dcrat | 61863e7d60ce62d9f81bd9a138e1fcd3f0a4344340c2f9922908719a737dbb5d

Analysis

max time kernel
77s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanAlphaCrack.exe
Size

3.4MB
MD5

833fa3b83aa9acbef18b37d69f775b30
SHA1

0d8bd9fef095137b5e879fb6a93b1b0bf17e5cb6
SHA256

61863e7d60ce62d9f81bd9a138e1fcd3f0a4344340c2f9922908719a737dbb5d
SHA512

4e4beba0fa0b32a3d9c386c53471b9f6634715543a639926c5a1b7e7137f70ac27cda146dca120b5ebba40ac592f4b0f2dcfb85964d2c9151c4b641bee044c87
SSDEEP

49152:vMpBCM5f3l+R7eTma4aSE3U3WoalKVnZK0FImmOhJe8DbRhf1+ljL3BPhbIscphW:vMp8MBV+R7QKBralse+Lf8bIxwHw1DI

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2940	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2940	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2940	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2940	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2940	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2940	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2940	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2940	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2940	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2940	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2940	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2940	schtasks.exe	78

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000c000000015635-6.dat	dcrat
behavioral1/files/0x002b000000018f84-12.dat	dcrat
behavioral1/files/0x0006000000018fa0-59.dat	dcrat
behavioral1/memory/976-63-0x00000000011F0000-0x00000000014A6000-memory.dmp	dcrat
behavioral1/files/0x0009000000018fa2-94.dat	dcrat
behavioral1/memory/2060-97-0x0000000000C20000-0x0000000000CF6000-memory.dmp	dcrat
behavioral1/memory/2672-145-0x0000000000310000-0x00000000003E6000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
2212	RuntimeBroker.exe
2860	Windows Driver Foundation.exe
1984	RuntimeBroker.exe
3056	Windows Driver Foundation.exe
664	RuntimeBroker.exe
2340	Windows Driver Foundation.exe
976	portproviderperf.exe
2188	RuntimeBroker.exe
2108	Windows Driver Foundation.exe
2244	portproviderperf.exe
1520	portproviderperf.exe
612	RuntimeBroker.exe
2348	Windows Driver Foundation.exe
2060	bridgecontainerRef.exe
2504	bridgecontainerRef.exe
2776	portproviderperf.exe
2732	RuntimeBroker.exe
632	Windows Driver Foundation.exe
2708	bridgecontainerRef.exe
924	portproviderperf.exe
2332	RuntimeBroker.exe
2624	Windows Driver Foundation.exe
2672	lsass.exe
2928	bridgecontainerRef.exe
2212	portproviderperf.exe
2488	RuntimeBroker.exe
1616	Windows Driver Foundation.exe
456	bridgecontainerRef.exe
2564	portproviderperf.exe
1348	RuntimeBroker.exe
1520	Windows Driver Foundation.exe
3060	bridgecontainerRef.exe
1756	portproviderperf.exe
2512	RuntimeBroker.exe
1052	Windows Driver Foundation.exe
2368	bridgecontainerRef.exe
1504	portproviderperf.exe
2860	RuntimeBroker.exe
1740	Windows Driver Foundation.exe
2504	portproviderperf.exe
584	bridgecontainerRef.exe
2376	RuntimeBroker.exe
1512	Windows Driver Foundation.exe
1052	bridgecontainerRef.exe
2076	portproviderperf.exe
2932	RuntimeBroker.exe
2668	Windows Driver Foundation.exe
1444	bridgecontainerRef.exe
952	portproviderperf.exe
368	RuntimeBroker.exe
2220	Windows Driver Foundation.exe
1808	bridgecontainerRef.exe
2304	portproviderperf.exe
2476	RuntimeBroker.exe
1692	Windows Driver Foundation.exe
2196	bridgecontainerRef.exe
2176	portproviderperf.exe
1588	RuntimeBroker.exe
1560	Windows Driver Foundation.exe
2100	bridgecontainerRef.exe
2976	portproviderperf.exe
2488	RuntimeBroker.exe
2784	Windows Driver Foundation.exe
1552	bridgecontainerRef.exe

Loads dropped DLL 62 IoCs

pid	Process
432	cmd.exe
432	cmd.exe
2272	cmd.exe
1976	cmd.exe
996	cmd.exe
996	cmd.exe
1604	cmd.exe
2548	cmd.exe
1428	cmd.exe
796	cmd.exe
2068	cmd.exe
1680	cmd.exe
2416	cmd.exe
2996	cmd.exe
2264	cmd.exe
572	cmd.exe
1800	cmd.exe
2696	cmd.exe
2880	cmd.exe
1260	cmd.exe
2244	cmd.exe
1628	cmd.exe
548	cmd.exe
1592	cmd.exe
3044	cmd.exe
2676	cmd.exe
2092	cmd.exe
552	cmd.exe
1048	cmd.exe
2636	cmd.exe
1348	cmd.exe
1732	cmd.exe
1096	cmd.exe
2204	cmd.exe
2660	cmd.exe
1500	cmd.exe
2056	cmd.exe
888	cmd.exe
2224	cmd.exe
1680	cmd.exe
1376	cmd.exe
2548	cmd.exe
2148	cmd.exe
1692	cmd.exe
3048	cmd.exe
1608	cmd.exe
1828	cmd.exe
2404	cmd.exe
2980	cmd.exe
2896	cmd.exe
2556	cmd.exe
1932	cmd.exe
2092	cmd.exe
2548	cmd.exe
2524	cmd.exe
2568	cmd.exe
2716	cmd.exe
1808	cmd.exe
1296	cmd.exe
2656	cmd.exe
2972	cmd.exe
1308	cmd.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\69ddcba757bf72	bridgecontainerRef.exe
File created	C:\Program Files (x86)\Google\Temp\bridgecontainerRef.exe	bridgecontainerRef.exe
File created	C:\Program Files (x86)\Google\Temp\a13b180287ec0f	bridgecontainerRef.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\smss.exe	bridgecontainerRef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry key 1 TTPs 60 IoCs

Modify Registry

T1112

pid	Process
2692	reg.exe
2488	reg.exe
2028	reg.exe
2352	reg.exe
2892	reg.exe
1172	reg.exe
968	reg.exe
2076	reg.exe
2276	reg.exe
2652	reg.exe
2600	reg.exe
2144	reg.exe
1316	reg.exe
1052	reg.exe
1948	reg.exe
2396	reg.exe
2760	reg.exe
2300	reg.exe
2112	reg.exe
1744	reg.exe
3028	reg.exe
2688	reg.exe
3000	reg.exe
2512	reg.exe
2852	reg.exe
2364	reg.exe
2788	reg.exe
1264	reg.exe
2140	reg.exe
960	reg.exe
2288	reg.exe
320	reg.exe
2196	reg.exe
2768	reg.exe
2812	reg.exe
552	reg.exe
1992	reg.exe
2216	reg.exe
824	reg.exe
368	reg.exe
896	reg.exe
2932	reg.exe
640	reg.exe
2308	reg.exe
2684	reg.exe
876	reg.exe
472	reg.exe
2356	reg.exe
2708	reg.exe
2104	reg.exe
1568	reg.exe
952	reg.exe
2624	reg.exe
1740	reg.exe
1696	reg.exe
2164	reg.exe
1096	reg.exe
768	reg.exe
2104	reg.exe
2632	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1812	schtasks.exe
3012	schtasks.exe
2176	schtasks.exe
2012	schtasks.exe
2188	schtasks.exe
2304	schtasks.exe
1916	schtasks.exe
692	schtasks.exe
2664	schtasks.exe
2764	schtasks.exe
1268	schtasks.exe
2148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2060	bridgecontainerRef.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	portproviderperf.exe
Token: SeDebugPrivilege	1520	portproviderperf.exe
Token: SeDebugPrivilege	976	portproviderperf.exe
Token: SeDebugPrivilege	2060	bridgecontainerRef.exe
Token: SeDebugPrivilege	2504	bridgecontainerRef.exe
Token: SeDebugPrivilege	2776	portproviderperf.exe
Token: SeDebugPrivilege	2708	bridgecontainerRef.exe
Token: SeDebugPrivilege	924	portproviderperf.exe
Token: SeDebugPrivilege	2672	lsass.exe
Token: SeDebugPrivilege	2928	bridgecontainerRef.exe
Token: SeDebugPrivilege	2212	portproviderperf.exe
Token: SeDebugPrivilege	456	bridgecontainerRef.exe
Token: SeDebugPrivilege	2564	portproviderperf.exe
Token: SeDebugPrivilege	3060	bridgecontainerRef.exe
Token: SeDebugPrivilege	1756	portproviderperf.exe
Token: SeDebugPrivilege	2368	bridgecontainerRef.exe
Token: SeDebugPrivilege	1504	portproviderperf.exe
Token: SeDebugPrivilege	2504	portproviderperf.exe
Token: SeDebugPrivilege	584	bridgecontainerRef.exe
Token: SeDebugPrivilege	1052	bridgecontainerRef.exe
Token: SeDebugPrivilege	2076	portproviderperf.exe
Token: SeDebugPrivilege	1444	bridgecontainerRef.exe
Token: SeDebugPrivilege	952	portproviderperf.exe
Token: SeDebugPrivilege	1808	bridgecontainerRef.exe
Token: SeDebugPrivilege	2304	portproviderperf.exe
Token: SeDebugPrivilege	2196	bridgecontainerRef.exe
Token: SeDebugPrivilege	2176	portproviderperf.exe
Token: SeDebugPrivilege	2100	bridgecontainerRef.exe
Token: SeDebugPrivilege	2976	portproviderperf.exe
Token: SeDebugPrivilege	1552	bridgecontainerRef.exe
Token: SeDebugPrivilege	2456	portproviderperf.exe
Token: SeDebugPrivilege	2448	bridgecontainerRef.exe
Token: SeDebugPrivilege	2472	portproviderperf.exe
Token: SeDebugPrivilege	3056	bridgecontainerRef.exe
Token: SeDebugPrivilege	2404	portproviderperf.exe
Token: SeDebugPrivilege	2344	bridgecontainerRef.exe
Token: SeDebugPrivilege	940	portproviderperf.exe
Token: SeDebugPrivilege	2692	bridgecontainerRef.exe
Token: SeDebugPrivilege	2284	portproviderperf.exe
Token: SeDebugPrivilege	1756	bridgecontainerRef.exe
Token: SeDebugPrivilege	2484	portproviderperf.exe
Token: SeDebugPrivilege	2196	bridgecontainerRef.exe
Token: SeDebugPrivilege	1916	portproviderperf.exe
Token: SeDebugPrivilege	2748	bridgecontainerRef.exe
Token: SeDebugPrivilege	2992	portproviderperf.exe
Token: SeDebugPrivilege	1980	bridgecontainerRef.exe
Token: SeDebugPrivilege	1500	portproviderperf.exe
Token: SeDebugPrivilege	2544	bridgecontainerRef.exe
Token: SeDebugPrivilege	2728	portproviderperf.exe
Token: SeDebugPrivilege	1996	bridgecontainerRef.exe
Token: SeDebugPrivilege	552	portproviderperf.exe
Token: SeDebugPrivilege	1596	bridgecontainerRef.exe
Token: SeDebugPrivilege	2140	portproviderperf.exe
Token: SeDebugPrivilege	2456	bridgecontainerRef.exe
Token: SeDebugPrivilege	2188	portproviderperf.exe
Token: SeDebugPrivilege	1504	bridgecontainerRef.exe
Token: SeDebugPrivilege	1588	portproviderperf.exe
Token: SeDebugPrivilege	2828	bridgecontainerRef.exe
Token: SeDebugPrivilege	2624	portproviderperf.exe
Token: SeDebugPrivilege	1048	bridgecontainerRef.exe
Token: SeDebugPrivilege	1400	portproviderperf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 3064	2120	NursultanAlphaCrack.exe	29
PID 2120 wrote to memory of 3064	2120	NursultanAlphaCrack.exe	29
PID 2120 wrote to memory of 3064	2120	NursultanAlphaCrack.exe	29
PID 2120 wrote to memory of 2212	2120	NursultanAlphaCrack.exe	30
PID 2120 wrote to memory of 2212	2120	NursultanAlphaCrack.exe	30
PID 2120 wrote to memory of 2212	2120	NursultanAlphaCrack.exe	30
PID 2120 wrote to memory of 2212	2120	NursultanAlphaCrack.exe	30
PID 2120 wrote to memory of 2860	2120	NursultanAlphaCrack.exe	31
PID 2120 wrote to memory of 2860	2120	NursultanAlphaCrack.exe	31
PID 2120 wrote to memory of 2860	2120	NursultanAlphaCrack.exe	31
PID 2120 wrote to memory of 2860	2120	NursultanAlphaCrack.exe	31
PID 2860 wrote to memory of 2952	2860	Windows Driver Foundation.exe	32
PID 2860 wrote to memory of 2952	2860	Windows Driver Foundation.exe	32
PID 2860 wrote to memory of 2952	2860	Windows Driver Foundation.exe	32
PID 2860 wrote to memory of 2952	2860	Windows Driver Foundation.exe	32
PID 2212 wrote to memory of 1808	2212	RuntimeBroker.exe	33
PID 2212 wrote to memory of 1808	2212	RuntimeBroker.exe	33
PID 2212 wrote to memory of 1808	2212	RuntimeBroker.exe	33
PID 2212 wrote to memory of 1808	2212	RuntimeBroker.exe	33
PID 3064 wrote to memory of 2884	3064	NursultanAlphaCrack.exe	34
PID 3064 wrote to memory of 2884	3064	NursultanAlphaCrack.exe	34
PID 3064 wrote to memory of 2884	3064	NursultanAlphaCrack.exe	34
PID 3064 wrote to memory of 1984	3064	NursultanAlphaCrack.exe	35
PID 3064 wrote to memory of 1984	3064	NursultanAlphaCrack.exe	35
PID 3064 wrote to memory of 1984	3064	NursultanAlphaCrack.exe	35
PID 3064 wrote to memory of 1984	3064	NursultanAlphaCrack.exe	35
PID 3064 wrote to memory of 3056	3064	NursultanAlphaCrack.exe	36
PID 3064 wrote to memory of 3056	3064	NursultanAlphaCrack.exe	36
PID 3064 wrote to memory of 3056	3064	NursultanAlphaCrack.exe	36
PID 3064 wrote to memory of 3056	3064	NursultanAlphaCrack.exe	36
PID 1984 wrote to memory of 2592	1984	RuntimeBroker.exe	37
PID 1984 wrote to memory of 2592	1984	RuntimeBroker.exe	37
PID 1984 wrote to memory of 2592	1984	RuntimeBroker.exe	37
PID 1984 wrote to memory of 2592	1984	RuntimeBroker.exe	37
PID 3056 wrote to memory of 1348	3056	Windows Driver Foundation.exe	123
PID 3056 wrote to memory of 1348	3056	Windows Driver Foundation.exe	123
PID 3056 wrote to memory of 1348	3056	Windows Driver Foundation.exe	123
PID 3056 wrote to memory of 1348	3056	Windows Driver Foundation.exe	123
PID 2884 wrote to memory of 1648	2884	NursultanAlphaCrack.exe	39
PID 2884 wrote to memory of 1648	2884	NursultanAlphaCrack.exe	39
PID 2884 wrote to memory of 1648	2884	NursultanAlphaCrack.exe	39
PID 2884 wrote to memory of 664	2884	NursultanAlphaCrack.exe	40
PID 2884 wrote to memory of 664	2884	NursultanAlphaCrack.exe	40
PID 2884 wrote to memory of 664	2884	NursultanAlphaCrack.exe	40
PID 2884 wrote to memory of 664	2884	NursultanAlphaCrack.exe	40
PID 2884 wrote to memory of 2340	2884	NursultanAlphaCrack.exe	41
PID 2884 wrote to memory of 2340	2884	NursultanAlphaCrack.exe	41
PID 2884 wrote to memory of 2340	2884	NursultanAlphaCrack.exe	41
PID 2884 wrote to memory of 2340	2884	NursultanAlphaCrack.exe	41
PID 664 wrote to memory of 396	664	RuntimeBroker.exe	42
PID 664 wrote to memory of 396	664	RuntimeBroker.exe	42
PID 664 wrote to memory of 396	664	RuntimeBroker.exe	42
PID 664 wrote to memory of 396	664	RuntimeBroker.exe	42
PID 2340 wrote to memory of 1444	2340	Windows Driver Foundation.exe	43
PID 2340 wrote to memory of 1444	2340	Windows Driver Foundation.exe	43
PID 2340 wrote to memory of 1444	2340	Windows Driver Foundation.exe	43
PID 2340 wrote to memory of 1444	2340	Windows Driver Foundation.exe	43
PID 1808 wrote to memory of 432	1808	WScript.exe	44
PID 1808 wrote to memory of 432	1808	WScript.exe	44
PID 1808 wrote to memory of 432	1808	WScript.exe	44
PID 1808 wrote to memory of 432	1808	WScript.exe	44
PID 432 wrote to memory of 976	432	cmd.exe	46
PID 432 wrote to memory of 976	432	cmd.exe	46
PID 432 wrote to memory of 976	432	cmd.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
  "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
      "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
      4⤵
      PID:1648
    - - C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        5⤵
        
        PID:3004
      - C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        6⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        7⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        8⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        9⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        10⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        11⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        12⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        13⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        14⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        15⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        16⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        17⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        18⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        19⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        20⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        21⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        22⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        23⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        24⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        25⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        26⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        27⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        28⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        29⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        30⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        31⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        32⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        33⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        34⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        35⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        36⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        37⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        38⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        39⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        40⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        41⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        42⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        43⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        44⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        45⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        46⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        47⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        48⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        49⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        50⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        51⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        52⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        53⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        54⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        55⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        56⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        57⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        58⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        59⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        60⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        61⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        62⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        63⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        64⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        65⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        66⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        66⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        67⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        66⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        65⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        66⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        65⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        66⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        64⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        65⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        66⤵
        
        PID:1324
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        67⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        64⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        65⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        63⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        64⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        65⤵
        
        PID:1104
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        66⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        63⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        64⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        62⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        63⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        64⤵
        
        PID:236
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        65⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        62⤵
        
        PID:952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        63⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        64⤵
        
        PID:592
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        65⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        61⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        62⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        63⤵
        
        PID:2276
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        64⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        64⤵
        Modifies registry key
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        61⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        62⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        63⤵
        
        PID:2500
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        64⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        60⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        61⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        62⤵
        
        PID:2188
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        63⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        63⤵
        Modifies registry key
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        60⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        61⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        62⤵
        
        PID:1692
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        63⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        59⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        60⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        61⤵
        
        PID:1244
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        62⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        62⤵
        Modifies registry key
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        59⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        60⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        61⤵
        
        PID:1992
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        62⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        58⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        59⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        60⤵
        
        PID:2720
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        61⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        61⤵
        Modifies registry key
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        58⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        59⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        60⤵
        
        PID:3060
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        61⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        57⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        58⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        59⤵
        
        PID:2880
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        60⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        60⤵
        Modifies registry key
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        57⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        58⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        59⤵
        
        PID:2320
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        60⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        56⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        57⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        58⤵
        
        PID:2792
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        59⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        59⤵
        Modifies registry key
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        56⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        57⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        58⤵
        
        PID:1324
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        59⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        55⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        56⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        57⤵
        
        PID:2524
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        58⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        58⤵
        Modifies registry key
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        55⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        56⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        57⤵
        
        PID:1948
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        58⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        54⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        55⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        56⤵
        
        PID:2912
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        57⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        57⤵
        Modifies registry key
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        54⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        55⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        56⤵
        
        PID:1616
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        57⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        53⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        54⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        55⤵
        
        PID:2752
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        56⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        56⤵
        Modifies registry key
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        53⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        54⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        55⤵
        
        PID:1628
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        56⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        52⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        53⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        54⤵
        
        PID:844
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        55⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        55⤵
        Modifies registry key
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        52⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        53⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        54⤵
        
        PID:2396
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        55⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        51⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        52⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        53⤵
        
        PID:1620
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        54⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        54⤵
        Modifies registry key
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        51⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        52⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        53⤵
        
        PID:776
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        54⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        50⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        51⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        52⤵
        
        PID:2704
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        53⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        53⤵
        Modifies registry key
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        50⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        51⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        52⤵
        
        PID:916
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        53⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        49⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        50⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        51⤵
        
        PID:320
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        52⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        52⤵
        Modifies registry key
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        49⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        50⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        51⤵
        
        PID:2876
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        52⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        48⤵
        
        PID:844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        49⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        50⤵
        
        PID:2412
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        51⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        51⤵
        Modifies registry key
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        48⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        49⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        50⤵
        
        PID:768
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        51⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        47⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        48⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        49⤵
        
        PID:1604
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        50⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        50⤵
        Modifies registry key
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        47⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        48⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        49⤵
        
        PID:2916
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        50⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        46⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        47⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        48⤵
        
        PID:1288
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        49⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        49⤵
        Modifies registry key
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        46⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        47⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        48⤵
        
        PID:2912
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        49⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        45⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        46⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        47⤵
        
        PID:1624
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        48⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        48⤵
        Modifies registry key
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        45⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        46⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        47⤵
        
        PID:2100
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        48⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        44⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        45⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        46⤵
        
        PID:1148
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        47⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        47⤵
        Modifies registry key
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        44⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        45⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        46⤵
        
        PID:1688
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        47⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        43⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        44⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        45⤵
        
        PID:1568
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        46⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        46⤵
        Modifies registry key
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        43⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        44⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        45⤵
        
        PID:2196
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        46⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        42⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        43⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        44⤵
        
        PID:2840
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        45⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        45⤵
        Modifies registry key
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        42⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        43⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        44⤵
        
        PID:2704
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        45⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        41⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        42⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        43⤵
        
        PID:1544
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        44⤵
        
        PID:236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        44⤵
        Modifies registry key
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        41⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        42⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        43⤵
        
        PID:1724
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        44⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        40⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        41⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        42⤵
        
        PID:2552
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        43⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        43⤵
        Modifies registry key
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        40⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        41⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        42⤵
        
        PID:2232
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        43⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        39⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        40⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        41⤵
        
        PID:1932
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        42⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        42⤵
        Modifies registry key
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        39⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        40⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        41⤵
        
        PID:2256
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        42⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        38⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        39⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        40⤵
        
        PID:2532
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        41⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        41⤵
        Modifies registry key
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        38⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        39⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        40⤵
        
        PID:808
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        41⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        37⤵
        
        PID:972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        38⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        39⤵
        
        PID:968
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        40⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        40⤵
        Modifies registry key
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        37⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        38⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        39⤵
        
        PID:1100
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        40⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        36⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        37⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        38⤵
        
        PID:924
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        39⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        39⤵
        Modifies registry key
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        36⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        37⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        38⤵
        
        PID:2972
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        39⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        35⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        36⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        37⤵
        
        PID:2924
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        38⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        38⤵
        Modifies registry key
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        35⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        36⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        37⤵
        
        PID:1636
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        38⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        34⤵
        
        PID:948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        35⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        36⤵
        
        PID:1712
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        37⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        37⤵
        Modifies registry key
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        34⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        35⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        36⤵
        
        PID:2512
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        37⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        33⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        34⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        35⤵
        
        PID:2416
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        36⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        36⤵
        Modifies registry key
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        33⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        34⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        35⤵
        
        PID:2204
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        36⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        32⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        33⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        34⤵
        Loads dropped DLL
        
        PID:1308
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        35⤵
        Modifies registry key
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        34⤵
        
        PID:2448
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        35⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        31⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        32⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        33⤵
        Loads dropped DLL
        
        PID:2656
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        34⤵
        Modifies registry key
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        31⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        32⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        33⤵
        
        PID:2768
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        34⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        30⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        31⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        33⤵
        Modifies registry key
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        31⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        32⤵
        Loads dropped DLL
        
        PID:2972
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        29⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        30⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        31⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        32⤵
        Modifies registry key
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        29⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        30⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        31⤵
        Loads dropped DLL
        
        PID:1296
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        28⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        29⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        30⤵
        Loads dropped DLL
        
        PID:2548
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        31⤵
        Modifies registry key
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        28⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        29⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        28⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        29⤵
        Loads dropped DLL
        
        PID:1932
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        30⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        27⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        28⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        29⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        27⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        29⤵
        Modifies registry key
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        28⤵
        Loads dropped DLL
        
        PID:2092
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        26⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        27⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        28⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        25⤵
        
        PID:976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        27⤵
        Loads dropped DLL
        
        PID:2556
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        24⤵
        
        PID:776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        25⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        26⤵
        Loads dropped DLL
        
        PID:1608
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        27⤵
        Modifies registry key
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        24⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        25⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        26⤵
        Loads dropped DLL
        
        PID:2980
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        24⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        25⤵
        Loads dropped DLL
        
        PID:1692
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        26⤵
        Modifies registry key
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        24⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        25⤵
        Loads dropped DLL
        
        PID:1828
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        23⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        24⤵
        Loads dropped DLL
        
        PID:2548
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        25⤵
        Modifies registry key
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        22⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        21⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        22⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        24⤵
        Modifies registry key
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        21⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        22⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        20⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        23⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        20⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        21⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        22⤵
        Loads dropped DLL
        
        PID:1376
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        20⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        21⤵
        Loads dropped DLL
        
        PID:1500
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        22⤵
        Modifies registry key
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        19⤵
        
        PID:888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        20⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        21⤵
        Loads dropped DLL
        
        PID:2224
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        19⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        20⤵
        Loads dropped DLL
        
        PID:2204
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        21⤵
        Modifies registry key
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        20⤵
        Loads dropped DLL
        
        PID:2056
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        20⤵
        Modifies registry key
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        17⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        18⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        19⤵
        Loads dropped DLL
        
        PID:2660
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        17⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        18⤵
        Loads dropped DLL
        
        PID:2636
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        19⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        16⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        17⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        18⤵
        Loads dropped DLL
        
        PID:1096
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        16⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        18⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        15⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        16⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        17⤵
        Loads dropped DLL
        
        PID:1348
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        15⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        16⤵
        Loads dropped DLL
        
        PID:2676
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        17⤵
        Modifies registry key
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        16⤵
        Loads dropped DLL
        
        PID:1048
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        14⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        15⤵
        Loads dropped DLL
        
        PID:1592
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        16⤵
        Modifies registry key
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        14⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        15⤵
        Modifies registry key
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        13⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        14⤵
        Loads dropped DLL
        
        PID:3044
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        12⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        14⤵
        Modifies registry key
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        12⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        13⤵
        Loads dropped DLL
        
        PID:548
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        12⤵
        Loads dropped DLL
        
        PID:2696
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        13⤵
        Modifies registry key
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        11⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        10⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        11⤵
        Loads dropped DLL
        
        PID:572
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        12⤵
        Modifies registry key
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        9⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        10⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        11⤵
        Loads dropped DLL
        
        PID:1260
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        9⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        10⤵
        Loads dropped DLL
        
        PID:1800
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        8⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        9⤵
        Loads dropped DLL
        
        PID:1680
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        10⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        7⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        8⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        9⤵
        Loads dropped DLL
        
        PID:2264
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
      - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        
        PID:612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        7⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        8⤵
        Loads dropped DLL
        
        PID:796
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        9⤵
        Modifies registry key
        
        PID:2076
      - C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        6⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        7⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        8⤵
        Loads dropped DLL
        
        PID:2416
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
    - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        
        PID:2188
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        6⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        7⤵
        Loads dropped DLL
        
        PID:2548
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:968
    - - C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        7⤵
        Loads dropped DLL
        
        PID:2068
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        5⤵
        
        PID:396
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        6⤵
        Loads dropped DLL
        
        PID:1976
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        5⤵
        
        PID:1444
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
- - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2272
      - C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2512
- - C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1348
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1604
      - C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:1316
- C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
    3⤵
    PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
      4⤵
      Loads dropped DLL
      PID:996
    - - C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
      - C:\SurrogatewinDrivernetsvc\lsass.exe
        
        "C:\SurrogatewinDrivernetsvc\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\SurrogatewinDrivernetsvc\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\SurrogatewinDrivernetsvc\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\SurrogatewinDrivernetsvc\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgecontainerRefb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\bridgecontainerRef.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgecontainerRef" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\bridgecontainerRef.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgecontainerRefb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\bridgecontainerRef.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9457525651933192822956662896-186324817119128738911042121745865637154-196036765"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "480132136670022576-1697228980-1016274410-135680185-1683777370-898305016-1029668608"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1907239387-335387624-16074249401911796318-276715819111731014811495621017178529"
1⤵
PID:2396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "91654764816573942631329242468320690968-1518387896-20419196281037483907491209685"
1⤵
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1453659490997888553192214657-1281088609204436112514806175261511440224-383929866"
1⤵
PID:968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1026622664-1305522109-49445905-18387780031678357209-920698207-5030239931318402600"
1⤵
PID:2244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-893473203-2021684188-229321870949060103-1442887178-344165416601612202842372307"
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1685199099314165495-21911522612082060111084814708-1149139637-108479206196859289"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1089713123-1051853039-165881539511824713421003937685212369769-1667565421669479050"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1135527841058967111378582282-470521279-10400266122049630885-9198055221432666527"
1⤵
PID:824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-789440704-1299454499-16670100151421288445-34259701510308684651642277660-2021205635"
1⤵
PID:976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "693206690-548761931-7016095307243947432010168550-790598532-1532612384-1583782084"
1⤵
PID:552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-149509290923635830553283681-2080961686-170761160-438783798129419309819665871"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1602408755-869909412577003540-43464065-699094147-1879093814-15907689631660613234"
1⤵
PID:368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1884283736-12482375752057175821-1846563047149417047-8666484513897792231353581635"
1⤵
PID:1696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "70393648-13318395051117137975980111652-1699226120432003428-20204652081865968719"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7998479481786133340-37529300-633916063-808349141862348102-365521895-22465907"
1⤵
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2890745061092940730-1083414003-11778954151208506437-1714295836471272845-621366031"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "603210117-1104526081945012437-20221978611096616384-1554589670139396688890914966"
1⤵
PID:2140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "200073459844870184912666883724818967156052568811495741284170265391313921925"
1⤵
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "154569609917005608811068022906461191896-1448093637-1628655816-2046097991-1148786269"
1⤵
PID:1052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12803859661001911976-982678945797947144-180172267619556222251890319353-1216516440"
1⤵
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-71667489-2053895343-15424503072027702306-24771197014717187454540733541525154734"
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Containernet\RF2hvkHZrszbP0k.bat

Filesize
40B

MD5
a85467e4f1d1f99e96e9590c355d42f2

SHA1
398ac3ea16a11a8a2957a5ef4143d472e5cfc294

SHA256
046e64c151f66ef0f72682fa16c83309790478eeaa0d7621ea324b4221e85903

SHA512
1a718a6040863d596326d1a7e0f81307d69d1287c4b03767f1a83ebf31f860b3e2a545b44f358a47cac4500b4ecdf9e9c15f8ec46de7335606eaa72b7eaf672a

Download Submit
C:\Containernet\bridgecontainerRef.exe

Filesize
828KB

MD5
6afa3e281b7634f49b96825bb400bc5a

SHA1
fee8aa25a2db0a2eec530345a3955ab5c16050bf

SHA256
29e76ed158c096cd29f1b2d5fcfc838e1034ca2ea35ed66c51490f9bf409a7b1

SHA512
913cecf27e7b99c2b0326c1647a25ce71dd31af8f4e1854b6dc4acd4f87125455b7288b7f9e59d44512bc713a0e2941ddcf6395922af011a3aa71fb48ae2e605

Download Submit
C:\Containernet\r3KdEjt.vbe

Filesize
204B

MD5
8952fed62096fc946fc4ff2231ae0277

SHA1
437591c439dc3da24fbb7ca97cc57e2b37027183

SHA256
54c44a2c1291a654f1fe103fb47ba51e164a7d36221b28282ec01eba06ec5aa4

SHA512
5fd0750db4a66187736760347987108ba81caa3771d8c20dee3fec57b133c1b5b892a65c3e78b6e88958c308d7e98011ac4cb6af63c345b29882f72f75de3d12

Download Submit
C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe

Filesize
224B

MD5
5c864fca419a9f0dec15d73ec242077d

SHA1
e57ebd5f534ca0535960d156eb7c4c3b44c503b5

SHA256
22c51d8cef10cf4075e704eb50e774b4bba1ff8913746487650c9d242789fe10

SHA512
d0cc0b8feb2a99e88d09cfc224d99215ebcae5902c971c9bd4ab0987a1d9e682e4bac8d8d6f7c64fd2c930463bb8201e5353c577643aff9b58cd982eeeb5fe5f

Download Submit
C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat

Filesize
162B

MD5
e01ef91219b266b14d1ae415d30256d5

SHA1
cad006a2efee48fcad1166e7ce3bc118ff139808

SHA256
db58b3dde8508ecbe59d938545246355b52d9cdec29f76657b66638c4d7aeeb2

SHA512
7826ca4bda02431bff87c7c72bd1ea53bc769b8574302a37445318360326e5a89e309c35dbc8f9981ec35c5067b4a459195b78d0289f5d93f6ec54be4c3f1e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
3.0MB

MD5
101ba015a44ffb0f1a61dcafa9ca152c

SHA1
c29e1af8daa1dee8bf04b221e9e5551889229236

SHA256
a5cd4b6a4ea887e69a01856df8b1e58887860dfb0041e60e768c988cc1e5ec8b

SHA512
f3ddf2005433e9f248dd7a6ea4fd10446f9e3c3c8b1eede306e253c86d6155e7448a6e10f87336996e87ef52f3dd21bb988733234a8788516edd7da0fd192b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe

Filesize
1.1MB

MD5
ee4839dcc8cf148ce959f4d238f5d696

SHA1
ea27026af975bf81febf24f872b722c19544c0be

SHA256
e0663c567d2eb0a820e22f4f2cf2a728c911e14dbb5aa054e6d24904b4e3ca4e

SHA512
65cbba7b3c2f89a95a38e9e21386084d6fb57162ed34010feae03cb00051537663cfc78475810b123427db6e063a53a9b08170f5aed869d34fd4295c84021093

Download Submit
\SurrogatewinDrivernetsvc\portproviderperf.exe

Filesize
2.7MB

MD5
13a959a83b29024a74822f39005c6bf5

SHA1
5d5e1b1392f1bea34e44a08114ee2fd22cb7cdc9

SHA256
51ae7d669eb7c34c9390685b0fd2db522d9ba244ead6021523e608009821601e

SHA512
2492bb129ab89b5fcd33bb9c19b1765fc7e10cb9de3e00419e1aa4d3807c14f9eaa842115670529604d62cd5b5ca274d93d5288c88cf6eda7ce4c378e71cbf72

Download Submit
memory/976-63-0x00000000011F0000-0x00000000014A6000-memory.dmp

Filesize
2.7MB

Download
memory/1520-100-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/2060-97-0x0000000000C20000-0x0000000000CF6000-memory.dmp

Filesize
856KB

Download
memory/2120-16-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-9-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-0-0x000007FEF6533000-0x000007FEF6534000-memory.dmp

Filesize
4KB

Download
memory/2120-1-0x000000013F1A0000-0x000000013F4FE000-memory.dmp

Filesize
3.4MB

Download
memory/2172-317-0x0000000077BA0000-0x0000000077C9A000-memory.dmp

Filesize
1000KB

Download
memory/2172-319-0x0000000075380000-0x00000000753AE000-memory.dmp

Filesize
184KB

Download
memory/2172-318-0x0000000000870000-0x0000000000910000-memory.dmp

Filesize
640KB

Download
memory/2172-516-0x0000000077A80000-0x0000000077B9F000-memory.dmp

Filesize
1.1MB

Download
memory/2172-520-0x00000000024C0000-0x00000000024E6000-memory.dmp

Filesize
152KB

Download
memory/2172-519-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/2172-518-0x00000000023D0000-0x000000000252C000-memory.dmp

Filesize
1.4MB

Download
memory/2172-517-0x0000000077BA0000-0x0000000077C9A000-memory.dmp

Filesize
1000KB

Download
memory/2672-145-0x0000000000310000-0x00000000003E6000-memory.dmp

Filesize
856KB

Download
memory/3064-13-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-44-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp

Filesize
9.9MB

Download