dcrat | 61863e7d60ce62d9f81bd9a138e1fcd3f0a4344340c2f9922908719a737dbb5d

Analysis

max time kernel
66s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanAlphaCrack.exe
Size

3.4MB
MD5

833fa3b83aa9acbef18b37d69f775b30
SHA1

0d8bd9fef095137b5e879fb6a93b1b0bf17e5cb6
SHA256

61863e7d60ce62d9f81bd9a138e1fcd3f0a4344340c2f9922908719a737dbb5d
SHA512

4e4beba0fa0b32a3d9c386c53471b9f6634715543a639926c5a1b7e7137f70ac27cda146dca120b5ebba40ac592f4b0f2dcfb85964d2c9151c4b641bee044c87
SSDEEP

49152:vMpBCM5f3l+R7eTma4aSE3U3WoalKVnZK0FImmOhJe8DbRhf1+ljL3BPhbIscphW:vMp8MBV+R7QKBralse+Lf8bIxwHw1DI

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	5084	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	5084	schtasks.exe	100

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000e00000001d9ab-6.dat	dcrat
behavioral2/files/0x000b00000002335a-13.dat	dcrat
behavioral2/files/0x000700000002341c-74.dat	dcrat
behavioral2/memory/2088-76-0x0000000000CD0000-0x0000000000F86000-memory.dmp	dcrat
behavioral2/files/0x0007000000023418-98.dat	dcrat
behavioral2/memory/4844-100-0x0000000000F70000-0x0000000001046000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Windows Driver Foundation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Windows Driver Foundation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Windows Driver Foundation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Windows Driver Foundation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Windows Driver Foundation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Windows Driver Foundation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Windows Driver Foundation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Windows Driver Foundation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Windows Driver Foundation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.exe

Executes dropped EXE 64 IoCs

pid	Process
724	RuntimeBroker.exe
536	Windows Driver Foundation.exe
920	RuntimeBroker.exe
4648	Windows Driver Foundation.exe
396	RuntimeBroker.exe
1344	Windows Driver Foundation.exe
2088	portproviderperf.exe
1180	portproviderperf.exe
4652	RuntimeBroker.exe
724	Windows Driver Foundation.exe
4844	bridgecontainerRef.exe
1768	RuntimeBroker.exe
1520	Windows Driver Foundation.exe
5028	portproviderperf.exe
4728	bridgecontainerRef.exe
2400	portproviderperf.exe
1124	RuntimeBroker.exe
2484	Windows Driver Foundation.exe
3432	fontdrvhost.exe
1120	portproviderperf.exe
2884	bridgecontainerRef.exe
3176	RuntimeBroker.exe
1864	Windows Driver Foundation.exe
4852	bridgecontainerRef.exe
3632	portproviderperf.exe
1064	RuntimeBroker.exe
5068	Windows Driver Foundation.exe
4580	bridgecontainerRef.exe
2648	portproviderperf.exe
4232	RuntimeBroker.exe
2088	Windows Driver Foundation.exe
3820	bridgecontainerRef.exe
4164	portproviderperf.exe
4336	RuntimeBroker.exe
3628	Windows Driver Foundation.exe
2828	bridgecontainerRef.exe
4500	portproviderperf.exe
4900	RuntimeBroker.exe
4652	Windows Driver Foundation.exe
1876	bridgecontainerRef.exe
2768	portproviderperf.exe
4664	RuntimeBroker.exe
2924	Windows Driver Foundation.exe
4044	portproviderperf.exe
3676	bridgecontainerRef.exe
780	RuntimeBroker.exe
5024	Windows Driver Foundation.exe
916	portproviderperf.exe
3580	bridgecontainerRef.exe
3536	RuntimeBroker.exe
1684	Windows Driver Foundation.exe
1516	bridgecontainerRef.exe
1856	portproviderperf.exe
1180	RuntimeBroker.exe
4500	Windows Driver Foundation.exe
648	bridgecontainerRef.exe
4364	portproviderperf.exe
1708	RuntimeBroker.exe
1180	Windows Driver Foundation.exe
2120	bridgecontainerRef.exe
2240	portproviderperf.exe
2400	RuntimeBroker.exe
4944	Windows Driver Foundation.exe
2520	bridgecontainerRef.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\ja-JP\OfficeClickToRun.exe	bridgecontainerRef.exe
File created	C:\Program Files\Internet Explorer\ja-JP\e6c9b481da804f	bridgecontainerRef.exe
File created	C:\Program Files\Mozilla Firefox\browser\cc11b995f2a76d	bridgecontainerRef.exe
File created	C:\Program Files\Uninstall Information\RuntimeBroker.exe	bridgecontainerRef.exe
File created	C:\Program Files\Uninstall Information\9e8d7a4ca61bd9	bridgecontainerRef.exe
File created	C:\Program Files\WindowsApps\taskhostw.exe	bridgecontainerRef.exe
File created	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	bridgecontainerRef.exe
File created	C:\Program Files (x86)\Windows NT\RuntimeBroker.exe	bridgecontainerRef.exe
File created	C:\Program Files (x86)\Windows Mail\5b884080fd4f94	bridgecontainerRef.exe
File created	C:\Program Files (x86)\Windows NT\9e8d7a4ca61bd9	bridgecontainerRef.exe
File created	C:\Program Files\Mozilla Firefox\browser\winlogon.exe	bridgecontainerRef.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Provisioning\Autopilot\9e8d7a4ca61bd9	bridgecontainerRef.exe
File created	C:\Windows\security\database\explorer.exe	bridgecontainerRef.exe
File created	C:\Windows\security\database\7a0fd90576e088	bridgecontainerRef.exe
File created	C:\Windows\Globalization\Sorting\WmiPrvSE.exe	bridgecontainerRef.exe
File created	C:\Windows\Globalization\Sorting\24dbde2999530e	bridgecontainerRef.exe
File created	C:\Windows\GameBarPresenceWriter\dwm.exe	bridgecontainerRef.exe
File created	C:\Windows\GameBarPresenceWriter\6cb0b6c459d5d3	bridgecontainerRef.exe
File created	C:\Windows\Provisioning\Autopilot\RuntimeBroker.exe	bridgecontainerRef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Driver Foundation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

Modifies registry class 56 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	Windows Driver Foundation.exe

Modifies registry key 1 TTPs 60 IoCs

Modify Registry

T1112

pid	Process
1856	reg.exe
4384	reg.exe
3420	reg.exe
4184	reg.exe
4292	reg.exe
5068	reg.exe
648	reg.exe
848	reg.exe
1064	reg.exe
2572	reg.exe
2692	reg.exe
1636	reg.exe
5024	reg.exe
2280	reg.exe
2264	reg.exe
324	reg.exe
2644	reg.exe
208	reg.exe
3652	reg.exe
4012	reg.exe
3028	reg.exe
3028	reg.exe
2520	reg.exe
1960	reg.exe
2156	reg.exe
3512	reg.exe
5112	reg.exe
3216	reg.exe
5104	reg.exe
3812	reg.exe
3820	reg.exe
3416	reg.exe
4728	reg.exe
1548	reg.exe
3928	reg.exe
2908	reg.exe
2088	reg.exe
2748	reg.exe
644	reg.exe
3340	reg.exe
2948	reg.exe
2224	reg.exe
3164	reg.exe
3064	reg.exe
1704	reg.exe
3632	reg.exe
4396	reg.exe
684	reg.exe
1692	reg.exe
2464	reg.exe
1048	reg.exe
612	reg.exe
3496	reg.exe
2636	reg.exe
4100	reg.exe
1704	reg.exe
388	reg.exe
4984	reg.exe
2632	reg.exe
4664	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3588	schtasks.exe
920	schtasks.exe
2376	schtasks.exe
4336	schtasks.exe
2460	schtasks.exe
3444	schtasks.exe
2244	schtasks.exe
3176	schtasks.exe
1864	schtasks.exe
2376	schtasks.exe
2644	schtasks.exe
1928	schtasks.exe
4516	schtasks.exe
4996	schtasks.exe
536	schtasks.exe
1856	schtasks.exe
4356	schtasks.exe
4644	schtasks.exe
2268	schtasks.exe
1424	schtasks.exe
396	schtasks.exe
956	schtasks.exe
608	schtasks.exe
2524	schtasks.exe
3048	schtasks.exe
780	schtasks.exe
1208	schtasks.exe
2448	schtasks.exe
4468	schtasks.exe
1864	schtasks.exe
3684	schtasks.exe
840	schtasks.exe
3404	schtasks.exe
4460	schtasks.exe
4256	schtasks.exe
3536	schtasks.exe
3048	schtasks.exe
4384	schtasks.exe
1120	schtasks.exe
4492	schtasks.exe
2004	schtasks.exe
624	schtasks.exe
4900	schtasks.exe
1888	schtasks.exe
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4844	bridgecontainerRef.exe
4844	bridgecontainerRef.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	portproviderperf.exe
Token: SeDebugPrivilege	1180	portproviderperf.exe
Token: SeDebugPrivilege	4844	bridgecontainerRef.exe
Token: SeDebugPrivilege	5028	portproviderperf.exe
Token: SeDebugPrivilege	4728	bridgecontainerRef.exe
Token: SeDebugPrivilege	2400	portproviderperf.exe
Token: SeDebugPrivilege	3432	fontdrvhost.exe
Token: SeDebugPrivilege	1120	portproviderperf.exe
Token: SeDebugPrivilege	2884	bridgecontainerRef.exe
Token: SeDebugPrivilege	4852	bridgecontainerRef.exe
Token: SeDebugPrivilege	3632	portproviderperf.exe
Token: SeDebugPrivilege	4580	bridgecontainerRef.exe
Token: SeDebugPrivilege	2648	portproviderperf.exe
Token: SeDebugPrivilege	3820	bridgecontainerRef.exe
Token: SeDebugPrivilege	4164	portproviderperf.exe
Token: SeDebugPrivilege	2828	bridgecontainerRef.exe
Token: SeDebugPrivilege	4500	portproviderperf.exe
Token: SeDebugPrivilege	1876	bridgecontainerRef.exe
Token: SeDebugPrivilege	2768	portproviderperf.exe
Token: SeDebugPrivilege	4044	portproviderperf.exe
Token: SeDebugPrivilege	3676	bridgecontainerRef.exe
Token: SeDebugPrivilege	916	portproviderperf.exe
Token: SeDebugPrivilege	3580	bridgecontainerRef.exe
Token: SeDebugPrivilege	1516	bridgecontainerRef.exe
Token: SeDebugPrivilege	1856	portproviderperf.exe
Token: SeDebugPrivilege	648	bridgecontainerRef.exe
Token: SeDebugPrivilege	4364	portproviderperf.exe
Token: SeDebugPrivilege	2120	bridgecontainerRef.exe
Token: SeDebugPrivilege	2240	portproviderperf.exe
Token: SeDebugPrivilege	2520	bridgecontainerRef.exe
Token: SeDebugPrivilege	264	portproviderperf.exe
Token: SeDebugPrivilege	1280	bridgecontainerRef.exe
Token: SeDebugPrivilege	1552	portproviderperf.exe
Token: SeDebugPrivilege	1516	bridgecontainerRef.exe
Token: SeDebugPrivilege	4508	portproviderperf.exe
Token: SeDebugPrivilege	2328	bridgecontainerRef.exe
Token: SeDebugPrivilege	2572	portproviderperf.exe
Token: SeDebugPrivilege	1860	bridgecontainerRef.exe
Token: SeDebugPrivilege	208	portproviderperf.exe
Token: SeDebugPrivilege	608	bridgecontainerRef.exe
Token: SeDebugPrivilege	4996	portproviderperf.exe
Token: SeDebugPrivilege	4084	bridgecontainerRef.exe
Token: SeDebugPrivilege	4448	portproviderperf.exe
Token: SeDebugPrivilege	876	bridgecontainerRef.exe
Token: SeDebugPrivilege	4936	portproviderperf.exe
Token: SeDebugPrivilege	4532	bridgecontainerRef.exe
Token: SeDebugPrivilege	2792	portproviderperf.exe
Token: SeDebugPrivilege	1888	bridgecontainerRef.exe
Token: SeDebugPrivilege	2904	portproviderperf.exe
Token: SeDebugPrivilege	2888	bridgecontainerRef.exe
Token: SeDebugPrivilege	2768	portproviderperf.exe
Token: SeDebugPrivilege	5116	bridgecontainerRef.exe
Token: SeDebugPrivilege	1712	portproviderperf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 2464	3116	NursultanAlphaCrack.exe	87
PID 3116 wrote to memory of 2464	3116	NursultanAlphaCrack.exe	87
PID 3116 wrote to memory of 724	3116	NursultanAlphaCrack.exe	88
PID 3116 wrote to memory of 724	3116	NursultanAlphaCrack.exe	88
PID 3116 wrote to memory of 724	3116	NursultanAlphaCrack.exe	88
PID 3116 wrote to memory of 536	3116	NursultanAlphaCrack.exe	89
PID 3116 wrote to memory of 536	3116	NursultanAlphaCrack.exe	89
PID 3116 wrote to memory of 536	3116	NursultanAlphaCrack.exe	89
PID 536 wrote to memory of 3852	536	Windows Driver Foundation.exe	90
PID 536 wrote to memory of 3852	536	Windows Driver Foundation.exe	90
PID 536 wrote to memory of 3852	536	Windows Driver Foundation.exe	90
PID 724 wrote to memory of 4028	724	RuntimeBroker.exe	91
PID 724 wrote to memory of 4028	724	RuntimeBroker.exe	91
PID 724 wrote to memory of 4028	724	RuntimeBroker.exe	91
PID 2464 wrote to memory of 2108	2464	NursultanAlphaCrack.exe	94
PID 2464 wrote to memory of 2108	2464	NursultanAlphaCrack.exe	94
PID 2464 wrote to memory of 920	2464	NursultanAlphaCrack.exe	182
PID 2464 wrote to memory of 920	2464	NursultanAlphaCrack.exe	182
PID 2464 wrote to memory of 920	2464	NursultanAlphaCrack.exe	182
PID 2464 wrote to memory of 4648	2464	NursultanAlphaCrack.exe	96
PID 2464 wrote to memory of 4648	2464	NursultanAlphaCrack.exe	96
PID 2464 wrote to memory of 4648	2464	NursultanAlphaCrack.exe	96
PID 920 wrote to memory of 1788	920	RuntimeBroker.exe	98
PID 920 wrote to memory of 1788	920	RuntimeBroker.exe	98
PID 920 wrote to memory of 1788	920	RuntimeBroker.exe	98
PID 4648 wrote to memory of 4980	4648	Windows Driver Foundation.exe	99
PID 4648 wrote to memory of 4980	4648	Windows Driver Foundation.exe	99
PID 4648 wrote to memory of 4980	4648	Windows Driver Foundation.exe	99
PID 2108 wrote to memory of 2524	2108	NursultanAlphaCrack.exe	174
PID 2108 wrote to memory of 2524	2108	NursultanAlphaCrack.exe	174
PID 2108 wrote to memory of 396	2108	NursultanAlphaCrack.exe	134
PID 2108 wrote to memory of 396	2108	NursultanAlphaCrack.exe	134
PID 2108 wrote to memory of 396	2108	NursultanAlphaCrack.exe	134
PID 2108 wrote to memory of 1344	2108	NursultanAlphaCrack.exe	103
PID 2108 wrote to memory of 1344	2108	NursultanAlphaCrack.exe	103
PID 2108 wrote to memory of 1344	2108	NursultanAlphaCrack.exe	103
PID 4028 wrote to memory of 2924	4028	WScript.exe	104
PID 4028 wrote to memory of 2924	4028	WScript.exe	104
PID 4028 wrote to memory of 2924	4028	WScript.exe	104
PID 2924 wrote to memory of 2088	2924	cmd.exe	221
PID 2924 wrote to memory of 2088	2924	cmd.exe	221
PID 396 wrote to memory of 1856	396	RuntimeBroker.exe	162
PID 396 wrote to memory of 1856	396	RuntimeBroker.exe	162
PID 396 wrote to memory of 1856	396	RuntimeBroker.exe	162
PID 1344 wrote to memory of 552	1344	Windows Driver Foundation.exe	109
PID 1344 wrote to memory of 552	1344	Windows Driver Foundation.exe	109
PID 1344 wrote to memory of 552	1344	Windows Driver Foundation.exe	109
PID 1788 wrote to memory of 632	1788	WScript.exe	110
PID 1788 wrote to memory of 632	1788	WScript.exe	110
PID 1788 wrote to memory of 632	1788	WScript.exe	110
PID 2524 wrote to memory of 4736	2524	NursultanAlphaCrack.exe	112
PID 2524 wrote to memory of 4736	2524	NursultanAlphaCrack.exe	112
PID 632 wrote to memory of 1180	632	cmd.exe	213
PID 632 wrote to memory of 1180	632	cmd.exe	213
PID 2524 wrote to memory of 4652	2524	NursultanAlphaCrack.exe	245
PID 2524 wrote to memory of 4652	2524	NursultanAlphaCrack.exe	245
PID 2524 wrote to memory of 4652	2524	NursultanAlphaCrack.exe	245
PID 2524 wrote to memory of 724	2524	NursultanAlphaCrack.exe	115
PID 2524 wrote to memory of 724	2524	NursultanAlphaCrack.exe	115
PID 2524 wrote to memory of 724	2524	NursultanAlphaCrack.exe	115
PID 2924 wrote to memory of 1692	2924	cmd.exe	116
PID 2924 wrote to memory of 1692	2924	cmd.exe	116
PID 2924 wrote to memory of 1692	2924	cmd.exe	116
PID 724 wrote to memory of 1860	724	Windows Driver Foundation.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
  "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
      "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        5⤵
        Checks computer location settings
        
        PID:4736
      - C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        6⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        7⤵
        Checks computer location settings
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        8⤵
        Checks computer location settings
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        9⤵
        Checks computer location settings
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        10⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        11⤵
        Checks computer location settings
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        12⤵
        Checks computer location settings
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        13⤵
        Checks computer location settings
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        14⤵
        Checks computer location settings
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        15⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        16⤵
        Checks computer location settings
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        17⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        18⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        19⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        20⤵
        Checks computer location settings
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        21⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        22⤵
        Checks computer location settings
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        23⤵
        Checks computer location settings
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        24⤵
        Checks computer location settings
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        25⤵
        Checks computer location settings
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        26⤵
        Checks computer location settings
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        27⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        28⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        29⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        30⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        31⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        32⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        33⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        34⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        35⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        36⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        37⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        38⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        39⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        40⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        41⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        42⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        43⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        44⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        45⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        46⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        47⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        48⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        49⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        50⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        51⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        52⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        53⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        54⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        55⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        56⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        57⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        58⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        59⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        60⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        61⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        62⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        63⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        64⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        65⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        66⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.exe"
        67⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        66⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        67⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        66⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        67⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        65⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        66⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        67⤵
        
        PID:1600
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        68⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        65⤵
        
        PID:552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        66⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        64⤵
        
        PID:688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        65⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        66⤵
        
        PID:2744
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        67⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        64⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        65⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        63⤵
        
        PID:812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        64⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        65⤵
        
        PID:4432
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        66⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        63⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        64⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        65⤵
        
        PID:3216
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        66⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        62⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        63⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        64⤵
        
        PID:5088
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        65⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        62⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        63⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        64⤵
        
        PID:4560
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        65⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        61⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        62⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        63⤵
        
        PID:2380
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        64⤵
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        64⤵
        Modifies registry key
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        61⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        62⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        63⤵
        
        PID:4184
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        64⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        60⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        61⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        62⤵
        
        PID:2928
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        63⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        63⤵
        Modifies registry key
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        60⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        61⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        62⤵
        
        PID:2820
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        63⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        59⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        60⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        61⤵
        
        PID:4352
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        62⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        62⤵
        Modifies registry key
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        59⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        60⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        61⤵
        
        PID:3616
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        62⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        58⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        59⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        60⤵
        
        PID:2904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3020
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        61⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        61⤵
        Modifies registry key
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        58⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        59⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        60⤵
        
        PID:2228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:1992
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        61⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        57⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        58⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        59⤵
        
        PID:1704
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        60⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        60⤵
        Modifies registry key
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        57⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        58⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        59⤵
        
        PID:1132
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        60⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        56⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        57⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        58⤵
        
        PID:4500
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        59⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        59⤵
        Modifies registry key
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        56⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        57⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        58⤵
        
        PID:4180
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        59⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        55⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        56⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        57⤵
        
        PID:2948
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        58⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        58⤵
        Modifies registry key
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        55⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        56⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        57⤵
        
        PID:3536
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        58⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        54⤵
        
        PID:404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        55⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        56⤵
        
        PID:744
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        57⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        57⤵
        Modifies registry key
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        54⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        55⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        56⤵
        
        PID:3108
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        57⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        53⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        54⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        55⤵
        
        PID:1076
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        56⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        56⤵
        Modifies registry key
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        53⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        54⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        55⤵
        
        PID:3616
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        56⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        52⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        53⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        54⤵
        
        PID:4108
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        55⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        55⤵
        Modifies registry key
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        52⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        53⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        54⤵
        
        PID:3728
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        55⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        51⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        52⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        53⤵
        
        PID:392
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        54⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        54⤵
        Modifies registry key
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        51⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        52⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        53⤵
        
        PID:916
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        54⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        50⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        51⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        52⤵
        
        PID:4372
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        53⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        53⤵
        Modifies registry key
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        50⤵
        
        PID:900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        51⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        52⤵
        
        PID:3904
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        53⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        49⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        50⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        51⤵
        
        PID:4048
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        52⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        52⤵
        Modifies registry key
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        49⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        50⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        51⤵
        
        PID:4888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:264
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        52⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        48⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        49⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        50⤵
        
        PID:324
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        51⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        51⤵
        Modifies registry key
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        48⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        49⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        50⤵
        
        PID:3964
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        51⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        47⤵
        
        PID:932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        48⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        49⤵
        
        PID:4976
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        50⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        50⤵
        Modifies registry key
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        47⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        48⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        49⤵
        
        PID:4580
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        50⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        46⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        47⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        48⤵
        
        PID:2000
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        49⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        49⤵
        Modifies registry key
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        46⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        47⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        48⤵
        
        PID:4516
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        49⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        45⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        46⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        47⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:4508
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        48⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        48⤵
        Modifies registry key
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        45⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        46⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        47⤵
        
        PID:1416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:3652
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        48⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        44⤵
        
        PID:632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        45⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        46⤵
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2276
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        47⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        47⤵
        Modifies registry key
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        44⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        45⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        46⤵
        
        PID:2268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:208
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        47⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        43⤵
        
        PID:764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        44⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        45⤵
        
        PID:2788
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        46⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        46⤵
        Modifies registry key
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        43⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        44⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        45⤵
        
        PID:5104
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        46⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        42⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        43⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        44⤵
        
        PID:4004
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        45⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        45⤵
        Modifies registry key
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        42⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        43⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        44⤵
        
        PID:1360
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        45⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        41⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        42⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        43⤵
        
        PID:1072
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        44⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        44⤵
        Modifies registry key
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        41⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        42⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        43⤵
        
        PID:968
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        44⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        40⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        41⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        42⤵
        
        PID:2884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1684
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        43⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        43⤵
        Modifies registry key
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        40⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        41⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        42⤵
        
        PID:5064
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        43⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        39⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        40⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        41⤵
        
        PID:1692
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        42⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        42⤵
        Modifies registry key
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        39⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        40⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        41⤵
        
        PID:3676
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        42⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        38⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        39⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        40⤵
        
        PID:2448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4996
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        41⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        41⤵
        Modifies registry key
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        38⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        39⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        40⤵
        
        PID:608
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        41⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        37⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        38⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        39⤵
        
        PID:2980
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        40⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        40⤵
        Modifies registry key
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        37⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        38⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        39⤵
        
        PID:2212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:3624
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        40⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        36⤵
        
        PID:392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        37⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        38⤵
        
        PID:2744
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        39⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        39⤵
        Modifies registry key
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        36⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        37⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        38⤵
        
        PID:2456
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        39⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        35⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        36⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        37⤵
        
        PID:2636
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        38⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        38⤵
        Modifies registry key
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        35⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        36⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        37⤵
        
        PID:4864
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        38⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        34⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        35⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        36⤵
        
        PID:4432
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        37⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        37⤵
        Modifies registry key
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        34⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        35⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        36⤵
        
        PID:388
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        37⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        33⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        34⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        35⤵
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:4532
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        36⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        36⤵
        Modifies registry key
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        33⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        34⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        35⤵
        
        PID:1888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:4944
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        36⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        32⤵
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        33⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        34⤵
        
        PID:644
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        35⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        35⤵
        Modifies registry key
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        32⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        33⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        34⤵
        
        PID:3376
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        35⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        31⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        32⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        33⤵
        
        PID:2796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:2924
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        34⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        34⤵
        Modifies registry key
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        31⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        32⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        33⤵
        
        PID:2252
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        34⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        30⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        31⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        32⤵
        
        PID:2828
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        33⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        33⤵
        Modifies registry key
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        30⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        31⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        32⤵
        
        PID:2380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:876
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        33⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        29⤵
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        30⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        31⤵
        
        PID:1868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:3580
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        32⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        32⤵
        Modifies registry key
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        29⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        30⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        31⤵
        
        PID:1960
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        32⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        28⤵
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        29⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        30⤵
        
        PID:2664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:1280
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        31⤵
        Modifies registry key
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        28⤵
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        29⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        30⤵
        
        PID:4728
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        31⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        27⤵
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        29⤵
        
        PID:4100
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        30⤵
        Modifies registry key
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        27⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        28⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        29⤵
        
        PID:2284
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        30⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        26⤵
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        27⤵
        Checks computer location settings
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:3068
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        29⤵
        Modifies registry key
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        26⤵
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        27⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        28⤵
        
        PID:1992
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        25⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        26⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        27⤵
        
        PID:4020
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        28⤵
        Modifies registry key
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        25⤵
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        26⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        27⤵
        
        PID:2404
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        25⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        27⤵
        Modifies registry key
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        24⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        25⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        26⤵
        
        PID:3820
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        23⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        24⤵
        Checks computer location settings
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        26⤵
        Modifies registry key
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        23⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        25⤵
        
        PID:752
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        23⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:4768
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        25⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        22⤵
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        23⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        24⤵
        
        PID:4544
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        21⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        22⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        23⤵
        
        PID:2120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:1940
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        24⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        21⤵
        Checks computer location settings
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        20⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        21⤵
        Checks computer location settings
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        22⤵
        
        PID:2524
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        23⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        20⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        21⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:780
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        19⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        20⤵
        Checks computer location settings
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        22⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        19⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        20⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        19⤵
        Checks computer location settings
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        20⤵
        
        PID:3148
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        21⤵
        Modifies registry key
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        19⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        18⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        19⤵
        
        PID:1372
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        20⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        19⤵
        
        PID:460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:1624
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        17⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        18⤵
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:3632
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        19⤵
        Modifies registry key
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        17⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        18⤵
        
        PID:1812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:3036
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:2880
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        18⤵
        Modifies registry key
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        16⤵
        Checks computer location settings
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        17⤵
        
        PID:4048
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        16⤵
        
        PID:4560
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        17⤵
        Modifies registry key
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        15⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        16⤵
        
        PID:4612
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        14⤵
        Checks computer location settings
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        16⤵
        Modifies registry key
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        14⤵
        Checks computer location settings
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        13⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        15⤵
        Modifies registry key
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        13⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        12⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        13⤵
        
        PID:688
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        14⤵
        Modifies registry key
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        12⤵
        Checks computer location settings
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        13⤵
        
        PID:1940
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        11⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        12⤵
        
        PID:1752
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        13⤵
        Modifies registry key
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        11⤵
        Checks computer location settings
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4168
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        10⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        12⤵
        Modifies registry key
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        10⤵
        Checks computer location settings
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        9⤵
        Checks computer location settings
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:8
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        9⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        10⤵
        
        PID:2448
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        8⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2000
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        10⤵
        Modifies registry key
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
      - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        7⤵
        Checks computer location settings
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        8⤵
        
        PID:2240
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        9⤵
        Modifies registry key
        
        PID:1704
      - C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        8⤵
        
        PID:4240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1180
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
    - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4652
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        6⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        7⤵
        
        PID:4168
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2636
    - - C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        6⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
        5⤵
        
        PID:1856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
        5⤵
        
        PID:552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        6⤵
        
        PID:4788
        
        C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
- - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:5024
- - C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
      4⤵
      PID:4980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
        5⤵
        
        PID:1152
      - C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\SurrogatewinDrivernetsvc\portproviderperf.exe
        
        "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:1692
- C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Containernet\r3KdEjt.vbe"
    3⤵
    - Checks computer location settings
    PID:3852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Containernet\RF2hvkHZrszbP0k.bat" "
      4⤵
      PID:4808
    - - C:\Containernet\bridgecontainerRef.exe
        
        "C:\Containernet\bridgecontainerRef.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
      - C:\SurrogatewinDrivernetsvc\fontdrvhost.exe
        
        "C:\SurrogatewinDrivernetsvc\fontdrvhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\security\database\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\security\database\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\security\database\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Containernet\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Containernet\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Containernet\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\SurrogatewinDrivernetsvc\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\SurrogatewinDrivernetsvc\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\SurrogatewinDrivernetsvc\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\Sorting\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\Sorting\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Autopilot\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\Autopilot\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\ja-JP\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Containernet\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Containernet\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Containernet\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1516

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Containernet\RF2hvkHZrszbP0k.bat

Filesize
40B

MD5
a85467e4f1d1f99e96e9590c355d42f2

SHA1
398ac3ea16a11a8a2957a5ef4143d472e5cfc294

SHA256
046e64c151f66ef0f72682fa16c83309790478eeaa0d7621ea324b4221e85903

SHA512
1a718a6040863d596326d1a7e0f81307d69d1287c4b03767f1a83ebf31f860b3e2a545b44f358a47cac4500b4ecdf9e9c15f8ec46de7335606eaa72b7eaf672a

Download Submit
C:\Containernet\bridgecontainerRef.exe

Filesize
828KB

MD5
6afa3e281b7634f49b96825bb400bc5a

SHA1
fee8aa25a2db0a2eec530345a3955ab5c16050bf

SHA256
29e76ed158c096cd29f1b2d5fcfc838e1034ca2ea35ed66c51490f9bf409a7b1

SHA512
913cecf27e7b99c2b0326c1647a25ce71dd31af8f4e1854b6dc4acd4f87125455b7288b7f9e59d44512bc713a0e2941ddcf6395922af011a3aa71fb48ae2e605

Download Submit
C:\Containernet\r3KdEjt.vbe

Filesize
204B

MD5
8952fed62096fc946fc4ff2231ae0277

SHA1
437591c439dc3da24fbb7ca97cc57e2b37027183

SHA256
54c44a2c1291a654f1fe103fb47ba51e164a7d36221b28282ec01eba06ec5aa4

SHA512
5fd0750db4a66187736760347987108ba81caa3771d8c20dee3fec57b133c1b5b892a65c3e78b6e88958c308d7e98011ac4cb6af63c345b29882f72f75de3d12

Download Submit
C:\SurrogatewinDrivernetsvc\2e8nYkLZtNZRWLze8a3w.vbe

Filesize
224B

MD5
5c864fca419a9f0dec15d73ec242077d

SHA1
e57ebd5f534ca0535960d156eb7c4c3b44c503b5

SHA256
22c51d8cef10cf4075e704eb50e774b4bba1ff8913746487650c9d242789fe10

SHA512
d0cc0b8feb2a99e88d09cfc224d99215ebcae5902c971c9bd4ab0987a1d9e682e4bac8d8d6f7c64fd2c930463bb8201e5353c577643aff9b58cd982eeeb5fe5f

Download Submit
C:\SurrogatewinDrivernetsvc\EmfL9gR1UoUqTmpNgZjd7sI.bat

Filesize
162B

MD5
e01ef91219b266b14d1ae415d30256d5

SHA1
cad006a2efee48fcad1166e7ce3bc118ff139808

SHA256
db58b3dde8508ecbe59d938545246355b52d9cdec29f76657b66638c4d7aeeb2

SHA512
7826ca4bda02431bff87c7c72bd1ea53bc769b8574302a37445318360326e5a89e309c35dbc8f9981ec35c5067b4a459195b78d0289f5d93f6ec54be4c3f1e7b

Download Submit
C:\SurrogatewinDrivernetsvc\portproviderperf.exe

Filesize
2.7MB

MD5
13a959a83b29024a74822f39005c6bf5

SHA1
5d5e1b1392f1bea34e44a08114ee2fd22cb7cdc9

SHA256
51ae7d669eb7c34c9390685b0fd2db522d9ba244ead6021523e608009821601e

SHA512
2492bb129ab89b5fcd33bb9c19b1765fc7e10cb9de3e00419e1aa4d3807c14f9eaa842115670529604d62cd5b5ca274d93d5288c88cf6eda7ce4c378e71cbf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NursultanAlphaCrack.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bridgecontainerRef.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\portproviderperf.exe.log

Filesize
1KB

MD5
5cb90c90e96a3b36461ed44d339d02e5

SHA1
5508281a22cca7757bc4fbdb0a8e885c9f596a04

SHA256
34c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb

SHA512
63735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
3.0MB

MD5
101ba015a44ffb0f1a61dcafa9ca152c

SHA1
c29e1af8daa1dee8bf04b221e9e5551889229236

SHA256
a5cd4b6a4ea887e69a01856df8b1e58887860dfb0041e60e768c988cc1e5ec8b

SHA512
f3ddf2005433e9f248dd7a6ea4fd10446f9e3c3c8b1eede306e253c86d6155e7448a6e10f87336996e87ef52f3dd21bb988733234a8788516edd7da0fd192b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe

Filesize
1.1MB

MD5
ee4839dcc8cf148ce959f4d238f5d696

SHA1
ea27026af975bf81febf24f872b722c19544c0be

SHA256
e0663c567d2eb0a820e22f4f2cf2a728c911e14dbb5aa054e6d24904b4e3ca4e

SHA512
65cbba7b3c2f89a95a38e9e21386084d6fb57162ed34010feae03cb00051537663cfc78475810b123427db6e063a53a9b08170f5aed869d34fd4295c84021093

Download Submit
memory/2088-76-0x0000000000CD0000-0x0000000000F86000-memory.dmp

Filesize
2.7MB

Download
memory/2088-77-0x000000001BB80000-0x000000001BB8E000-memory.dmp

Filesize
56KB

Download
memory/2464-15-0x00007FF9F60C0000-0x00007FF9F6B81000-memory.dmp

Filesize
10.8MB

Download
memory/2464-55-0x00007FF9F60C0000-0x00007FF9F6B81000-memory.dmp

Filesize
10.8MB

Download
memory/3116-21-0x00007FF9F60C0000-0x00007FF9F6B81000-memory.dmp

Filesize
10.8MB

Download
memory/3116-0-0x00007FF9F60C3000-0x00007FF9F60C5000-memory.dmp

Filesize
8KB

Download
memory/3116-7-0x00007FF9F60C0000-0x00007FF9F6B81000-memory.dmp

Filesize
10.8MB

Download
memory/3116-1-0x0000000000270000-0x00000000005CE000-memory.dmp

Filesize
3.4MB

Download
memory/4844-100-0x0000000000F70000-0x0000000001046000-memory.dmp

Filesize
856KB

Download