d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
5200	taskkill.exe
5192	taskkill.exe
5232	taskkill.exe
4928	taskkill.exe
72	taskkill.exe
5152	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133841045366975162"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 59 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Silent ETH Miner Builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	Taskmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Silent ETH Miner Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Silent ETH Miner Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Silent ETH Miner Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Silent ETH Miner Builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Silent ETH Miner Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	Taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Silent ETH Miner Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Silent ETH Miner Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Silent ETH Miner Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Silent ETH Miner Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000005dfb4f9ba37bdb01d3a2a1f8aa7bdb010805a4f8aa7bdb0114000000	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Silent ETH Miner Builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Silent ETH Miner Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "5"	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Silent ETH Miner Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Silent ETH Miner Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Silent ETH Miner Builder.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\2025-02-15-14-50-guarda-backup.txt:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\SilentETHMiner.Builder.rar:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3672	NOTEPAD.EXE
2368	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1364	schtasks.exe
3808	schtasks.exe
1964	schtasks.exe
5012	schtasks.exe
5140	schtasks.exe
5176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2724	chrome.exe
2724	chrome.exe
1004	chrome.exe
1004	chrome.exe
1004	chrome.exe
1004	chrome.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4420	Silent ETH Miner Builder.exe
948	Taskmgr.exe
4608	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
4764	7zG.exe
4008	7zG.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe
948	Taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4420	Silent ETH Miner Builder.exe
4420	Silent ETH Miner Builder.exe
4420	Silent ETH Miner Builder.exe
4420	Silent ETH Miner Builder.exe
4420	Silent ETH Miner Builder.exe
4420	Silent ETH Miner Builder.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 3672	4376	cmd.exe	86
PID 4376 wrote to memory of 3672	4376	cmd.exe	86
PID 2724 wrote to memory of 3768	2724	chrome.exe	95
PID 2724 wrote to memory of 3768	2724	chrome.exe	95
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 224	2724	chrome.exe	96
PID 2724 wrote to memory of 4396	2724	chrome.exe	97
PID 2724 wrote to memory of 4396	2724	chrome.exe	97
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98
PID 2724 wrote to memory of 2912	2724	chrome.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\test.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda9becc40,0x7ffda9becc4c,0x7ffda9becc58
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1756,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=1752 /prefetch:2
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4680,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4864,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4892,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5032,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5304,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5412,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3228,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4984,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5024,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4684,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5548,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4540,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5424,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5088,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5416,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4548,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=3664,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4552,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - NTFS ADS
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5912,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4176,i,12263846762703151877,5174572040142128440,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1008

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2388

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzcwMUFCOUEtM0EzRi00Q0Y4LUI2QkUtNzMzNkYyQzdBOEYwfSIgdXNlcmlkPSJ7OTk0NDQzMUYtQjZEQi00QjEzLUI2MUUtNDkwNUY4MzQ1REIzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTdBNTQzRkEtMjMyNy00QzJBLTg5MUUtNzRCMjRFOTIzMkI5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjUiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDAzMyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjU2MjA2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUzMjU5ODc5OTEiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004E8
1⤵
PID:564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:440

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SilentETHMiner.Builder\" -ad -an -ai#7zMap30800:106:7zEvent6621
1⤵
- Suspicious use of FindShellTrayWindow
PID:4764

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SilentETHMiner.Builder\PASSWORD.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2368

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SilentETHMiner.Builder\Silent.ETHMiner.Builder\" -ad -an -ai#7zMap8941:154:7zEvent13340
1⤵
- Suspicious use of FindShellTrayWindow
PID:4008

C:\Users\Admin\Downloads\SilentETHMiner.Builder\Silent.ETHMiner.Builder\Silent.ETH.Miner.Builder\Silent ETH Miner Builder.exe
"C:\Users\Admin\Downloads\SilentETHMiner.Builder\Silent.ETHMiner.Builder\Silent.ETH.Miner.Builder\Silent ETH Miner Builder.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1kzgcxt3\1kzgcxt3.cmdline"
  2⤵
  PID:3680
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9751.tmp" "c:\Users\Admin\Desktop\CSC77639D7DC24A909EB3ADD31693AD7F.TMP"
    3⤵
    PID:2980
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" cmd /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe" --input resource.rc --output resource.o -O coff -DDefAdmin
  2⤵
  PID:1484
- - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe
    C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe --input resource.rc --output resource.o -O coff -DDefAdmin
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc" -E -xc -DRC_INVOKED -DDefAdmin resource.rc
      4⤵
      System Location Discovery: System Language Discovery
      PID:1364
    - - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc.exe
        
        C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc -E -xc -DRC_INVOKED -DDefAdmin resource.rc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5096
      - C:\Users\Admin\Desktop\Compilers\MinGW64\libexec\gcc\x86_64-w64-mingw32\4.9.2\cc1.exe
        
        "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../libexec/gcc/x86_64-w64-mingw32/4.9.2/cc1.exe" "-E" "-quiet" "-iprefix" "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../lib/gcc/x86_64-w64-mingw32/4.9.2/" "-D_REENTRANT" "-D" "RC_INVOKED" "-D" "DefAdmin" "resource.rc" "-mtune=generic" "-march=x86-64"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3632
- C:\Users\Admin\Desktop\Compilers\donut\donut.exe
  "C:\Users\Admin\Desktop\Compilers\donut\donut.exe" "C:\Users\Admin\Desktop\ethminer-watchdog.exe" -a 2 -f 1
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe
  "C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe" -Wall -Wl,-subsystem=windows "C:\Users\Admin\Desktop\ethminer-watchdog-loader.c" resource.o -lntdll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3uawvh1f\3uawvh1f.cmdline"
  2⤵
  PID:2244
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1FF.tmp" "c:\Users\Admin\Desktop\CSC7C6BF09668E7480EA1D9339C2D016EB.TMP"
    3⤵
    PID:640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jg1uze3m\jg1uze3m.cmdline"
  2⤵
  PID:1092
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2BB.tmp" "c:\Users\Admin\Desktop\CSCB455D527C0074912968BF1A5758E6DD6.TMP"
    3⤵
    PID:1388
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" cmd /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe" --input resource.rc --output resource.o -O coff -DDefAdmin
  2⤵
  PID:4312
- - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe
    C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe --input resource.rc --output resource.o -O coff -DDefAdmin
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc" -E -xc -DRC_INVOKED -DDefAdmin resource.rc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2904
    - - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc.exe
        
        C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc -E -xc -DRC_INVOKED -DDefAdmin resource.rc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2528
      - C:\Users\Admin\Desktop\Compilers\MinGW64\libexec\gcc\x86_64-w64-mingw32\4.9.2\cc1.exe
        
        "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../libexec/gcc/x86_64-w64-mingw32/4.9.2/cc1.exe" "-E" "-quiet" "-iprefix" "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../lib/gcc/x86_64-w64-mingw32/4.9.2/" "-D_REENTRANT" "-D" "RC_INVOKED" "-D" "DefAdmin" "resource.rc" "-mtune=generic" "-march=x86-64"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3444
- C:\Users\Admin\Desktop\Compilers\donut\donut.exe
  "C:\Users\Admin\Desktop\Compilers\donut\donut.exe" "C:\Users\Admin\Desktop\ethminer-uninstaller-payload.exe" -a 2 -f 1
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe
  "C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe" -Wall -Wl,-subsystem=windows "C:\Users\Admin\Desktop\ethminer-uninstaller.c" resource.o -lntdll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2444
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" cmd /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe" --input resource.rc --output resource.o -O coff -DDefAdmin
  2⤵
  PID:3208
- - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe
    C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe --input resource.rc --output resource.o -O coff -DDefAdmin
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc" -E -xc -DRC_INVOKED -DDefAdmin resource.rc
      4⤵
      System Location Discovery: System Language Discovery
      PID:880
    - - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc.exe
        
        C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc -E -xc -DRC_INVOKED -DDefAdmin resource.rc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3032
      - C:\Users\Admin\Desktop\Compilers\MinGW64\libexec\gcc\x86_64-w64-mingw32\4.9.2\cc1.exe
        
        "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../libexec/gcc/x86_64-w64-mingw32/4.9.2/cc1.exe" "-E" "-quiet" "-iprefix" "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../lib/gcc/x86_64-w64-mingw32/4.9.2/" "-D_REENTRANT" "-D" "RC_INVOKED" "-D" "DefAdmin" "resource.rc" "-mtune=generic" "-march=x86-64"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:904
- C:\Users\Admin\Desktop\Compilers\donut\donut.exe
  "C:\Users\Admin\Desktop\Compilers\donut\donut.exe" "C:\Users\Admin\Desktop\ethminer-miner.exe" -a 2 -f 1
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe
  "C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe" -Wall -Wl,-subsystem=windows "C:\Users\Admin\Desktop\ethminer.c" resource.o -lntdll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f5ncty5e\f5ncty5e.cmdline"
  2⤵
  PID:4572
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA3C.tmp" "c:\Users\Admin\Desktop\CSC8C7739E256694D37A6A12BE72DFE68FF.TMP"
    3⤵
    PID:2000
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" cmd /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe" --input resource.rc --output resource.o -O coff -DDefAdmin
  2⤵
  PID:2824
- - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe
    C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe --input resource.rc --output resource.o -O coff -DDefAdmin
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc" -E -xc -DRC_INVOKED -DDefAdmin resource.rc
      4⤵
      System Location Discovery: System Language Discovery
      PID:5096
    - - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc.exe
        
        C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc -E -xc -DRC_INVOKED -DDefAdmin resource.rc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4252
      - C:\Users\Admin\Desktop\Compilers\MinGW64\libexec\gcc\x86_64-w64-mingw32\4.9.2\cc1.exe
        
        "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../libexec/gcc/x86_64-w64-mingw32/4.9.2/cc1.exe" "-E" "-quiet" "-iprefix" "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../lib/gcc/x86_64-w64-mingw32/4.9.2/" "-D_REENTRANT" "-D" "RC_INVOKED" "-D" "DefAdmin" "resource.rc" "-mtune=generic" "-march=x86-64"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2844
- C:\Users\Admin\Desktop\Compilers\donut\donut.exe
  "C:\Users\Admin\Desktop\Compilers\donut\donut.exe" "C:\Users\Admin\Desktop\minneeer-watchdog.exe" -a 2 -f 1
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe
  "C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe" -Wall -Wl,-subsystem=windows "C:\Users\Admin\Desktop\minneeer-watchdog-loader.c" resource.o -lntdll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bluszoz1\bluszoz1.cmdline"
  2⤵
  PID:4584
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBC3.tmp" "c:\Users\Admin\Desktop\CSC2A3BC0397CD74C2C9D88B36AABDE6BE.TMP"
    3⤵
    PID:3832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0tiyrufy\0tiyrufy.cmdline"
  2⤵
  PID:3376
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC8E.tmp" "c:\Users\Admin\Desktop\CSC218D3305CC9A4C76BF1E71A1EAB1E9E.TMP"
    3⤵
    PID:1536
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" cmd /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe" --input resource.rc --output resource.o -O coff -DDefAdmin
  2⤵
  PID:4900
- - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe
    C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe --input resource.rc --output resource.o -O coff -DDefAdmin
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc" -E -xc -DRC_INVOKED -DDefAdmin resource.rc
      4⤵
      System Location Discovery: System Language Discovery
      PID:4948
    - - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc.exe
        
        C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc -E -xc -DRC_INVOKED -DDefAdmin resource.rc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1904
      - C:\Users\Admin\Desktop\Compilers\MinGW64\libexec\gcc\x86_64-w64-mingw32\4.9.2\cc1.exe
        
        "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../libexec/gcc/x86_64-w64-mingw32/4.9.2/cc1.exe" "-E" "-quiet" "-iprefix" "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../lib/gcc/x86_64-w64-mingw32/4.9.2/" "-D_REENTRANT" "-D" "RC_INVOKED" "-D" "DefAdmin" "resource.rc" "-mtune=generic" "-march=x86-64"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3040
- C:\Users\Admin\Desktop\Compilers\donut\donut.exe
  "C:\Users\Admin\Desktop\Compilers\donut\donut.exe" "C:\Users\Admin\Desktop\minneeer-uninstaller-payload.exe" -a 2 -f 1
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe
  "C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe" -Wall -Wl,-subsystem=windows "C:\Users\Admin\Desktop\minneeer-uninstaller.c" resource.o -lntdll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2904
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" cmd /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe" --input resource.rc --output resource.o -O coff -DDefAdmin
  2⤵
  PID:3400
- - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe
    C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe --input resource.rc --output resource.o -O coff -DDefAdmin
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc" -E -xc -DRC_INVOKED -DDefAdmin resource.rc
      4⤵
      System Location Discovery: System Language Discovery
      PID:4716
    - - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc.exe
        
        C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc -E -xc -DRC_INVOKED -DDefAdmin resource.rc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3240
      - C:\Users\Admin\Desktop\Compilers\MinGW64\libexec\gcc\x86_64-w64-mingw32\4.9.2\cc1.exe
        
        "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../libexec/gcc/x86_64-w64-mingw32/4.9.2/cc1.exe" "-E" "-quiet" "-iprefix" "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../lib/gcc/x86_64-w64-mingw32/4.9.2/" "-D_REENTRANT" "-D" "RC_INVOKED" "-D" "DefAdmin" "resource.rc" "-mtune=generic" "-march=x86-64"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3520
- C:\Users\Admin\Desktop\Compilers\donut\donut.exe
  "C:\Users\Admin\Desktop\Compilers\donut\donut.exe" "C:\Users\Admin\Desktop\minneeer-miner.exe" -a 2 -f 1
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe
  "C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe" -Wall -Wl,-subsystem=windows "C:\Users\Admin\Desktop\minneeer.c" resource.o -lntdll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fq2zvmhx\fq2zvmhx.cmdline"
  2⤵
  PID:4560
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD216.tmp" "c:\Users\Admin\Desktop\CSCD320CC2C6F8C49F8A7F4D515646BDFE6.TMP"
    3⤵
    PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owuzdyl4\owuzdyl4.cmdline"
  2⤵
  PID:2316
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2B2.tmp" "c:\Users\Admin\Desktop\CSC2C206C562C2E4441972C21B79FCE0DE.TMP"
    3⤵
    PID:3520
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" cmd /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe" --input resource.rc --output resource.o -O coff -DDefAdmin
  2⤵
  PID:2108
- - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe
    C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe --input resource.rc --output resource.o -O coff -DDefAdmin
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc" -E -xc -DRC_INVOKED -DDefAdmin resource.rc
      4⤵
      System Location Discovery: System Language Discovery
      PID:704
    - - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc.exe
        
        C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc -E -xc -DRC_INVOKED -DDefAdmin resource.rc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1536
      - C:\Users\Admin\Desktop\Compilers\MinGW64\libexec\gcc\x86_64-w64-mingw32\4.9.2\cc1.exe
        
        "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../libexec/gcc/x86_64-w64-mingw32/4.9.2/cc1.exe" "-E" "-quiet" "-iprefix" "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../lib/gcc/x86_64-w64-mingw32/4.9.2/" "-D_REENTRANT" "-D" "RC_INVOKED" "-D" "DefAdmin" "resource.rc" "-mtune=generic" "-march=x86-64"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3008
- C:\Users\Admin\Desktop\Compilers\donut\donut.exe
  "C:\Users\Admin\Desktop\Compilers\donut\donut.exe" "C:\Users\Admin\Desktop\ok-uninstaller-payload.exe" -a 2 -f 1
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe
  "C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe" -Wall -Wl,-subsystem=windows "C:\Users\Admin\Desktop\ok-uninstaller.c" resource.o -lntdll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4640
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" cmd /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe" --input resource.rc --output resource.o -O coff -DDefAdmin
  2⤵
  PID:2040
- - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe
    C:\Users\Admin\Desktop\Compilers\MinGW64\bin\windres.exe --input resource.rc --output resource.o -O coff -DDefAdmin
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc" -E -xc -DRC_INVOKED -DDefAdmin resource.rc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2432
    - - C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc.exe
        
        C:\Users\Admin\Desktop\Compilers\MinGW64\bin\gcc -E -xc -DRC_INVOKED -DDefAdmin resource.rc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1676
      - C:\Users\Admin\Desktop\Compilers\MinGW64\libexec\gcc\x86_64-w64-mingw32\4.9.2\cc1.exe
        
        "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../libexec/gcc/x86_64-w64-mingw32/4.9.2/cc1.exe" "-E" "-quiet" "-iprefix" "C:/Users/Admin/Desktop/Compilers/MinGW64/bin/../lib/gcc/x86_64-w64-mingw32/4.9.2/" "-D_REENTRANT" "-D" "RC_INVOKED" "-D" "DefAdmin" "resource.rc" "-mtune=generic" "-march=x86-64"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4100
- C:\Users\Admin\Desktop\Compilers\donut\donut.exe
  "C:\Users\Admin\Desktop\Compilers\donut\donut.exe" "C:\Users\Admin\Desktop\ok-miner.exe" -a 2 -f 1
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe
  "C:\Users\Admin\Desktop\Compilers\tinycc\tcc.exe" -Wall -Wl,-subsystem=windows "C:\Users\Admin\Desktop\ok.c" resource.o -lntdll
  2⤵
  - Executes dropped EXE
  PID:2980

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:948

C:\Users\Admin\Desktop\minneeer.exe
"C:\Users\Admin\Desktop\minneeer.exe"
1⤵
- Executes dropped EXE
PID:1100
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\Desktop\minneeer.exe"
  2⤵
  - Drops file in System32 directory
  PID:1780
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    PID:4376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4824
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
    3⤵
    PID:3836
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1364
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services32.exe"
    3⤵
    PID:1964
  - - C:\Windows\system32\services32.exe
      C:\Windows\system32\services32.exe
      4⤵
      Executes dropped EXE
      PID:1348
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\services32.exe"
        5⤵
        Drops file in System32 directory
        
        PID:2572
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        
        PID:4640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2320
      - C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        6⤵
        Executes dropped EXE
        
        PID:660
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\\conhost.exe" "/sihost32"
        7⤵
        
        PID:4736

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4608

C:\Users\Admin\Desktop\minneeer.exe
"C:\Users\Admin\Desktop\minneeer.exe"
1⤵
- Executes dropped EXE
PID:4884
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\Desktop\minneeer.exe"
  2⤵
  - Drops file in System32 directory
  PID:1988
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    PID:3896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1100
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c taskkill /f /PID "4736"
    3⤵
    PID:1368
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /PID "4736"
      4⤵
      Kills process with taskkill
      PID:4928
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
    3⤵
    PID:2564
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3808
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services32.exe"
    3⤵
    PID:2444
  - - C:\Windows\system32\services32.exe
      C:\Windows\system32\services32.exe
      4⤵
      Executes dropped EXE
      PID:4736
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\services32.exe"
        5⤵
        Drops file in System32 directory
        
        PID:2340
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        
        PID:5052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3956
      - C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        6⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\\conhost.exe" "/sihost32"
        7⤵
        
        PID:3832

C:\Users\Admin\Desktop\minneeer-uninstaller.exe
"C:\Users\Admin\Desktop\minneeer-uninstaller.exe"
1⤵
- Executes dropped EXE
PID:3904
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\\conhost.exe" ""
  2⤵
  PID:4320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "services32" & exit
    3⤵
    PID:4688
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /f /tn "services32"
      4⤵
      PID:704
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c taskkill /f /PID "4736"
    3⤵
    PID:1504
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /PID "4736"
      4⤵
      Kills process with taskkill
      PID:72

C:\Users\Admin\Desktop\ok.exe
"C:\Users\Admin\Desktop\ok.exe"
1⤵
- Executes dropped EXE
PID:1556
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\Desktop\ok.exe"
  2⤵
  - Drops file in System32 directory
  PID:4128
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    PID:2296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4868
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "lol" /tr "C:\Windows\system32\lol.exe"
    3⤵
    PID:1916
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "lol" /tr "C:\Windows\system32\lol.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1964
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\lol.exe"
    3⤵
    PID:1924
  - - C:\Windows\system32\lol.exe
      C:\Windows\system32\lol.exe
      4⤵
      Executes dropped EXE
      PID:2372
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\lol.exe"
        5⤵
        
        PID:2320
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        
        PID:2480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2000

C:\Users\Admin\Desktop\minneeer.exe
"C:\Users\Admin\Desktop\minneeer.exe"
1⤵
- Executes dropped EXE
PID:2144
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\Desktop\minneeer.exe"
  2⤵
  - Drops file in System32 directory
  PID:564
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    PID:2100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5368
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c taskkill /f /PID "3832"
    3⤵
    PID:2488
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /PID "3832"
      4⤵
      Kills process with taskkill
      PID:5200
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
    3⤵
    PID:2184
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5140
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services32.exe"
    3⤵
    PID:4824
  - - C:\Windows\system32\services32.exe
      C:\Windows\system32\services32.exe
      4⤵
      Executes dropped EXE
      PID:5208
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\services32.exe"
        5⤵
        Drops file in System32 directory
        
        PID:2320
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        
        PID:884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4932
      - C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        6⤵
        Executes dropped EXE
        
        PID:5436
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\\conhost.exe" "/sihost32"
        7⤵
        
        PID:5888

C:\Users\Admin\Desktop\minneeer-uninstaller.exe
"C:\Users\Admin\Desktop\minneeer-uninstaller.exe"
1⤵
- Executes dropped EXE
PID:3700
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\\conhost.exe" ""
  2⤵
  PID:5024
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "services32" & exit
    3⤵
    PID:3388
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /f /tn "services32"
      4⤵
      PID:1472
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c taskkill /f /PID "3832"
    3⤵
    PID:1384
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /PID "3832"
      4⤵
      Kills process with taskkill
      PID:5192

C:\Users\Admin\Desktop\ok-uninstaller.exe
"C:\Users\Admin\Desktop\ok-uninstaller.exe"
1⤵
- Executes dropped EXE
PID:1488
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\\conhost.exe" ""
  2⤵
  PID:904
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "lol" & exit
    3⤵
    PID:3612
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /f /tn "lol"
      4⤵
      PID:3400
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c taskkill /f /PID "3832"
    3⤵
    PID:4704
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /PID "3832"
      4⤵
      Kills process with taskkill
      PID:5232

C:\Users\Admin\Desktop\ethminer.exe
"C:\Users\Admin\Desktop\ethminer.exe"
1⤵
- Executes dropped EXE
PID:2844
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\Desktop\ethminer.exe"
  2⤵
  - Drops file in System32 directory
  PID:2256
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    PID:4084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5376
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c taskkill /f /PID "3832"
    3⤵
    PID:1280
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /PID "3832"
      4⤵
      Kills process with taskkill
      PID:5152
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
    3⤵
    PID:912
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5176
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services32.exe"
    3⤵
    PID:5144
  - - C:\Windows\system32\services32.exe
      C:\Windows\system32\services32.exe
      4⤵
      Executes dropped EXE
      PID:2368
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\services32.exe"
        5⤵
        Drops file in System32 directory
        
        PID:1216
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        
        PID:3128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3680
      - C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        6⤵
        Executes dropped EXE
        
        PID:5460
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\\conhost.exe" "/sihost32"
        7⤵
        
        PID:1936

C:\Users\Admin\Desktop\ok.exe
"C:\Users\Admin\Desktop\ok.exe"
1⤵
- Executes dropped EXE
PID:3724
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\Desktop\ok.exe"
  2⤵
  - Drops file in System32 directory
  PID:2596
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    PID:228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5384
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "lol" /tr "C:\Windows\system32\lol.exe"
    3⤵
    PID:2916
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "lol" /tr "C:\Windows\system32\lol.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5012
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\lol.exe"
    3⤵
    PID:6128
  - - C:\Windows\system32\lol.exe
      C:\Windows\system32\lol.exe
      4⤵
      Executes dropped EXE
      PID:2108
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\lol.exe"
        5⤵
        
        PID:5316
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        
        PID:1892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5464

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
PID:5896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery