies file attributes
    PID:2824
- - C:\Windows\SysWOW64\auditpol.exe
    "C:\Windows\System32\auditpol.exe"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\autochk.exe
    "C:\Windows\System32\autochk.exe"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\backgroundTaskHost.exe
    "C:\Windows\System32\backgroundTaskHost.exe"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\BackgroundTransferHost.exe
    "C:\Windows\System32\BackgroundTransferHost.exe"
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3748
- - C:\Windows\SysWOW64\bthudtask.exe
    "C:\Windows\System32\bthudtask.exe"
    3⤵
    PID:5196
- - C:\Windows\SysWOW64\ByteCodeGenerator.exe
    "C:\Windows\System32\ByteCodeGenerator.exe"
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3132
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\CameraSettingsUIHost.exe
    "C:\Windows\System32\CameraSettingsUIHost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4860
- - C:\Windows\SysWOW64\CertEnrollCtrl.exe
    "C:\Windows\System32\CertEnrollCtrl.exe"
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\certreq.exe
    "C:\Windows\System32\certreq.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3644
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\System32\certutil.exe"
    3⤵
    - Manipulates Digital Signatures
    - System Location Discovery: System Language Discovery
    PID:5492
- - C:\Windows\SysWOW64\charmap.exe
    "C:\Windows\System32\charmap.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5712
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    "C:\Windows\System32\CheckNetIsolation.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5456
- - C:\Windows\SysWOW64\chkdsk.exe
    "C:\Windows\System32\chkdsk.exe"
    3⤵
    - Enumerates system info in registry
    PID:352
- - C:\Windows\SysWOW64\chkntfs.exe
    "C:\Windows\System32\chkntfs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:996
- - C:\Windows\SysWOW64\choice.exe
    "C:\Windows\System32\choice.exe"
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\cipher.exe
    "C:\Windows\System32\cipher.exe"
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\cleanmgr.exe
    "C:\Windows\System32\cleanmgr.exe"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:4852
- - C:\Windows\SysWOW64\cliconfg.exe
    "C:\Windows\System32\cliconfg.exe"
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\clip.exe
    "C:\Windows\System32\clip.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5752
- - C:\Windows\SysWOW64\CloudNotifications.exe
    "C:\Windows\System32\CloudNotifications.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\cmdkey.exe
    "C:\Windows\System32\cmdkey.exe"
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\cmdl32.exe
    "C:\Windows\System32\cmdl32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- - C:\Windows\SysWOW64\cmmon32.exe
    "C:\Windows\System32\cmmon32.exe"
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\cmstp.exe
    "C:\Windows\System32\cmstp.exe"
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\colorcpl.exe
    "C:\Windows\System32\colorcpl.exe"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\comp.exe
    "C:\Windows\System32\comp.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4900
- - C:\Windows\SysWOW64\compact.exe
    "C:\Windows\System32\compact.exe"
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\ComputerDefaults.exe
    "C:\Windows\System32\ComputerDefaults.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5708
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3748
- - C:\Windows\SysWOW64\convert.exe
    "C:\Windows\System32\convert.exe"
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\CredentialUIBroker.exe
    "C:\Windows\System32\CredentialUIBroker.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:240
- - C:\Windows\SysWOW64\credwiz.exe
    "C:\Windows\System32\credwiz.exe"
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\cscript.exe
    "C:\Windows\System32\cscript.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:680
- - C:\Windows\SysWOW64\ctfmon.exe
    "C:\Windows\System32\ctfmon.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 736
      4⤵
      Program crash
      PID:2144
- - C:\Windows\SysWOW64\cttune.exe
    "C:\Windows\System32\cttune.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5760
- - C:\Windows\SysWOW64\cttunesvr.exe
    "C:\Windows\System32\cttunesvr.exe"
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\curl.exe
    "C:\Windows\System32\curl.exe"
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\dccw.exe
    "C:\Windows\System32\dccw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5424
- - C:\Windows\SysWOW64\dcomcnfg.exe
    "C:\Windows\System32\dcomcnfg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
  - - C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:6068
- - C:\Windows\SysWOW64\ddodiag.exe
    "C:\Windows\System32\ddodiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    PID:440
- - C:\Windows\SysWOW64\DevicePairingWizard.exe
    "C:\Windows\System32\DevicePairingWizard.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1276
- - C:\Windows\SysWOW64\dfrgui.exe
    "C:\Windows\System32\dfrgui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5340
- - C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\System32\dialer.exe"
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\diskpart.exe
    "C:\Windows\System32\diskpart.exe"
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\System32\diskperf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628
- - C:\Windows\SysWOW64\diskusage.exe
    "C:\Windows\System32\diskusage.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3708
- - C:\Windows\SysWOW64\Dism.exe
    "C:\Windows\System32\Dism.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3680
- - C:\Windows\SysWOW64\dllhost.exe
    "C:\Windows\System32\dllhost.exe"
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\dllhst3g.exe
    "C:\Windows\System32\dllhst3g.exe"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\doskey.exe
    "C:\Windows\System32\doskey.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2292
- - C:\Windows\SysWOW64\dpapimig.exe
    "C:\Windows\System32\dpapimig.exe"
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\DpiScaling.exe
    "C:\Windows\System32\DpiScaling.exe"
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\driverquery.exe
    "C:\Windows\System32\driverquery.exe"
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\dtdump.exe
    "C:\Windows\System32\dtdump.exe"
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\dvdplay.exe
    "C:\Windows\System32\dvdplay.exe"
    3⤵
    PID:1144
  - - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      /device:dvd
      4⤵
      PID:2316
    - - C:\Windows\SysWOW64\unregmp2.exe
        
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:772
      - C:\Windows\system32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        6⤵
        Enumerates connected drives
        
        PID:5372
- - C:\Windows\SysWOW64\DWWIN.EXE
    "C:\Windows\System32\DWWIN.EXE"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\dxdiag.exe
    "C:\Windows\System32\dxdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5348
- - C:\Windows\SysWOW64\EaseOfAccessDialog.exe
    "C:\Windows\System32\EaseOfAccessDialog.exe"
    3⤵
    PID:460
- - C:\Windows\SysWOW64\edpnotify.exe
    "C:\Windows\System32\edpnotify.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- - C:\Windows\SysWOW64\efsui.exe
    "C:\Windows\System32\efsui.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5988
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1040
- - C:\Windows\SysWOW64\esentutl.exe
    "C:\Windows\System32\esentutl.exe"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\eudcedit.exe
    "C:\Windows\System32\eudcedit.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5364
- - C:\Windows\SysWOW64\eventcreate.exe
    "C:\Windows\System32\eventcreate.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3580
- - C:\Windows\SysWOW64\eventvwr.exe
    "C:\Windows\System32\eventvwr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3688
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\expand.exe
    "C:\Windows\System32\expand.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5640
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3428
- - C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe
    C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe "C:\Windows\System32\explorer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3112
- - C:\Windows\SysWOW64\extrac32.exe
    "C:\Windows\System32\extrac32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- - C:\Windows\SysWOW64\fc.exe
    "C:\Windows\System32\fc.exe"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\find.exe
    "C:\Windows\System32\find.exe"
    3⤵
    PID:5956
- - C:\Windows\SysWOW64\findstr.exe
    "C:\Windows\System32\findstr.exe"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\finger.exe
    "C:\Windows\System32\finger.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4112
- - C:\Windows\SysWOW64\fixmapi.exe
    "C:\Windows\System32\fixmapi.exe"
    3⤵
    - Drops file in System32 directory
    PID:4944
- - C:\Windows\SysWOW64\fltMC.exe
    "C:\Windows\System32\fltMC.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360
- - C:\Windows\SysWOW64\Fondue.exe
    "C:\Windows\System32\Fondue.exe"
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3196
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe"
    3⤵
    PID:5904
- - C:\Windows\SysWOW64\fsquirt.exe
    "C:\Windows\System32\fsquirt.exe"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\fsutil.exe
    "C:\Windows\System32\fsutil.exe"
    3⤵
    PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument ftp://ftp.exe/
    3⤵
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x370,0x7fffcc24f208,0x7fffcc24f214,0x7fffcc24f220
      4⤵
      PID:4280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1668,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:11
      4⤵
      PID:3184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2168,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:5988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2340,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=2508 /prefetch:13
      4⤵
      PID:3936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3372,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=3432 /prefetch:1
      4⤵
      PID:2872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3364,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=3412 /prefetch:1
      4⤵
      PID:3420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5084,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=5116 /prefetch:14
      4⤵
      PID:6756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5080,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=5164 /prefetch:14
      4⤵
      PID:6744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5072,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:14
      4⤵
      PID:6684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5396,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:14
      4⤵
      PID:6472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5404,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:14
      4⤵
      PID:3672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2024,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:14
      4⤵
      PID:6336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6572,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=6448 /prefetch:14
      4⤵
      PID:7552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1140
        5⤵
        
        PID:4404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6652,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:14
      4⤵
      PID:7920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6652,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:14
      4⤵
      PID:7940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=2460,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=5600 /prefetch:1
      4⤵
      PID:4528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=5424,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:1
      4⤵
      PID:5248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6880,i,13598466090226479655,6736429928211619139,262144 --variations-seed-version --mojo-platform-channel-handle=1880 /prefetch:10
      4⤵
      PID:2368
- - C:\Windows\SysWOW64\GameBarPresenceWriter.exe
    "C:\Windows\System32\GameBarPresenceWriter.exe"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\GamePanel.exe
    "C:\Windows\System32\GamePanel.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3624
- - C:\Windows\SysWOW64\getmac.exe
    "C:\Windows\System32\getmac.exe"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\gpresult.exe
    "C:\Windows\System32\gpresult.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4708
- - C:\Windows\SysWOW64\gpscript.exe
    "C:\Windows\System32\gpscript.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3368
- - C:\Windows\SysWOW64\gpupdate.exe
    "C:\Windows\System32\gpupdate.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3712
- - C:\Windows\SysWOW64\grpconv.exe
    "C:\Windows\System32\grpconv.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5012
- - C:\Windows\SysWOW64\hdwwiz.exe
    "C:\Windows\System32\hdwwiz.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6008
- - C:\Windows\SysWOW64\help.exe
    "C:\Windows\System32\help.exe"
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\hh.exe
    "C:\Windows\System32\hh.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- - C:\Windows\SysWOW64\HOSTNAME.EXE
    "C:\Windows\System32\HOSTNAME.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:72
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5632
- - C:\Windows\SysWOW64\icsunattend.exe
    "C:\Windows\System32\icsunattend.exe"
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\ieUnatt.exe
    "C:\Windows\System32\ieUnatt.exe"
    3⤵
    - Drops file in Windows directory
    PID:1280
- - C:\Windows\SysWOW64\iexpress.exe
    "C:\Windows\System32\iexpress.exe"
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\InfDefaultInstall.exe
    "C:\Windows\System32\InfDefaultInstall.exe"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\InputSwitchToastHandler.exe
    "C:\Windows\System32\InputSwitchToastHandler.exe"
    3⤵
    PID:776
- - C:\Windows\SysWOW64\instnm.exe
    "C:\Windows\System32\instnm.exe"
    3⤵
    PID:5536
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe"
    3⤵
    - Gathers network information
    PID:984
- - C:\Windows\SysWOW64\iscsicli.exe
    "C:\Windows\System32\iscsicli.exe"
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\iscsicpl.exe
    "C:\Windows\System32\iscsicpl.exe"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\isoburn.exe
    "C:\Windows\System32\isoburn.exe"
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\ktmutil.exe
    "C:\Windows\System32\ktmutil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:352
- - C:\Windows\SysWOW64\label.exe
    "C:\Windows\System32\label.exe"
    3⤵
    - Enumerates system info in registry
    PID:1144
- - C:\Windows\SysWOW64\LaunchTM.exe
    "C:\Windows\System32\LaunchTM.exe"
    3⤵
    PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe
      C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe "C:\Windows\System32\Taskmgr.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2156
- - C:\Windows\SysWOW64\LaunchWinApp.exe
    "C:\Windows\System32\LaunchWinApp.exe"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\System32\lodctr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:72
- - C:\Windows\SysWOW64\logagent.exe
    "C:\Windows\System32\logagent.exe"
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\logman.exe
    "C:\Windows\System32\logman.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5632
- - C:\Windows\SysWOW64\Magnify.exe
    "C:\Windows\System32\Magnify.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1212
- - C:\Windows\SysWOW64\makecab.exe
    "C:\Windows\System32\makecab.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5216
- - C:\Windows\SysWOW64\mavinject.exe
    "C:\Windows\System32\mavinject.exe"
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\mcbuilder.exe
    "C:\Windows\System32\mcbuilder.exe"
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\mfpmp.exe
    "C:\Windows\System32\mfpmp.exe"
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\mmgaserver.exe
    "C:\Windows\System32\mmgaserver.exe"
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\mobsync.exe
    "C:\Windows\System32\mobsync.exe"
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\mountvol.exe
    "C:\Windows\System32\mountvol.exe"
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\MRINFO.EXE
    "C:\Windows\System32\MRINFO.EXE"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\msdt.exe
    "C:\Windows\System32\msdt.exe"
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\msfeedssync.exe
    "C:\Windows\System32\msfeedssync.exe"
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe"
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe"
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\msinfo32.exe
    "C:\Windows\System32\msinfo32.exe"
    3⤵
    PID:424
- - C:\Windows\SysWOW64\msra.exe
    "C:\Windows\System32\msra.exe"
    3⤵
    PID:4152
  - - C:\Windows\system32\msra.exe
      "C:\Windows\system32\msra.exe"
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\System32\mstsc.exe"
    3⤵
    PID:2936
  - - C:\Windows\system32\mstsc.exe
      "C:\Windows\System32\mstsc.exe"
      4⤵
      PID:5188
- - C:\Windows\SysWOW64\mtstocom.exe
    "C:\Windows\System32\mtstocom.exe"
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\MuiUnattend.exe
    "C:\Windows\System32\MuiUnattend.exe"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\ndadmin.exe
    "C:\Windows\System32\ndadmin.exe"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe"
    3⤵
    PID:3976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1
      4⤵
      PID:4748
- - C:\Windows\SysWOW64\net1.exe
    "C:\Windows\System32\net1.exe"
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\netbtugc.exe
    "C:\Windows\System32\netbtugc.exe"
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe
    "C:\Windows\System32\NetCfgNotifyObjectHost.exe"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\netiougc.exe
    "C:\Windows\System32\netiougc.exe"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\Netplwiz.exe
    "C:\Windows\System32\Netplwiz.exe"
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe"
    3⤵
    PID:560
- - C:\Windows\SysWOW64\NETSTAT.EXE
    "C:\Windows\System32\NETSTAT.EXE"
    3⤵
    - Gathers network information
    PID:1620
- - C:\Windows\SysWOW64\newdev.exe
    "C:\Windows\System32\newdev.exe"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:460
- - C:\Windows\SysWOW64\nslookup.exe
    "C:\Windows\System32\nslookup.exe"
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\ntprint.exe
    "C:\Windows\System32\ntprint.exe"
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\odbcad32.exe
    "C:\Windows\System32\odbcad32.exe"
    3⤵
    PID:420
- - C:\Windows\SysWOW64\odbcconf.exe
    "C:\Windows\System32\odbcconf.exe"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    "C:\Windows\System32\OneDriveSetup.exe"
    3⤵
    PID:3804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 2388
      4⤵
      Program crash
      PID:6600
- - C:\Windows\SysWOW64\openfiles.exe
    "C:\Windows\System32\openfiles.exe"
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\OpenWith.exe
    "C:\Windows\System32\OpenWith.exe"
    3⤵
    PID:6224
- - C:\Windows\SysWOW64\OposHost.exe
    "C:\Windows\System32\OposHost.exe"
    3⤵
    PID:6276
- - C:\Windows\SysWOW64\PackagedCWALauncher.exe
    "C:\Windows\System32\PackagedCWALauncher.exe"
    3⤵
    PID:6292
- - C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe
    "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
    3⤵
    PID:6316
- - C:\Windows\SysWOW64\PATHPING.EXE
    "C:\Windows\System32\PATHPING.EXE"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:6332
- - C:\Windows\SysWOW64\pcaui.exe
    "C:\Windows\System32\pcaui.exe"
    3⤵
    PID:6396
- - C:\Windows\SysWOW64\perfhost.exe
    "C:\Windows\System32\perfhost.exe"
    3⤵
    PID:6408
- - C:\Windows\SysWOW64\perfmon.exe
    "C:\Windows\System32\perfmon.exe"
    3⤵
    PID:6476
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /32
      4⤵
      PID:6488
- - C:\Windows\SysWOW64\PickerHost.exe
    "C:\Windows\System32\PickerHost.exe"
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\System32\PING.EXE"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6540
- - C:\Windows\SysWOW64\PkgMgr.exe
    "C:\Windows\System32\PkgMgr.exe"
    3⤵
    PID:6680
- - C:\Windows\SysWOW64\poqexec.exe
    "C:\Windows\System32\poqexec.exe"
    3⤵
    PID:6756
- - C:\Windows\SysWOW64\powercfg.exe
    "C:\Windows\System32\powercfg.exe"
    3⤵
    - Power Settings
    PID:6768
- - C:\Windows\SysWOW64\PresentationHost.exe
    "C:\Windows\System32\PresentationHost.exe"
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\prevhost.exe
    "C:\Windows\System32\prevhost.exe"
    3⤵
    PID:6832
- - C:\Windows\SysWOW64\print.exe
    "C:\Windows\System32\print.exe"
    3⤵
    PID:6888
- - C:\Windows\SysWOW64\printui.exe
    "C:\Windows\System32\printui.exe"
    3⤵
    PID:6932
- - C:\Windows\SysWOW64\proquota.exe
    "C:\Windows\System32\proquota.exe"
    3⤵
    PID:6988
- - C:\Windows\SysWOW64\provlaunch.exe
    "C:\Windows\System32\provlaunch.exe"
    3⤵
    PID:7004
- - C:\Windows\SysWOW64\psr.exe
    "C:\Windows\System32\psr.exe"
    3⤵
    PID:7064
  - - C:\Windows\system32\psr.exe
      "C:\Windows\system32\psr.exe"
      4⤵
      PID:7108
- - C:\Windows\SysWOW64\quickassist.exe
    "C:\Windows\System32\quickassist.exe"
    3⤵
    PID:7124
- - C:\Windows\SysWOW64\rasautou.exe
    "C:\Windows\System32\rasautou.exe"
    3⤵
    PID:6160
- - C:\Windows\SysWOW64\rasdial.exe
    "C:\Windows\System32\rasdial.exe"
    3⤵
    PID:6252
- - C:\Windows\SysWOW64\raserver.exe
    "C:\Windows\System32\raserver.exe"
    3⤵
    PID:6312
- - C:\Windows\SysWOW64\rasphone.exe
    "C:\Windows\System32\rasphone.exe"
    3⤵
    PID:6320
- - C:\Windows\SysWOW64\RdpSa.exe
    "C:\Windows\System32\RdpSa.exe"
    3⤵
    PID:6360
- - C:\Windows\SysWOW64\RdpSaProxy.exe
    "C:\Windows\System32\RdpSaProxy.exe"
    3⤵
    PID:6428
  - - C:\Windows\SysWOW64\RdpSa.exe
      "C:\Windows\system32\RdpSa.exe"
      4⤵
      PID:6628
- - C:\Windows\SysWOW64\RdpSaUacHelper.exe
    "C:\Windows\System32\RdpSaUacHelper.exe"
    3⤵
    PID:6572
- - C:\Windows\SysWOW64\rdrleakdiag.exe
    "C:\Windows\System32\rdrleakdiag.exe"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\ReAgentc.exe
    "C:\Windows\System32\ReAgentc.exe"
    3⤵
    PID:6648
- - C:\Windows\SysWOW64\recover.exe
    "C:\Windows\System32\recover.exe"
    3⤵
    PID:6724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe"
    3⤵
    PID:7008
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:7088
- - C:\Windows\SysWOW64\regedt32.exe
    "C:\Windows\System32\regedt32.exe"
    3⤵
    PID:7160
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:6264
- - C:\Windows\SysWOW64\regini.exe
    "C:\Windows\System32\regini.exe"
    3⤵
    PID:6268
- - C:\Windows\SysWOW64\Register-CimProvider.exe
    "C:\Windows\System32\Register-CimProvider.exe"
    3⤵
    PID:6464
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe"
    3⤵
    PID:6556
- - C:\Windows\SysWOW64\rekeywiz.exe
    "C:\Windows\System32\rekeywiz.exe"
    3⤵
    PID:6692
- - C:\Windows\SysWOW64\relog.exe
    "C:\Windows\System32\relog.exe"
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\replace.exe
    "C:\Windows\System32\replace.exe"
    3⤵
    PID:6904
- - C:\Windows\SysWOW64\resmon.exe
    "C:\Windows\System32\resmon.exe"
    3⤵
    PID:7012
  - - C:\Windows\SysWOW64\perfmon.exe
      "C:\Windows\System32\perfmon.exe" /res
      4⤵
      PID:6740
- - C:\Windows\SysWOW64\RMActivate.exe
    "C:\Windows\System32\RMActivate.exe"
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\RMActivate_isv.exe
    "C:\Windows\System32\RMActivate_isv.exe"
    3⤵
    PID:6884
- - C:\Windows\SysWOW64\RMActivate_ssp.exe
    "C:\Windows\System32\RMActivate_ssp.exe"
    3⤵
    PID:6296
- - C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
    "C:\Windows\System32\RMActivate_ssp_isv.exe"
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\RmClient.exe
    "C:\Windows\System32\RmClient.exe"
    3⤵
    PID:6468
- - C:\Windows\SysWOW64\Robocopy.exe
    "C:\Windows\System32\Robocopy.exe"
    3⤵
    PID:6580
- - C:\Windows\SysWOW64\ROUTE.EXE
    "C:\Windows\System32\ROUTE.EXE"
    3⤵
    PID:6664
- - C:\Windows\SysWOW64\RpcPing.exe
    "C:\Windows\System32\RpcPing.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:6208
- - C:\Windows\SysWOW64\rrinstaller.exe
    "C:\Windows\System32\rrinstaller.exe"
    3⤵
    PID:6196
- - C:\Windows\SysWOW64\runas.exe
    "C:\Windows\System32\runas.exe"
    3⤵
    - Access Token Manipulation: Create Process with Token
    PID:6732
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe"
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\RunLegacyCPLElevated.exe
    "C:\Windows\System32\RunLegacyCPLElevated.exe"
    3⤵
    PID:7000
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\System32\runonce.exe"
    3⤵
    PID:7052
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe"
    3⤵
    - Launches sc.exe
    PID:3884
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe"
    3⤵
    PID:7080
- - C:\Windows\SysWOW64\sdbinst.exe
    "C:\Windows\System32\sdbinst.exe"
    3⤵
    PID:7152
- - C:\Windows\SysWOW64\sdchange.exe
    "C:\Windows\System32\sdchange.exe"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\sdiagnhost.exe
    "C:\Windows\System32\sdiagnhost.exe"
    3⤵
    PID:6280
- - C:\Windows\SysWOW64\SearchFilterHost.exe
    "C:\Windows\System32\SearchFilterHost.exe"
    3⤵
    PID:6304
- - C:\Windows\SysWOW64\SearchIndexer.exe
    "C:\Windows\System32\SearchIndexer.exe"
    3⤵
    PID:6800
- - C:\Windows\SysWOW64\SearchProtocolHost.exe
    "C:\Windows\System32\SearchProtocolHost.exe"
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\SecEdit.exe
    "C:\Windows\System32\SecEdit.exe"
    3⤵
    PID:7024
- - C:\Windows\SysWOW64\secinit.exe
    "C:\Windows\System32\secinit.exe"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\sethc.exe
    "C:\Windows\System32\sethc.exe"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\setup16.exe
    "C:\Windows\System32\setup16.exe"
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\setupugc.exe
    "C:\Windows\System32\setupugc.exe"
    3⤵
    PID:828
- - C:\Windows\SysWOW64\setx.exe
    "C:\Windows\System32\setx.exe"
    3⤵
    PID:7020
- - C:\Windows\SysWOW64\sfc.exe
    "C:\Windows\System32\sfc.exe"
    3⤵
    PID:6968
- - C:\Windows\SysWOW64\shrpubw.exe
    "C:\Windows\System32\shrpubw.exe"
    3⤵
    PID:6096
- - C:\Windows\SysWOW64\shutdown.exe
    "C:\Windows\System32\shutdown.exe"
    3⤵
    PID:7040
- - C:\Windows\SysWOW64\SndVol.exe
    "C:\Windows\System32\SndVol.exe"
    3⤵
    PID:6248
- - C:\Windows\SysWOW64\sort.exe
    "C:\Windows\System32\sort.exe"
    3⤵
    PID:480
- - C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe
    "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
    3⤵
    PID:6716
- - C:\Windows\SysWOW64\srdelayed.exe
    "C:\Windows\System32\srdelayed.exe"
    3⤵
    PID:6428
- - C:\Windows\SysWOW64\stordiag.exe
    "C:\Windows\System32\stordiag.exe"
    3⤵
    PID:6712
  - - C:\Windows\SysWOW64\fltmc.exe
      "fltmc.exe" volumes
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\fltmc.exe
      "fltmc.exe" instances
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\fltmc.exe
      "fltmc.exe" filters
      4⤵
      PID:3552
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /query /xml /tn Microsoft\Windows\Defrag\ScheduledDefrag
      4⤵
      PID:7064
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\SYSTEM\CurrentControlSet\Control\FileSystem C:\Users\Admin\AppData\Local\Temp\StorDiag\FileSystem.reg.txt
      4⤵
      PID:8176
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318} C:\Users\Admin\AppData\Local\Temp\StorDiag\DiskDrive.reg.txt
      4⤵
      PID:7492
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\System\CurrentControlSet\Control\Class\{4d36e96a-e325-11ce-bfc1-08002be10318} C:\Users\Admin\AppData\Local\Temp\StorDiag\HDC.reg.txt
      4⤵
      PID:7312
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318} C:\Users\Admin\AppData\Local\Temp\StorDiag\SCSIAdapter.reg.txt
      4⤵
      PID:7336
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\System\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f} C:\Users\Admin\AppData\Local\Temp\StorDiag\Volume.reg.txt
      4⤵
      PID:8068
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318} C:\Users\Admin\AppData\Local\Temp\StorDiag\CDROM.reg.txt
      4⤵
      PID:7328
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\System\CurrentControlSet\Control\Class\{4d36e97d-e325-11ce-bfc1-08002be10318}\0031 C:\Users\Admin\AppData\Local\Temp\StorDiag\VolMgr.reg.txt
      4⤵
      PID:6920
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\System\CurrentControlSet\Control\Class\{533c5b84-ec70-11d2-9505-00c04f79deaf} C:\Users\Admin\AppData\Local\Temp\StorDiag\VolSnap.reg.txt
      4⤵
      PID:7496
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\System\MountedDevices C:\Users\Admin\AppData\Local\Temp\StorDiag\MountedDevices.reg.txt
      4⤵
      PID:7440
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\DiskSpaceChecking C:\Users\Admin\AppData\Local\Temp\StorDiag\DiskSpaceChecking.reg.txt
      4⤵
      PID:7432
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense C:\Users\Admin\AppData\Local\Temp\StorDiag\StorageSenseHKCU.reg.txt
      4⤵
      PID:7536
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense C:\Users\Admin\AppData\Local\Temp\StorDiag\StorageSenseHKLM.reg.txt
      4⤵
      PID:7664
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches C:\Users\Admin\AppData\Local\Temp\StorDiag\CleanupPlugins.reg.txt
      4⤵
      PID:7672
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath C:\Users\Admin\AppData\Local\Temp\StorDiag\DefragPath.reg.txt
      4⤵
      PID:7696
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\SOFTWARE\Microsoft\Dfrg C:\Users\Admin\AppData\Local\Temp\StorDiag\DfrgStats.reg.txt
      4⤵
      PID:7756
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout C:\Users\Admin\AppData\Local\Temp\StorDiag\BootOptimization.reg.txt
      4⤵
      PID:7832
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks C:\Users\Admin\AppData\Local\Temp\StorDiag\NoLowDiskSpaceChecks.reg.txt
      4⤵
      PID:7556
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Backup" C:\Users\Admin\AppData\Local\Temp\StorDiag\ShellBackupFolder.reg.txt
      4⤵
      PID:7652
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager C:\Users\Admin\AppData\Local\Temp\StorDiag\SyncRootManager.reg.txt
      4⤵
      PID:7236
- - C:\Windows\SysWOW64\subst.exe
    "C:\Windows\System32\subst.exe"
    3⤵
    PID:6728
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    PID:6920
- - C:\Windows\SysWOW64\sxstrace.exe
    "C:\Windows\System32\sxstrace.exe"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\SyncHost.exe
    "C:\Windows\System32\SyncHost.exe"
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\systeminfo.exe
    "C:\Windows\System32\systeminfo.exe"
    3⤵
    - Gathers system information
    PID:6952
- - C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
    "C:\Windows\System32\SystemPropertiesAdvanced.exe"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\SystemPropertiesComputerName.exe
    "C:\Windows\System32\SystemPropertiesComputerName.exe"
    3⤵
    PID:7136
- - C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe
    "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
    3⤵
    PID:6796
- - C:\Windows\SysWOW64\SystemPropertiesHardware.exe
    "C:\Windows\System32\SystemPropertiesHardware.exe"
    3⤵
    PID:6216
- - C:\Windows\SysWOW64\SystemPropertiesPerformance.exe
    "C:\Windows\System32\SystemPropertiesPerformance.exe"
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\SystemPropertiesProtection.exe
    "C:\Windows\System32\SystemPropertiesProtection.exe"
    3⤵
    PID:6468
- - C:\Windows\SysWOW64\SystemPropertiesRemote.exe
    "C:\Windows\System32\SystemPropertiesRemote.exe"
    3⤵
    PID:6356
- - C:\Windows\SysWOW64\SystemUWPLauncher.exe
    "C:\Windows\System32\SystemUWPLauncher.exe"
    3⤵
    PID:6716
- - C:\Windows\SysWOW64\systray.exe
    "C:\Windows\System32\systray.exe"
    3⤵
    PID:6652
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\System32\takeown.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1652
- - C:\Windows\SysWOW64\TapiUnattend.exe
    "C:\Windows\System32\TapiUnattend.exe"
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\tar.exe
    "C:\Windows\System32\tar.exe"
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe"
    3⤵
    - Kills process with taskkill
    PID:6832
- - C:\Windows\SysWOW64\tasklist.exe
    "C:\Windows\System32\tasklist.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:688
- - C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe
    C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe "C:\Windows\System32\Taskmgr.exe"
    3⤵
    PID:6472
- - C:\Windows\SysWOW64\tcmsetup.exe
    "C:\Windows\System32\tcmsetup.exe"
    3⤵
    PID:6572
- - C:\Windows\SysWOW64\TCPSVCS.EXE
    "C:\Windows\System32\TCPSVCS.EXE"
    3⤵
    PID:6976
- - C:\Windows\SysWOW64\ThumbnailExtractionHost.exe
    "C:\Windows\System32\ThumbnailExtractionHost.exe"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\timeout.exe
    "C:\Windows\System32\timeout.exe"
    3⤵
    - Delays execution with timeout.exe
    PID:1504
- - C:\Windows\SysWOW64\TokenBrokerCookies.exe
    "C:\Windows\System32\TokenBrokerCookies.exe"
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\TpmInit.exe
    "C:\Windows\System32\TpmInit.exe"
    3⤵
    PID:6376
- - C:\Windows\SysWOW64\TpmTool.exe
    "C:\Windows\System32\TpmTool.exe"
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\tracerpt.exe
    "C:\Windows\System32\tracerpt.exe"
    3⤵
    PID:7128
- - C:\Windows\SysWOW64\TRACERT.EXE
    "C:\Windows\System32\TRACERT.EXE"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:6356
- - C:\Windows\SysWOW64\TSTheme.exe
    "C:\Windows\System32\TSTheme.exe"
    3⤵
    PID:6660
- - C:\Windows\SysWOW64\TsWpfWrp.exe
    "C:\Windows\System32\TsWpfWrp.exe"
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\ttdinject.exe
    "C:\Windows\System32\ttdinject.exe"
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\tttracer.exe
    "C:\Windows\System32\tttracer.exe"
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\typeperf.exe
    "C:\Windows\System32\typeperf.exe"
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\tzutil.exe
    "C:\Windows\System32\tzutil.exe"
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\unlodctr.exe
    "C:\Windows\System32\unlodctr.exe"
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe"
    3⤵
    PID:6988
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /REENTRANT
      4⤵
      PID:7072
- - C:\Windows\SysWOW64\upnpcont.exe
    "C:\Windows\System32\upnpcont.exe"
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\user.exe
    "C:\Windows\System32\user.exe"
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\UserAccountBroker.exe
    "C:\Windows\System32\UserAccountBroker.exe"
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\UserAccountControlSettings.exe
    "C:\Windows\System32\UserAccountControlSettings.exe"
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\userinit.exe
    "C:\Windows\System32\userinit.exe"
    3⤵
    PID:6608
  - - C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe
      C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe C:\Windows\Explorer.EXE
      4⤵
      PID:3716
- - C:\Windows\SysWOW64\Utilman.exe
    "C:\Windows\System32\Utilman.exe"
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\verclsid.exe
    "C:\Windows\System32\verclsid.exe"
    3⤵
    PID:7188
- - C:\Windows\SysWOW64\verifiergui.exe
    "C:\Windows\System32\verifiergui.exe"
    3⤵
    PID:7216
- - C:\Windows\SysWOW64\w32tm.exe
    "C:\Windows\System32\w32tm.exe"
    3⤵
    PID:7308
  - - C:\Windows\system32\w32tm.exe
      "C:\Windows\System32\w32tm.exe"
      4⤵
      PID:7396
- - C:\Windows\SysWOW64\waitfor.exe
    "C:\Windows\System32\waitfor.exe"
    3⤵
    PID:7408
- - C:\Windows\SysWOW64\wecutil.exe
    "C:\Windows\System32\wecutil.exe"
    3⤵
    PID:7484
- - C:\Windows\SysWOW64\WerFault.exe
    "C:\Windows\System32\WerFault.exe"
    3⤵
    PID:7592
- - C:\Windows\SysWOW64\WerFaultSecure.exe
    "C:\Windows\System32\WerFaultSecure.exe"
    3⤵
    PID:7724
- - C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\System32\wermgr.exe"
    3⤵
    PID:7748
- - C:\Windows\SysWOW64\wevtutil.exe
    "C:\Windows\System32\wevtutil.exe"
    3⤵
    PID:7792
- - C:\Windows\SysWOW64\wextract.exe
    "C:\Windows\System32\wextract.exe"
    3⤵
    PID:7856
- - C:\Windows\SysWOW64\where.exe
    "C:\Windows\System32\where.exe"
    3⤵
    PID:7892
- - C:\Windows\SysWOW64\whoami.exe
    "C:\Windows\System32\whoami.exe"
    3⤵
    PID:7972
- - C:\Windows\SysWOW64\wiaacmgr.exe
    "C:\Windows\System32\wiaacmgr.exe"
    3⤵
    PID:8024
- - C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe
    "C:\Windows\System32\Windows.Media.BackgroundPlayback.exe"
    3⤵
    PID:8092
- - C:\Windows\SysWOW64\Windows.WARP.JITService.exe
    "C:\Windows\System32\Windows.WARP.JITService.exe"
    3⤵
    PID:8176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8176 -s 212
      4⤵
      Program crash
      PID:7228
- - C:\Windows\SysWOW64\winrs.exe
    "C:\Windows\System32\winrs.exe"
    3⤵
    PID:7276
- - C:\Windows\SysWOW64\winrshost.exe
    "C:\Windows\System32\winrshost.exe"
    3⤵
    PID:7368
- - C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe
    "C:\Windows\System32\WinRTNetMUAHostServer.exe"
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\winver.exe
    "C:\Windows\System32\winver.exe"
    3⤵
    PID:7648
- - C:\Windows\SysWOW64\wlanext.exe
    "C:\Windows\System32\wlanext.exe"
    3⤵
    PID:7796
- - C:\Windows\SysWOW64\wowreg32.exe
    "C:\Windows\System32\wowreg32.exe"
    3⤵
    PID:7268
- - C:\Windows\SysWOW64\WPDShextAutoplay.exe
    "C:\Windows\System32\WPDShextAutoplay.exe"
    3⤵
    PID:8028
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:5368
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:8080
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe"
    3⤵
    PID:7248
- - C:\Windows\SysWOW64\WSManHTTPConfig.exe
    "C:\Windows\System32\WSManHTTPConfig.exe"
    3⤵
    PID:7764
- - C:\Windows\SysWOW64\wsmprovhost.exe
    "C:\Windows\System32\wsmprovhost.exe"
    3⤵
    PID:7280
- - C:\Windows\SysWOW64\wusa.exe
    "C:\Windows\System32\wusa.exe"
    3⤵
    PID:7320
- - C:\Windows\SysWOW64\WWAHost.exe
    "C:\Windows\System32\WWAHost.exe"
    3⤵
    PID:7384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 396
      4⤵
      Program crash
      PID:6988
- - C:\Windows\SysWOW64\xcopy.exe
    "C:\Windows\System32\xcopy.exe"
    3⤵
    PID:7440
- - C:\Windows\SysWOW64\xwizard.exe
    "C:\Windows\System32\xwizard.exe"
    3⤵
    PID:7740
- - C:\Windows\SysWOW64\agentactivationruntimestarter.exe
    "C:\Windows\System32\agentactivationruntimestarter.exe"
    3⤵
    PID:7796
- - C:\Windows\SysWOW64\appidtel.exe
    "C:\Windows\System32\appidtel.exe"
    3⤵
    PID:7832
- - C:\Windows\SysWOW64\ARP.EXE
    "C:\Windows\System32\ARP.EXE"
    3⤵
    PID:7916
- - C:\Windows\SysWOW64\at.exe
    "C:\Windows\System32\at.exe"
    3⤵
    PID:7348
- - C:\Windows\SysWOW64\AtBroker.exe
    "C:\Windows\System32\AtBroker.exe"
    3⤵
    PID:4896
  - - C:\Windows\SysWOW64\Magnify.exe
      "C:\Windows\System32\Magnify.exe"
      4⤵
      PID:1280
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe"
    3⤵
    - Views/modifies file attributes
    PID:2112
- - C:\Windows\SysWOW64\auditpol.exe
    "C:\Windows\System32\auditpol.exe"
    3⤵
    PID:7252
- - C:\Windows\SysWOW64\autochk.exe
    "C:\Windows\System32\autochk.exe"
    3⤵
    PID:7244
- - C:\Windows\SysWOW64\backgroundTaskHost.exe
    "C:\Windows\System32\backgroundTaskHost.exe"
    3⤵
    PID:7284
- - C:\Windows\SysWOW64\BackgroundTransferHost.exe
    "C:\Windows\System32\BackgroundTransferHost.exe"
    3⤵
    PID:7372
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe"
    3⤵
    PID:7384
- - C:\Windows\SysWOW64\bthudtask.exe
    "C:\Windows\System32\bthudtask.exe"
    3⤵
    PID:7424
- - C:\Windows\SysWOW64\ByteCodeGenerator.exe
    "C:\Windows\System32\ByteCodeGenerator.exe"
    3⤵
    PID:7676
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe"
    3⤵
    PID:7696
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\System32\calc.exe"
    3⤵
    PID:7760
- - C:\Windows\SysWOW64\CameraSettingsUIHost.exe
    "C:\Windows\System32\CameraSettingsUIHost.exe"
    3⤵
    PID:7956
- - C:\Windows\SysWOW64\CertEnrollCtrl.exe
    "C:\Windows\System32\CertEnrollCtrl.exe"
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\certreq.exe
    "C:\Windows\System32\certreq.exe"
    3⤵
    PID:7988
- - C:\Windows\SysWOW64\certutil.exe
    "C:\Windows\System32\certutil.exe"
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\charmap.exe
    "C:\Windows\System32\charmap.exe"
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\CheckNetIsolation.exe
    "C:\Windows\System32\CheckNetIsolation.exe"
    3⤵
    PID:828
- - C:\Windows\SysWOW64\chkdsk.exe
    "C:\Windows\System32\chkdsk.exe"
    3⤵
    PID:7092
- - C:\Windows\SysWOW64\chkntfs.exe
    "C:\Windows\System32\chkntfs.exe"
    3⤵
    PID:7352
- - C:\Windows\SysWOW64\choice.exe
    "C:\Windows\System32\choice.exe"
    3⤵
    PID:8056
- - C:\Windows\SysWOW64\cipher.exe
    "C:\Windows\System32\cipher.exe"
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\cleanmgr.exe
    "C:\Windows\System32\cleanmgr.exe"
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\cliconfg.exe
    "C:\Windows\System32\cliconfg.exe"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\clip.exe
    "C:\Windows\System32\clip.exe"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\CloudNotifications.exe
    "C:\Windows\System32\CloudNotifications.exe"
    3⤵
    PID:7788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\cmdkey.exe
    "C:\Windows\System32\cmdkey.exe"
    3⤵
    PID:7524
- - C:\Windows\SysWOW64\cmdl32.exe
    "C:\Windows\System32\cmdl32.exe"
    3⤵
    PID:7560
- - C:\Windows\SysWOW64\cmmon32.exe
    "C:\Windows\System32\cmmon32.exe"
    3⤵
    PID:7848
- - C:\Windows\SysWOW64\cmstp.exe
    "C:\Windows\System32\cmstp.exe"
    3⤵
    PID:7552
- - C:\Windows\SysWOW64\colorcpl.exe
    "C:\Windows\System32\colorcpl.exe"
    3⤵
    PID:7936
- - C:\Windows\SysWOW64\comp.exe
    "C:\Windows\System32\comp.exe"
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\compact.exe
    "C:\Windows\System32\compact.exe"
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\ComputerDefaults.exe
    "C:\Windows\System32\ComputerDefaults.exe"
    3⤵
    PID:6820
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:7420
- - C:\Windows\SysWOW64\convert.exe
    "C:\Windows\System32\convert.exe"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\CredentialUIBroker.exe
    "C:\Windows\System32\CredentialUIBroker.exe"
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\credwiz.exe
    "C:\Windows\System32\credwiz.exe"
    3⤵
    PID:7336
- - C:\Windows\SysWOW64\cscript.exe
    "C:\Windows\System32\cscript.exe"
    3⤵
    PID:7460
- - C:\Windows\SysWOW64\ctfmon.exe
    "C:\Windows\System32\ctfmon.exe"
    3⤵
    PID:7504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7504 -s 728
      4⤵
      Program crash
      PID:7612
- - C:\Windows\SysWOW64\cttune.exe
    "C:\Windows\System32\cttune.exe"
    3⤵
    PID:7260
- - C:\Windows\SysWOW64\cttunesvr.exe
    "C:\Windows\System32\cttunesvr.exe"
    3⤵
    PID:7392
- - C:\Windows\SysWOW64\curl.exe
    "C:\Windows\System32\curl.exe"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\dccw.exe
    "C:\Windows\System32\dccw.exe"
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\dcomcnfg.exe
    "C:\Windows\System32\dcomcnfg.exe"
    3⤵
    PID:1156
  - - C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
      4⤵
      PID:6948
- - C:\Windows\SysWOW64\ddodiag.exe
    "C:\Windows\System32\ddodiag.exe"
    3⤵
    PID:7640
- - C:\Windows\SysWOW64\DevicePairingWizard.exe
    "C:\Windows\System32\DevicePairingWizard.exe"
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\dfrgui.exe
    "C:\Windows\System32\dfrgui.exe"
    3⤵
    PID:7844
- - C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\System32\dialer.exe"
    3⤵
    PID:7900
- - C:\Windows\SysWOW64\diskpart.exe
    "C:\Windows\System32\diskpart.exe"
    3⤵
    PID:8092
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\System32\diskperf.exe"
    3⤵
    PID:7960
- - C:\Windows\SysWOW64\diskusage.exe
    "C:\Windows\System32\diskusage.exe"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\Dism.exe
    "C:\Windows\System32\Dism.exe"
    3⤵
    PID:6788
- - C:\Windows\SysWOW64\dllhost.exe
    "C:\Windows\System32\dllhost.exe"
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\dllhst3g.exe
    "C:\Windows\System32\dllhst3g.exe"
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\doskey.exe
    "C:\Windows\System32\doskey.exe"
    3⤵
    PID:7728
- - C:\Windows\SysWOW64\dpapimig.exe
    "C:\Windows\System32\dpapimig.exe"
    3⤵
    PID:7316
- - C:\Windows\SysWOW64\DpiScaling.exe
    "C:\Windows\System32\DpiScaling.exe"
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\driverquery.exe
    "C:\Windows\System32\driverquery.exe"
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\dtdump.exe
    "C:\Windows\System32\dtdump.exe"
    3⤵
    PID:7836
- - C:\Windows\SysWOW64\dvdplay.exe
    "C:\Windows\System32\dvdplay.exe"
    3⤵
    PID:6748
  - - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      /device:dvd
      4⤵
      PID:6904
- - C:\Windows\SysWOW64\DWWIN.EXE
    "C:\Windows\System32\DWWIN.EXE"
    3⤵
    PID:8104
- - C:\Windows\SysWOW64\dxdiag.exe
    "C:\Windows\System32\dxdiag.exe"
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\EaseOfAccessDialog.exe
    "C:\Windows\System32\EaseOfAccessDialog.exe"
    3⤵
    PID:8004
- - C:\Windows\SysWOW64\edpnotify.exe
    "C:\Windows\System32\edpnotify.exe"
    3⤵
    PID:7284
- - C:\Windows\SysWOW64\efsui.exe
    "C:\Windows\System32\efsui.exe"
    3⤵
    PID:8184
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\esentutl.exe
    "C:\Windows\System32\esentutl.exe"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\eudcedit.exe
    "C:\Windows\System32\eudcedit.exe"
    3⤵
    PID:7236
- - C:\Windows\SysWOW64\eventcreate.exe
    "C:\Windows\System32\eventcreate.exe"
    3⤵
    PID:7504
- - C:\Windows\SysWOW64\eventvwr.exe
    "C:\Windows\System32\eventvwr.exe"
    3⤵
    PID:4496
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
      4⤵
      PID:5916
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
        5⤵
        
        PID:7752
- - C:\Windows\SysWOW64\expand.exe
    "C:\Windows\System32\expand.exe"
    3⤵
    PID:888
- - C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe
    C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe "C:\Windows\System32\explorer.exe"
    3⤵
    PID:8120
- - C:\Windows\SysWOW64\extrac32.exe
    "C:\Windows\System32\extrac32.exe"
    3⤵
    PID:7836
- - C:\Windows\SysWOW64\fc.exe
    "C:\Windows\System32\fc.exe"
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\find.exe
    "C:\Windows\System32\find.exe"
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\findstr.exe
    "C:\Windows\System32\findstr.exe"
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\finger.exe
    "C:\Windows\System32\finger.exe"
    3⤵
    PID:7188
- - C:\Windows\SysWOW64\fixmapi.exe
    "C:\Windows\System32\fixmapi.exe"
    3⤵
    PID:7200
- - C:\Windows\SysWOW64\fltMC.exe
    "C:\Windows\System32\fltMC.exe"
    3⤵
    PID:8108
- - C:\Windows\SysWOW64\Fondue.exe
    "C:\Windows\System32\Fondue.exe"
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\fontview.exe
    "C:\Windows\System32\fontview.exe"
    3⤵
    PID:772
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe"
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "240436ed-8fd0-4336-81e7-f0394a7c0838.tmp"
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "6fd75da541f0493990717c56c72665b3.exe"
      4⤵
      PID:6776
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "74c6e07ee1f544bb962fd0c483b25fdb.exe"
      4⤵
      PID:7844
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "76b83be2029547c996fd60d5c1bb3a0a.exe"
      4⤵
      PID:4820
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "910703136"
      4⤵
      PID:5468
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "acrocef_low"
      4⤵
      PID:484
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "AdobeSFX.log"
      4⤵
      PID:4612
  - - C:\Windows\SysWOW64\cmd.exe
      /c echo "aria-debug-3804.log"
      4⤵
      PID:6700
- - C:\Windows\SysWOW64\fsquirt.exe
    "C:\Windows\System32\fsquirt.exe"
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\fsutil.exe
    "C:\Windows\System32\fsutil.exe"
    3⤵
    PID:3408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument ftp://ftp.exe/
    3⤵
    PID:7288
- - C:\Windows\SysWOW64\GameBarPresenceWriter.exe
    "C:\Windows\System32\GameBarPresenceWriter.exe"
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\GamePanel.exe
    "C:\Windows\System32\GamePanel.exe"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\getmac.exe
    "C:\Windows\System32\getmac.exe"
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\gpresult.exe
    "C:\Windows\System32\gpresult.exe"
    3⤵
    PID:7232
- - C:\Windows\SysWOW64\gpscript.exe
    "C:\Windows\System32\gpscript.exe"
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\gpupdate.exe
    "C:\Windows\System32\gpupdate.exe"
    3⤵
    PID:7476
- - C:\Windows\SysWOW64\grpconv.exe
    "C:\Windows\System32\grpconv.exe"
    3⤵
    PID:8084
- - C:\Windows\SysWOW64\hdwwiz.exe
    "C:\Windows\System32\hdwwiz.exe"
    3⤵
    PID:7948
- - C:\Windows\SysWOW64\help.exe
    "C:\Windows\System32\help.exe"
    3⤵
    PID:6592
- - C:\Windows\SysWOW64\hh.exe
    "C:\Windows\System32\hh.exe"
    3⤵
    PID:7736
- - C:\Windows\SysWOW64\HOSTNAME.EXE
    "C:\Windows\System32\HOSTNAME.EXE"
    3⤵
    PID:6748
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:7756
- - C:\Windows\SysWOW64\icsunattend.exe
    "C:\Windows\System32\icsunattend.exe"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\ieUnatt.exe
    "C:\Windows\System32\ieUnatt.exe"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\iexpress.exe
    "C:\Windows\System32\iexpress.exe"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\InfDefaultInstall.exe
    "C:\Windows\System32\InfDefaultInstall.exe"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\InputSwitchToastHandler.exe
    "C:\Windows\System32\InputSwitchToastHandler.exe"
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\instnm.exe
    "C:\Windows\System32\instnm.exe"
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe"
    3⤵
    - Gathers network information
    PID:7632
- - C:\Windows\SysWOW64\iscsicli.exe
    "C:\Windows\System32\iscsicli.exe"
    3⤵
    PID:7200
- - C:\Windows\SysWOW64\iscsicpl.exe
    "C:\Windows\System32\iscsicpl.exe"
    3⤵
    PID:6608
- - C:\Windows\SysWOW64\isoburn.exe
    "C:\Windows\System32\isoburn.exe"
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\ktmutil.exe
    "C:\Windows\System32\ktmutil.exe"
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\label.exe
    "C:\Windows\System32\label.exe"
    3⤵
    PID:7736
- - C:\Windows\SysWOW64\LaunchTM.exe
    "C:\Windows\System32\LaunchTM.exe"
    3⤵
    PID:5468
  - - C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe
      C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe "C:\Windows\System32\Taskmgr.exe"
      4⤵
      PID:5452
- - C:\Windows\SysWOW64\LaunchWinApp.exe
    "C:\Windows\System32\LaunchWinApp.exe"
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\System32\lodctr.exe"
    3⤵
    PID:648
- - C:\Windows\SysWOW64\logagent.exe
    "C:\Windows\System32\logagent.exe"
    3⤵
    PID:6712
- - C:\Windows\SysWOW64\logman.exe
    "C:\Windows\System32\logman.exe"
    3⤵
    PID:6544
- - C:\Windows\SysWOW64\Magnify.exe
    "C:\Windows\System32\Magnify.exe"
    3⤵
    PID:7288
- - C:\Windows\SysWOW64\makecab.exe
    "C:\Windows\System32\makecab.exe"
    3⤵
    PID:6428
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5436
- - C:\Windows\SysWOW64\mavinject.exe
    "C:\Windows\System32\mavinject.exe"
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\mcbuilder.exe
    "C:\Windows\System32\mcbuilder.exe"
    3⤵
    PID:6224
- - C:\Windows\SysWOW64\mfpmp.exe
    "C:\Windows\System32\mfpmp.exe"
    3⤵
    PID:7656
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    PID:3652
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      PID:5500
- - C:\Windows\SysWOW64\mmgaserver.exe
    "C:\Windows\System32\mmgaserver.exe"
    3⤵
    PID:7980
- - C:\Windows\SysWOW64\mobsync.exe
    "C:\Windows\System32\mobsync.exe"
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\mountvol.exe
    "C:\Windows\System32\mountvol.exe"
    3⤵
    PID:8100
- - C:\Windows\SysWOW64\MRINFO.EXE
    "C:\Windows\System32\MRINFO.EXE"
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\msdt.exe
    "C:\Windows\System32\msdt.exe"
    3⤵
    PID:6828
- - C:\Windows\SysWOW64\msfeedssync.exe
    "C:\Windows\System32\msfeedssync.exe"
    3⤵
    PID:6824
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe"
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe"
    3⤵
    PID:7968
- - C:\Windows\SysWOW64\msinfo32.exe
    "C:\Windows\System32\msinfo32.exe"
    3⤵
    PID:8184
- - C:\Windows\SysWOW64\msra.exe
    "C:\Windows\System32\msra.exe"
    3⤵
    PID:4616
  - - C:\Windows\system32\msra.exe
      "C:\Windows\system32\msra.exe"
      4⤵
      PID:3580
- - C:\Windows\SysWOW64\mstsc.exe
    "C:\Windows\System32\mstsc.exe"
    3⤵
    PID:6064
  - - C:\Windows\system32\mstsc.exe
      "C:\Windows\System32\mstsc.exe"
      4⤵
      PID:1448
- - C:\Windows\SysWOW64\mtstocom.exe
    "C:\Windows\System32\mtstocom.exe"
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\MuiUnattend.exe
    "C:\Windows\System32\MuiUnattend.exe"
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\ndadmin.exe
    "C:\Windows\System32\ndadmin.exe"
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe"
    3⤵
    PID:4604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1
      4⤵
      PID:6824
- - C:\Windows\SysWOW64\net1.exe
    "C:\Windows\System32\net1.exe"
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\netbtugc.exe
    "C:\Windows\System32\netbtugc.exe"
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe
    "C:\Windows\System32\NetCfgNotifyObjectHost.exe"
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\netiougc.exe
    "C:\Windows\System32\netiougc.exe"
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\Netplwiz.exe
    "C:\Windows\System32\Netplwiz.exe"
    3⤵
    PID:7760
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\NETSTAT.EXE
    "C:\Windows\System32\NETSTAT.EXE"
    3⤵
    - Gathers network information
    PID:2812
- - C:\Windows\SysWOW64\newdev.exe
    "C:\Windows\System32\newdev.exe"
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\nslookup.exe
    "C:\Windows\System32\nslookup.exe"
    3⤵
    PID:648
- - C:\Windows\SysWOW64\ntprint.exe
    "C:\Windows\System32\ntprint.exe"
    3⤵
    PID:6544
- - C:\Windows\SysWOW64\odbcad32.exe
    "C:\Windows\System32\odbcad32.exe"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\odbcconf.exe
    "C:\Windows\System32\odbcconf.exe"
    3⤵
    PID:232
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    "C:\Windows\System32\OneDriveSetup.exe"
    3⤵
    PID:3808
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /cusid:S-1-5-21-3920535620-1286624088-2946613906-1000
      4⤵
      PID:7328
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      C:\Windows\SysWOW64\OneDriveSetup.exe /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe
      4⤵
      PID:6344
- - C:\Windows\SysWOW64\openfiles.exe
    "C:\Windows\System32\openfiles.exe"
    3⤵
    PID:6776
- - C:\Windows\SysWOW64\OpenWith.exe
    "C:\Windows\System32\OpenWith.exe"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\OposHost.exe
    "C:\Windows\System32\OposHost.exe"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\PackagedCWALauncher.exe
    "C:\Windows\System32\PackagedCWALauncher.exe"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe
    "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\PATHPING.EXE
    "C:\Windows\System32\PATHPING.EXE"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4272
- - C:\Windows\SysWOW64\pcaui.exe
    "C:\Windows\System32\pcaui.exe"
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\perfhost.exe
    "C:\Windows\System32\perfhost.exe"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\perfmon.exe
    "C:\Windows\System32\perfmon.exe"
    3⤵
    PID:4604
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /32
      4⤵
      PID:4068
- - C:\Windows\SysWOW64\PickerHost.exe
    "C:\Windows\System32\PickerHost.exe"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\System32\PING.EXE"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4612
- - C:\Windows\SysWOW64\PkgMgr.exe
    "C:\Windows\System32\PkgMgr.exe"
    3⤵
    PID:7344
- - C:\Windows\SysWOW64\poqexec.exe
    "C:\Windows\System32\poqexec.exe"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\powercfg.exe
    "C:\Windows\System32\powercfg.exe"
    3⤵
    - Power Settings
    PID:2432
- - C:\Windows\SysWOW64\PresentationHost.exe
    "C:\Windows\System32\PresentationHost.exe"
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\prevhost.exe
    "C:\Windows\System32\prevhost.exe"
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\print.exe
    "C:\Windows\System32\print.exe"
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\printui.exe
    "C:\Windows\System32\printui.exe"
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\proquota.exe
    "C:\Windows\System32\proquota.exe"
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\provlaunch.exe
    "C:\Windows\System32\provlaunch.exe"
    3⤵
    PID:6880
- - C:\Windows\SysWOW64\psr.exe
    "C:\Windows\System32\psr.exe"
    3⤵
    PID:5148
  - - C:\Windows\system32\psr.exe
      "C:\Windows\system32\psr.exe"
      4⤵
      PID:3568
- - C:\Windows\SysWOW64\quickassist.exe
    "C:\Windows\System32\quickassist.exe"
    3⤵
    PID:7904
- - C:\Windows\SysWOW64\rasautou.exe
    "C:\Windows\System32\rasautou.exe"
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\rasdial.exe
    "C:\Windows\System32\rasdial.exe"
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\raserver.exe
    "C:\Windows\System32\raserver.exe"
    3⤵
    PID:7676
- - C:\Windows\SysWOW64\rasphone.exe
    "C:\Windows\System32\rasphone.exe"
    3⤵
    PID:392
- - C:\Windows\SysWOW64\RdpSa.exe
    "C:\Windows\System32\RdpSa.exe"
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\RdpSaProxy.exe
    "C:\Windows\System32\RdpSaProxy.exe"
    3⤵
    PID:7200
  - - C:\Windows\SysWOW64\RdpSa.exe
      "C:\Windows\system32\RdpSa.exe"
      4⤵
      PID:3244
- - C:\Windows\SysWOW64\RdpSaUacHelper.exe
    "C:\Windows\System32\RdpSaUacHelper.exe"
    3⤵
    PID:6520
- - C:\Windows\SysWOW64\rdrleakdiag.exe
    "C:\Windows\System32\rdrleakdiag.exe"
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\ReAgentc.exe
    "C:\Windows\System32\ReAgentc.exe"
    3⤵
    PID:7848
- - C:\Windows\SysWOW64\recover.exe
    "C:\Windows\System32\recover.exe"
    3⤵
    PID:7324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe"
    3⤵
    PID:6172
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:7448
- - C:\Windows\SysWOW64\regedt32.exe
    "C:\Windows\System32\regedt32.exe"
    3⤵
    PID:5696
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe"
      4⤵
      Runs regedit.exe
      PID:7324
- - C:\Windows\SysWOW64\regini.exe
    "C:\Windows\System32\regini.exe"
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\Register-CimProvider.exe
    "C:\Windows\System32\Register-CimProvider.exe"
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe"
    3⤵
    PID:7028
- - C:\Windows\SysWOW64\rekeywiz.exe
    "C:\Windows\System32\rekeywiz.exe"
    3⤵
    PID:7288
- - C:\Windows\SysWOW64\relog.exe
    "C:\Windows\System32\relog.exe"
    3⤵
    PID:6064
- C:\Users\Admin\AppData\Local\Temp\b1bfaf55f930427fadc2c75873c56404.exe
  "C:\Users\Admin\AppData\Local\Temp\b1bfaf55f930427fadc2c75873c56404.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol a: /d
    3⤵
    PID:7472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol b: /d
    3⤵
    PID:7500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol c: /d
    3⤵
    PID:7572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol d: /d
    3⤵
    PID:7600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol e: /d
    3⤵
    PID:7692
- C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe
  "C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe"
  2⤵
  - UAC bypass
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:5228
- C:\Users\Admin\AppData\Local\Temp\edc50bba4d6849cbb916a3ed883fb8c8.exe
  "C:\Users\Admin\AppData\Local\Temp\edc50bba4d6849cbb916a3ed883fb8c8.exe"
  2⤵
  PID:5048
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3CDD.tmp\3CDE.bat C:\Users\Admin\AppData\Local\Temp\edc50bba4d6849cbb916a3ed883fb8c8.exe"
    3⤵
    PID:6676

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
PID:4492

C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Calculator.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:6100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe
C:\Users\Admin\AppData\Local\Temp\76b83be2029547c996fd60d5c1bb3a0a.exe explorer.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 776 -ip 776
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4676
- C:\Windows\system32\dashost.exe
  dashost.exe {a01b7d69-3501-46b0-a1f9d1709f512e65}
  2⤵
  PID:5984
- C:\Windows\system32\dashost.exe
  dashost.exe {c685448c-2f28-4ae7-bebf0be5704a31cb}
  2⤵
  PID:5736
- C:\Windows\system32\dashost.exe
  dashost.exe {281559bc-bd2c-4c1d-890b589d761af5c8}
  2⤵
  PID:3092
- C:\Windows\system32\dashost.exe
  dashost.exe {72f5c041-ff57-47f4-9aca28aae30d6e59}
  2⤵
  PID:7748
- C:\Windows\system32\dashost.exe
  dashost.exe {db428637-5282-42bd-95c6652a6428225c}
  2⤵
  PID:7916
- C:\Windows\system32\dashost.exe
  dashost.exe {43b2ba5d-8f29-4d0c-bd1f6545171c3517}
  2⤵
  PID:2460
- C:\Windows\system32\dashost.exe
  dashost.exe {6a11702f-f22d-4b2d-94e769fcea010fad}
  2⤵
  PID:5248
- C:\Windows\system32\dashost.exe
  dashost.exe {540a48b8-a30e-4ae8-80d37c88ad4b2ccf}
  2⤵
  PID:3488
- C:\Windows\system32\dashost.exe
  dashost.exe {8135d0af-6d01-4b39-86daebe6ec7732e7}
  2⤵
  PID:4776
- C:\Windows\system32\dashost.exe
  dashost.exe {9c7fbfba-4e18-4378-aa913ee4c43339bf}
  2⤵
  PID:6076

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k McpManagementServiceGroup
1⤵
PID:6012

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:3112

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
PID:5916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3804 -ip 3804
1⤵
PID:6504

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
PID:6272

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}
1⤵
PID:5044

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
PID:7208

C:\Windows\SysWOW64\wiaacmgr.exe
C:\Windows\SysWOW64\wiaacmgr.exe -Embedding
1⤵
PID:8052

C:\Windows\System32\wiawow64.exe
C:\Windows\System32\wiawow64.exe -Embedding
1⤵
PID:8184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8176 -ip 8176
1⤵
PID:7196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:7620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 7384 -ip 7384
1⤵
PID:7312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7504 -ip 7504
1⤵
PID:7424

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:7348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k McpManagementServiceGroup
1⤵
PID:5048

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:6784

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6628 -ip 6628
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3244 -ip 3244
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5676 -ip 5676
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6360 -ip 6360
1⤵
PID:6272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery