redline | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hh6V5GehBR0eZnYutJsnNTYk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FyBOjPNRsEmu9hyyka17XgpS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ItWAr5S2pUv8PTeLhZuqzMVM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ItWAr5S2pUv8PTeLhZuqzMVM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hh6V5GehBR0eZnYutJsnNTYk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hh6V5GehBR0eZnYutJsnNTYk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ItWAr5S2pUv8PTeLhZuqzMVM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FyBOjPNRsEmu9hyyka17XgpS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hh6V5GehBR0eZnYutJsnNTYk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FyBOjPNRsEmu9hyyka17XgpS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FyBOjPNRsEmu9hyyka17XgpS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ItWAr5S2pUv8PTeLhZuqzMVM.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	Setup (15).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	Setup (15).exe

Loads dropped DLL 56 IoCs

pid	Process
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1632	VMAdezTAvyqurGwNogekiAab.exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1528	Setup (15).exe
1632	VMAdezTAvyqurGwNogekiAab.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1672	icacls.exe
1672	icacls.exe

Themida packer 22 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral13/files/0x000300000001317a-69.dat	themida
behavioral13/files/0x0003000000013171-67.dat	themida
behavioral13/files/0x0003000000013171-81.dat	themida
behavioral13/files/0x000300000001317a-84.dat	themida
behavioral13/files/0x000300000001318d-123.dat	themida
behavioral13/files/0x000300000001318d-118.dat	themida
behavioral13/files/0x0003000000013195-139.dat	themida
behavioral13/files/0x0003000000013195-130.dat	themida
behavioral13/memory/1336-154-0x00000000003D0000-0x00000000003D1000-memory.dmp	themida
behavioral13/memory/1868-155-0x0000000000C60000-0x0000000000C61000-memory.dmp	themida
behavioral13/memory/1812-180-0x0000000001390000-0x0000000001391000-memory.dmp	themida
behavioral13/files/0x000300000001317a-69.dat	themida
behavioral13/files/0x0003000000013171-67.dat	themida
behavioral13/files/0x0003000000013171-81.dat	themida
behavioral13/files/0x000300000001317a-84.dat	themida
behavioral13/files/0x000300000001318d-123.dat	themida
behavioral13/files/0x000300000001318d-118.dat	themida
behavioral13/files/0x0003000000013195-139.dat	themida
behavioral13/files/0x0003000000013195-130.dat	themida
behavioral13/memory/1336-154-0x00000000003D0000-0x00000000003D1000-memory.dmp	themida
behavioral13/memory/1868-155-0x0000000000C60000-0x0000000000C61000-memory.dmp	themida
behavioral13/memory/1812-180-0x0000000001390000-0x0000000001391000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ItWAr5S2pUv8PTeLhZuqzMVM.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hh6V5GehBR0eZnYutJsnNTYk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FyBOjPNRsEmu9hyyka17XgpS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ItWAr5S2pUv8PTeLhZuqzMVM.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hh6V5GehBR0eZnYutJsnNTYk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FyBOjPNRsEmu9hyyka17XgpS.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 20 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
316	ipinfo.io
474	ipinfo.io
476	ipinfo.io
21	ipinfo.io
139	ipinfo.io
151	ip-api.com
307	ipinfo.io
448	api.2ip.ua
22	ipinfo.io
221	ipinfo.io
389	api.2ip.ua
434	ipinfo.io
473	ipinfo.io
144	ipinfo.io
222	ipinfo.io
321	ipinfo.io
387	api.2ip.ua
436	ipinfo.io
446	api.2ip.ua
505	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1336	ItWAr5S2pUv8PTeLhZuqzMVM.exe
1868	hh6V5GehBR0eZnYutJsnNTYk.exe
1812	FyBOjPNRsEmu9hyyka17XgpS.exe
1336	ItWAr5S2pUv8PTeLhZuqzMVM.exe
1868	hh6V5GehBR0eZnYutJsnNTYk.exe
1812	FyBOjPNRsEmu9hyyka17XgpS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
3656	1104	WerFault.exe	50
3448	852	WerFault.exe	90
2532	2392	WerFault.exe	66
3568	2816	WerFault.exe	145
2308	3192	WerFault.exe	188
1108	3280	WerFault.exe	119
3656	1104	WerFault.exe	284
3448	852	WerFault.exe	324
2532	2392	WerFault.exe	300
3568	2816	WerFault.exe	379
2308	3192	WerFault.exe	422
1108	3280	WerFault.exe	353

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jN3XFLlLGgPGNK0obRdDDXkr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jN3XFLlLGgPGNK0obRdDDXkr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jN3XFLlLGgPGNK0obRdDDXkr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jN3XFLlLGgPGNK0obRdDDXkr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jN3XFLlLGgPGNK0obRdDDXkr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jN3XFLlLGgPGNK0obRdDDXkr.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2516	schtasks.exe
4220	schtasks.exe
2516	schtasks.exe
4220	schtasks.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4492	timeout.exe
3492	timeout.exe
4492	timeout.exe
3492	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
2704	taskkill.exe
3648	taskkill.exe
3756	taskkill.exe
2704	taskkill.exe
3648	taskkill.exe
3756	taskkill.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (15).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup (15).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup (15).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup (15).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (15).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup (15).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup (15).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup (15).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (15).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (15).exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1776	PING.EXE
1776	PING.EXE

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	320	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	435	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	438	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	475	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	506	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	143	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	146	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	306	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1528	Setup (15).exe
1528	Setup (15).exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	e_wZiDZBvI5cI3n5ujHES0Vr.exe
Token: SeDebugPrivilege	1708	Vz5wtW0pBiAoPTjea0cy4FDR.exe
Token: SeDebugPrivilege	1812	FyBOjPNRsEmu9hyyka17XgpS.exe
Token: SeDebugPrivilege	1336	ItWAr5S2pUv8PTeLhZuqzMVM.exe
Token: SeDebugPrivilege	1384	zzBlROWSumAUtKJFkVYWdx9t.exe
Token: SeDebugPrivilege	1868	hh6V5GehBR0eZnYutJsnNTYk.exe
Token: SeDebugPrivilege	956	e_wZiDZBvI5cI3n5ujHES0Vr.exe
Token: SeDebugPrivilege	1708	Vz5wtW0pBiAoPTjea0cy4FDR.exe
Token: SeDebugPrivilege	1812	FyBOjPNRsEmu9hyyka17XgpS.exe
Token: SeDebugPrivilege	1336	ItWAr5S2pUv8PTeLhZuqzMVM.exe
Token: SeDebugPrivilege	1384	zzBlROWSumAUtKJFkVYWdx9t.exe
Token: SeDebugPrivilege	1868	hh6V5GehBR0eZnYutJsnNTYk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 1384	1528	Setup (15).exe	31
PID 1528 wrote to memory of 1384	1528	Setup (15).exe	31
PID 1528 wrote to memory of 1384	1528	Setup (15).exe	31
PID 1528 wrote to memory of 1384	1528	Setup (15).exe	31
PID 1528 wrote to memory of 1264	1528	Setup (15).exe	36
PID 1528 wrote to memory of 1264	1528	Setup (15).exe	36
PID 1528 wrote to memory of 1264	1528	Setup (15).exe	36
PID 1528 wrote to memory of 1264	1528	Setup (15).exe	36
PID 1528 wrote to memory of 1336	1528	Setup (15).exe	35
PID 1528 wrote to memory of 1336	1528	Setup (15).exe	35
PID 1528 wrote to memory of 1336	1528	Setup (15).exe	35
PID 1528 wrote to memory of 1336	1528	Setup (15).exe	35
PID 1528 wrote to memory of 1336	1528	Setup (15).exe	35
PID 1528 wrote to memory of 1336	1528	Setup (15).exe	35
PID 1528 wrote to memory of 1336	1528	Setup (15).exe	35
PID 1528 wrote to memory of 1868	1528	Setup (15).exe	34
PID 1528 wrote to memory of 1868	1528	Setup (15).exe	34
PID 1528 wrote to memory of 1868	1528	Setup (15).exe	34
PID 1528 wrote to memory of 1868	1528	Setup (15).exe	34
PID 1528 wrote to memory of 1868	1528	Setup (15).exe	34
PID 1528 wrote to memory of 1868	1528	Setup (15).exe	34
PID 1528 wrote to memory of 1868	1528	Setup (15).exe	34
PID 1528 wrote to memory of 1708	1528	Setup (15).exe	33
PID 1528 wrote to memory of 1708	1528	Setup (15).exe	33
PID 1528 wrote to memory of 1708	1528	Setup (15).exe	33
PID 1528 wrote to memory of 1708	1528	Setup (15).exe	33
PID 1528 wrote to memory of 956	1528	Setup (15).exe	32
PID 1528 wrote to memory of 956	1528	Setup (15).exe	32
PID 1528 wrote to memory of 956	1528	Setup (15).exe	32
PID 1528 wrote to memory of 956	1528	Setup (15).exe	32
PID 1528 wrote to memory of 1656	1528	Setup (15).exe	38
PID 1528 wrote to memory of 1656	1528	Setup (15).exe	38
PID 1528 wrote to memory of 1656	1528	Setup (15).exe	38
PID 1528 wrote to memory of 1656	1528	Setup (15).exe	38
PID 1528 wrote to memory of 1036	1528	Setup (15).exe	37
PID 1528 wrote to memory of 1036	1528	Setup (15).exe	37
PID 1528 wrote to memory of 1036	1528	Setup (15).exe	37
PID 1528 wrote to memory of 1036	1528	Setup (15).exe	37
PID 1528 wrote to memory of 1512	1528	Setup (15).exe	42
PID 1528 wrote to memory of 1512	1528	Setup (15).exe	42
PID 1528 wrote to memory of 1512	1528	Setup (15).exe	42
PID 1528 wrote to memory of 1512	1528	Setup (15).exe	42
PID 1528 wrote to memory of 544	1528	Setup (15).exe	39
PID 1528 wrote to memory of 544	1528	Setup (15).exe	39
PID 1528 wrote to memory of 544	1528	Setup (15).exe	39
PID 1528 wrote to memory of 544	1528	Setup (15).exe	39
PID 1528 wrote to memory of 240	1528	Setup (15).exe	52
PID 1528 wrote to memory of 240	1528	Setup (15).exe	52
PID 1528 wrote to memory of 240	1528	Setup (15).exe	52
PID 1528 wrote to memory of 240	1528	Setup (15).exe	52
PID 1528 wrote to memory of 2044	1528	Setup (15).exe	51
PID 1528 wrote to memory of 2044	1528	Setup (15).exe	51
PID 1528 wrote to memory of 2044	1528	Setup (15).exe	51
PID 1528 wrote to memory of 2044	1528	Setup (15).exe	51
PID 1528 wrote to memory of 1104	1528	Setup (15).exe	50
PID 1528 wrote to memory of 1104	1528	Setup (15).exe	50
PID 1528 wrote to memory of 1104	1528	Setup (15).exe	50
PID 1528 wrote to memory of 1104	1528	Setup (15).exe	50
PID 1528 wrote to memory of 1220	1528	Setup (15).exe	49
PID 1528 wrote to memory of 1220	1528	Setup (15).exe	49
PID 1528 wrote to memory of 1220	1528	Setup (15).exe	49
PID 1528 wrote to memory of 1220	1528	Setup (15).exe	49
PID 1528 wrote to memory of 1812	1528	Setup (15).exe	48
PID 1528 wrote to memory of 1812	1528	Setup (15).exe	48

C:\Users\Admin\AppData\Local\Temp\Setup (15).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (15).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\Documents\zzBlROWSumAUtKJFkVYWdx9t.exe
  "C:\Users\Admin\Documents\zzBlROWSumAUtKJFkVYWdx9t.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Users\Admin\Documents\e_wZiDZBvI5cI3n5ujHES0Vr.exe
  "C:\Users\Admin\Documents\e_wZiDZBvI5cI3n5ujHES0Vr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- - C:\Users\Admin\AppData\Roaming\5758290.exe
    "C:\Users\Admin\AppData\Roaming\5758290.exe"
    3⤵
    - Executes dropped EXE
    PID:2392
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2392 -s 1740
      4⤵
      Program crash
      PID:2532
- - C:\Users\Admin\AppData\Roaming\6044921.exe
    "C:\Users\Admin\AppData\Roaming\6044921.exe"
    3⤵
    PID:2688
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:2236
- C:\Users\Admin\Documents\Vz5wtW0pBiAoPTjea0cy4FDR.exe
  "C:\Users\Admin\Documents\Vz5wtW0pBiAoPTjea0cy4FDR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Users\Admin\Documents\hh6V5GehBR0eZnYutJsnNTYk.exe
  "C:\Users\Admin\Documents\hh6V5GehBR0eZnYutJsnNTYk.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Users\Admin\Documents\aUGmA5GhTyRz_LmYeXskwDvq.exe
  "C:\Users\Admin\Documents\aUGmA5GhTyRz_LmYeXskwDvq.exe"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Users\Admin\Documents\Bia420ugUKri_wnCTfXHntNi.exe
  "C:\Users\Admin\Documents\Bia420ugUKri_wnCTfXHntNi.exe"
  2⤵
  - Executes dropped EXE
  PID:1264
- - C:\Users\Admin\Documents\Bia420ugUKri_wnCTfXHntNi.exe
    C:\Users\Admin\Documents\Bia420ugUKri_wnCTfXHntNi.exe
    3⤵
    PID:3056
- C:\Users\Admin\Documents\jN3XFLlLGgPGNK0obRdDDXkr.exe
  "C:\Users\Admin\Documents\jN3XFLlLGgPGNK0obRdDDXkr.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1036
- C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe
  "C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe"
  2⤵
  - Executes dropped EXE
  PID:1656
- - C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe
    C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe
    3⤵
    PID:3036
- - C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe
    C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe
    3⤵
    PID:2168
- C:\Users\Admin\Documents\qwOSNLCcAkt3lGTqdoRjNIUZ.exe
  "C:\Users\Admin\Documents\qwOSNLCcAkt3lGTqdoRjNIUZ.exe"
  2⤵
  - Executes dropped EXE
  PID:544
- - C:\Users\Admin\Documents\qwOSNLCcAkt3lGTqdoRjNIUZ.exe
    "C:\Users\Admin\Documents\qwOSNLCcAkt3lGTqdoRjNIUZ.exe"
    3⤵
    PID:4076
- C:\Users\Admin\Documents\7A_laG0YRHZc9UDiTtzvDv1f.exe
  "C:\Users\Admin\Documents\7A_laG0YRHZc9UDiTtzvDv1f.exe"
  2⤵
  - Executes dropped EXE
  PID:1512
- - C:\Users\Admin\Documents\7A_laG0YRHZc9UDiTtzvDv1f.exe
    C:\Users\Admin\Documents\7A_laG0YRHZc9UDiTtzvDv1f.exe
    3⤵
    PID:3028
- C:\Users\Admin\Documents\FyBOjPNRsEmu9hyyka17XgpS.exe
  "C:\Users\Admin\Documents\FyBOjPNRsEmu9hyyka17XgpS.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Users\Admin\Documents\7QDDf6tiHk6uopv5DEZYIjap.exe
  "C:\Users\Admin\Documents\7QDDf6tiHk6uopv5DEZYIjap.exe"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Users\Admin\Documents\llQj5weywNSNnTe2YDxVN6RI.exe
  "C:\Users\Admin\Documents\llQj5weywNSNnTe2YDxVN6RI.exe"
  2⤵
  - Executes dropped EXE
  PID:1104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 888
    3⤵
    - Program crash
    PID:3656
- C:\Users\Admin\Documents\ITCvR79WOX9SjcIxlSzUHSef.exe
  "C:\Users\Admin\Documents\ITCvR79WOX9SjcIxlSzUHSef.exe"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Users\Admin\Documents\c5j5c0QGDgQVNhuu0qMQ74q1.exe
  "C:\Users\Admin\Documents\c5j5c0QGDgQVNhuu0qMQ74q1.exe"
  2⤵
  - Executes dropped EXE
  PID:240
- - C:\Users\Admin\Documents\c5j5c0QGDgQVNhuu0qMQ74q1.exe
    "C:\Users\Admin\Documents\c5j5c0QGDgQVNhuu0qMQ74q1.exe" -q
    3⤵
    - Executes dropped EXE
    PID:2292
- C:\Users\Admin\Documents\SG2hNfyIOWdflyWJKD1EdWpw.exe
  "C:\Users\Admin\Documents\SG2hNfyIOWdflyWJKD1EdWpw.exe"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Users\Admin\Documents\0C01piUpZzijT9W_Xv3if3uy.exe
  "C:\Users\Admin\Documents\0C01piUpZzijT9W_Xv3if3uy.exe"
  2⤵
  - Executes dropped EXE
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "0C01piUpZzijT9W_Xv3if3uy.exe" /f & erase "C:\Users\Admin\Documents\0C01piUpZzijT9W_Xv3if3uy.exe" & exit
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "0C01piUpZzijT9W_Xv3if3uy.exe" /f
      4⤵
      Kills process with taskkill
      PID:2704
- C:\Users\Admin\Documents\twZjRDPUrLRJsrdU_9Mn09_y.exe
  "C:\Users\Admin\Documents\twZjRDPUrLRJsrdU_9Mn09_y.exe"
  2⤵
  - Executes dropped EXE
  PID:1400
- - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    3⤵
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:3892
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:2900
- - C:\Program Files (x86)\Company\NewProduct\customer3.exe
    "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
    3⤵
    PID:2920
- C:\Users\Admin\Documents\VMAdezTAvyqurGwNogekiAab.exe
  "C:\Users\Admin\Documents\VMAdezTAvyqurGwNogekiAab.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\is-EAJ8H.tmp\VMAdezTAvyqurGwNogekiAab.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-EAJ8H.tmp\VMAdezTAvyqurGwNogekiAab.tmp" /SL5="$10176,138429,56832,C:\Users\Admin\Documents\VMAdezTAvyqurGwNogekiAab.exe"
    3⤵
    - Executes dropped EXE
    PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\is-G4HPS.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-G4HPS.tmp\Setup.exe" /Verysilent
      4⤵
      PID:1984
    - - C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"
        5⤵
        
        PID:1108
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im LGCH2-401_2021-08-18_14-40.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im LGCH2-401_2021-08-18_14-40.exe /f
        7⤵
        Kills process with taskkill
        
        PID:3648
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:3492
    - - C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
        5⤵
        
        PID:2864
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629274510 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
        6⤵
        
        PID:3744
    - - C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        5⤵
        
        PID:1016
      - C:\Users\Admin\AppData\Local\Temp\is-020K0.tmp\WEATHER Manager.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-020K0.tmp\WEATHER Manager.tmp" /SL5="$10282,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        6⤵
        
        PID:476
    - - C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        5⤵
        
        PID:616
      - C:\Users\Admin\AppData\Local\Temp\is-KFRHF.tmp\VPN.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KFRHF.tmp\VPN.tmp" /SL5="$10288,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        6⤵
        
        PID:656
    - - C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
        5⤵
        
        PID:556
      - C:\Users\Admin\AppData\Local\Temp\is-UCVRF.tmp\Inlog.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UCVRF.tmp\Inlog.tmp" /SL5="$1027C,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
        6⤵
        
        PID:3008
    - - C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"
        5⤵
        
        PID:2500
    - - C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
        5⤵
        
        PID:852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1324
        6⤵
        Program crash
        
        PID:3448
    - - C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        5⤵
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\is-RLP3J.tmp\MediaBurner2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RLP3J.tmp\MediaBurner2.tmp" /SL5="$20176,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        6⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\is-RQC41.tmp\3377047_logo_media.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RQC41.tmp\3377047_logo_media.exe" /S /UID=burnerch2
        7⤵
        
        PID:3708
        
        C:\Program Files\Windows Mail\IBCFXKOELS\ultramediaburner.exe
        
        "C:\Program Files\Windows Mail\IBCFXKOELS\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\is-SSC5K.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SSC5K.tmp\ultramediaburner.tmp" /SL5="$103D8,281924,62464,C:\Program Files\Windows Mail\IBCFXKOELS\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:280
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\34-08065-dc5-e5d88-bcc0b132433dd\Lelebibaesi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\34-08065-dc5-e5d88-bcc0b132433dd\Lelebibaesi.exe"
        8⤵
        
        PID:2728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        
        PID:3992
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3992 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\260167812.exe
        
        "C:\Users\Admin\AppData\Local\Temp\260167812.exe"
        11⤵
        
        PID:2124
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3992 CREDAT:340994 /prefetch:2
        10⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\e6-306e9-bc8-5cc86-5eeb0eb6f355f\Hishaekujola.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e6-306e9-bc8-5cc86-5eeb0eb6f355f\Hishaekujola.exe"
        8⤵
        
        PID:3352
    - - C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
        5⤵
        
        PID:804
      - C:\Users\Admin\AppData\Roaming\4818658.exe
        
        "C:\Users\Admin\AppData\Roaming\4818658.exe"
        6⤵
        
        PID:1724
      - C:\Users\Admin\AppData\Roaming\5998488.exe
        
        "C:\Users\Admin\AppData\Roaming\5998488.exe"
        6⤵
        
        PID:3028
      - C:\Users\Admin\AppData\Roaming\8951123.exe
        
        "C:\Users\Admin\AppData\Roaming\8951123.exe"
        6⤵
        
        PID:3040
      - C:\Users\Admin\AppData\Roaming\2907842.exe
        
        "C:\Users\Admin\AppData\Roaming\2907842.exe"
        6⤵
        
        PID:3268
    - - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
        5⤵
        
        PID:2300
      - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
        6⤵
        
        PID:3676
    - - C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
        5⤵
        
        PID:688
      - C:\Users\Admin\AppData\Local\Temp\tmpF3D_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF3D_tmp.exe"
        6⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\System32\dllhost.exe"
        7⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
        7⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        8⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
        9⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        Esplorarne.exe.com i
        9⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        10⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        11⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        12⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping MRBKYMNO -n 30
        9⤵
        Runs ping.exe
        
        PID:1776
    - - C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
        5⤵
        
        PID:3096
      - C:\Users\Admin\Documents\HqLjJHDlp16O7fstIWyZ4gME.exe
        
        "C:\Users\Admin\Documents\HqLjJHDlp16O7fstIWyZ4gME.exe"
        6⤵
        
        PID:3524
      - C:\Users\Admin\Documents\KTvSpwR4c2I1J04BSHjsKJtl.exe
        
        "C:\Users\Admin\Documents\KTvSpwR4c2I1J04BSHjsKJtl.exe"
        6⤵
        
        PID:3496
      - C:\Users\Admin\Documents\949vPo5z7m0veFFMj0tFZt9p.exe
        
        "C:\Users\Admin\Documents\949vPo5z7m0veFFMj0tFZt9p.exe"
        6⤵
        
        PID:3592
        
        C:\Users\Admin\Documents\949vPo5z7m0veFFMj0tFZt9p.exe
        
        C:\Users\Admin\Documents\949vPo5z7m0veFFMj0tFZt9p.exe
        7⤵
        
        PID:3312
      - C:\Users\Admin\Documents\zMUGxai64ZwEEMSwuZJPZCiG.exe
        
        "C:\Users\Admin\Documents\zMUGxai64ZwEEMSwuZJPZCiG.exe"
        6⤵
        
        PID:3564
      - C:\Users\Admin\Documents\H_C3eVGXMlIGdKQRG45DJ_pd.exe
        
        "C:\Users\Admin\Documents\H_C3eVGXMlIGdKQRG45DJ_pd.exe"
        6⤵
        
        PID:3608
      - C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe
        
        "C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe"
        6⤵
        
        PID:2780
        
        C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe
        
        C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe
        7⤵
        
        PID:2176
        
        C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe
        
        C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe
        7⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
      - C:\Users\Admin\Documents\IbP9pOc3nDt97jyJEyQbZvr6.exe
        
        "C:\Users\Admin\Documents\IbP9pOc3nDt97jyJEyQbZvr6.exe"
        6⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\is-7GTKH.tmp\IbP9pOc3nDt97jyJEyQbZvr6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7GTKH.tmp\IbP9pOc3nDt97jyJEyQbZvr6.tmp" /SL5="$600E8,138429,56832,C:\Users\Admin\Documents\IbP9pOc3nDt97jyJEyQbZvr6.exe"
        7⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\is-8BBLQ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8BBLQ.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:616
        
        C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
        9⤵
        
        PID:3684
      - C:\Users\Admin\Documents\a1FFXrcFGxZF73Hu5zscXD4r.exe
        
        "C:\Users\Admin\Documents\a1FFXrcFGxZF73Hu5zscXD4r.exe"
        6⤵
        
        PID:3548
      - C:\Users\Admin\Documents\GE2dmPT8XfEH_UMw1T00auvA.exe
        
        "C:\Users\Admin\Documents\GE2dmPT8XfEH_UMw1T00auvA.exe"
        6⤵
        
        PID:3484
      - C:\Users\Admin\Documents\foRa0fxHPD9EhdaaIlFtNFFz.exe
        
        "C:\Users\Admin\Documents\foRa0fxHPD9EhdaaIlFtNFFz.exe"
        6⤵
        
        PID:3212
      - C:\Users\Admin\Documents\pGJzsUdAt52GN2pgFoSzZJJT.exe
        
        "C:\Users\Admin\Documents\pGJzsUdAt52GN2pgFoSzZJJT.exe"
        6⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1320
        7⤵
        Program crash
        
        PID:1108
      - C:\Users\Admin\Documents\pX_fXD6jb5LCobiAUuClcbK_.exe
        
        "C:\Users\Admin\Documents\pX_fXD6jb5LCobiAUuClcbK_.exe"
        6⤵
        
        PID:3372
        
        C:\Users\Admin\Documents\pX_fXD6jb5LCobiAUuClcbK_.exe
        
        C:\Users\Admin\Documents\pX_fXD6jb5LCobiAUuClcbK_.exe
        7⤵
        
        PID:1912
      - C:\Users\Admin\Documents\oXnj1nEmIfsIowiY0yFCLwdb.exe
        
        "C:\Users\Admin\Documents\oXnj1nEmIfsIowiY0yFCLwdb.exe"
        6⤵
        
        PID:3328
        
        C:\Users\Admin\Documents\oXnj1nEmIfsIowiY0yFCLwdb.exe
        
        "C:\Users\Admin\Documents\oXnj1nEmIfsIowiY0yFCLwdb.exe"
        7⤵
        
        PID:3432
      - C:\Users\Admin\Documents\WvjwinKX_TbgBrf9CwDvOgl3.exe
        
        "C:\Users\Admin\Documents\WvjwinKX_TbgBrf9CwDvOgl3.exe"
        6⤵
        
        PID:3844
      - C:\Users\Admin\Documents\Xl5R9NrjUbgABwl_SDhhBA25.exe
        
        "C:\Users\Admin\Documents\Xl5R9NrjUbgABwl_SDhhBA25.exe"
        6⤵
        
        PID:3428
      - C:\Users\Admin\Documents\_4gxVUfXK_s4oHIozMHWidqW.exe
        
        "C:\Users\Admin\Documents\_4gxVUfXK_s4oHIozMHWidqW.exe"
        6⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\2138107.exe
        
        "C:\Users\Admin\AppData\Roaming\2138107.exe"
        7⤵
        
        PID:2816
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2816 -s 1596
        8⤵
        Program crash
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\7896708.exe
        
        "C:\Users\Admin\AppData\Roaming\7896708.exe"
        7⤵
        
        PID:2684
      - C:\Users\Admin\Documents\w35Hs1bL7aCRvsVGNs7YSEj8.exe
        
        "C:\Users\Admin\Documents\w35Hs1bL7aCRvsVGNs7YSEj8.exe"
        6⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "w35Hs1bL7aCRvsVGNs7YSEj8.exe" /f & erase "C:\Users\Admin\Documents\w35Hs1bL7aCRvsVGNs7YSEj8.exe" & exit
        7⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "w35Hs1bL7aCRvsVGNs7YSEj8.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:3756
      - C:\Users\Admin\Documents\Mg0cOmopD33TOr7hTWvfKYtp.exe
        
        "C:\Users\Admin\Documents\Mg0cOmopD33TOr7hTWvfKYtp.exe"
        6⤵
        
        PID:3208
      - C:\Users\Admin\Documents\JdHy1goYOeVLk5Q7kRCgHJSq.exe
        
        "C:\Users\Admin\Documents\JdHy1goYOeVLk5Q7kRCgHJSq.exe"
        6⤵
        
        PID:3920
        
        C:\Users\Admin\Documents\JdHy1goYOeVLk5Q7kRCgHJSq.exe
        
        "C:\Users\Admin\Documents\JdHy1goYOeVLk5Q7kRCgHJSq.exe" -q
        7⤵
        
        PID:3752

C:\Users\Admin\AppData\Local\Temp\is-UCVRF.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UCVRF.tmp\Inlog.tmp" /SL5="$1027C,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
1⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\6DEF.exe
C:\Users\Admin\AppData\Local\Temp\6DEF.exe
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\6DEF.exe
  C:\Users\Admin\AppData\Local\Temp\6DEF.exe
  2⤵
  PID:2960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\b354c246-375e-4735-a329-c440bb06fa99" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1672
- - C:\Users\Admin\AppData\Local\Temp\6DEF.exe
    "C:\Users\Admin\AppData\Local\Temp\6DEF.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\6DEF.exe
      "C:\Users\Admin\AppData\Local\Temp\6DEF.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:2336
    - - C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build2.exe
        
        "C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build2.exe"
        5⤵
        
        PID:2984
      - C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build2.exe
        
        "C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build2.exe"
        6⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 896
        7⤵
        Program crash
        
        PID:2308
    - - C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build3.exe
        
        "C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build3.exe"
        5⤵
        
        PID:2252
      - C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build3.exe
        
        "C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build3.exe"
        6⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:2516

C:\Users\Admin\AppData\Local\Temp\A4B9.exe
C:\Users\Admin\AppData\Local\Temp\A4B9.exe
1⤵
PID:3936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2300
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5C51F3D7E1BA5FD9DB8E0F9100DE0E26 C
  2⤵
  PID:3532
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD6C17516BB663D9A418B257A5C934C2
  2⤵
  PID:1912
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F84231D014F08C564222745E0E03DCBB C
  2⤵
  PID:4944

C:\Users\Admin\AppData\Local\Temp\C822.exe
C:\Users\Admin\AppData\Local\Temp\C822.exe
1⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\2C2.exe
C:\Users\Admin\AppData\Local\Temp\2C2.exe
1⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\9CD0.exe
C:\Users\Admin\AppData\Local\Temp\9CD0.exe
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\kg3CGktBeq.exe
  "C:\Users\Admin\AppData\Local\Temp\kg3CGktBeq.exe"
  2⤵
  PID:368
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9CD0.exe"
  2⤵
  PID:4104
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4492
- C:\Users\Admin\AppData\Local\Temp\ZoiMDjODBS.exe
  "C:\Users\Admin\AppData\Local\Temp\ZoiMDjODBS.exe"
  2⤵
  PID:3560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    3⤵
    PID:4300

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\taskeng.exe
taskeng.exe {5E32E180-3C30-4A79-AFCD-AC355F553CAC} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:916
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:320
- C:\Users\Admin\AppData\Local\b354c246-375e-4735-a329-c440bb06fa99\6DEF.exe
  C:\Users\Admin\AppData\Local\b354c246-375e-4735-a329-c440bb06fa99\6DEF.exe --Task
  2⤵
  PID:4228
- C:\Users\Admin\AppData\Roaming\jchwarj
  C:\Users\Admin\AppData\Roaming\jchwarj
  2⤵
  PID:4264

C:\Users\Admin\AppData\Local\Temp\Setup (15).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (15).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1528
- C:\Users\Admin\Documents\zzBlROWSumAUtKJFkVYWdx9t.exe
  "C:\Users\Admin\Documents\zzBlROWSumAUtKJFkVYWdx9t.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Users\Admin\Documents\e_wZiDZBvI5cI3n5ujHES0Vr.exe
  "C:\Users\Admin\Documents\e_wZiDZBvI5cI3n5ujHES0Vr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- - C:\Users\Admin\AppData\Roaming\5758290.exe
    "C:\Users\Admin\AppData\Roaming\5758290.exe"
    3⤵
    - Executes dropped EXE
    PID:2392
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2392 -s 1740
      4⤵
      Program crash
      PID:2532
- - C:\Users\Admin\AppData\Roaming\6044921.exe
    "C:\Users\Admin\AppData\Roaming\6044921.exe"
    3⤵
    PID:2688
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:2236
- C:\Users\Admin\Documents\Vz5wtW0pBiAoPTjea0cy4FDR.exe
  "C:\Users\Admin\Documents\Vz5wtW0pBiAoPTjea0cy4FDR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Users\Admin\Documents\hh6V5GehBR0eZnYutJsnNTYk.exe
  "C:\Users\Admin\Documents\hh6V5GehBR0eZnYutJsnNTYk.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Users\Admin\Documents\aUGmA5GhTyRz_LmYeXskwDvq.exe
  "C:\Users\Admin\Documents\aUGmA5GhTyRz_LmYeXskwDvq.exe"
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Users\Admin\Documents\Bia420ugUKri_wnCTfXHntNi.exe
  "C:\Users\Admin\Documents\Bia420ugUKri_wnCTfXHntNi.exe"
  2⤵
  - Executes dropped EXE
  PID:1264
- - C:\Users\Admin\Documents\Bia420ugUKri_wnCTfXHntNi.exe
    C:\Users\Admin\Documents\Bia420ugUKri_wnCTfXHntNi.exe
    3⤵
    PID:3056
- C:\Users\Admin\Documents\jN3XFLlLGgPGNK0obRdDDXkr.exe
  "C:\Users\Admin\Documents\jN3XFLlLGgPGNK0obRdDDXkr.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1036
- C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe
  "C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe"
  2⤵
  - Executes dropped EXE
  PID:1656
- - C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe
    C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe
    3⤵
    PID:3036
- - C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe
    C:\Users\Admin\Documents\UBOkY2WTZJNSaNvgEjQ204Gi.exe
    3⤵
    PID:2168
- C:\Users\Admin\Documents\qwOSNLCcAkt3lGTqdoRjNIUZ.exe
  "C:\Users\Admin\Documents\qwOSNLCcAkt3lGTqdoRjNIUZ.exe"
  2⤵
  - Executes dropped EXE
  PID:544
- - C:\Users\Admin\Documents\qwOSNLCcAkt3lGTqdoRjNIUZ.exe
    "C:\Users\Admin\Documents\qwOSNLCcAkt3lGTqdoRjNIUZ.exe"
    3⤵
    PID:4076
- C:\Users\Admin\Documents\7A_laG0YRHZc9UDiTtzvDv1f.exe
  "C:\Users\Admin\Documents\7A_laG0YRHZc9UDiTtzvDv1f.exe"
  2⤵
  - Executes dropped EXE
  PID:1512
- - C:\Users\Admin\Documents\7A_laG0YRHZc9UDiTtzvDv1f.exe
    C:\Users\Admin\Documents\7A_laG0YRHZc9UDiTtzvDv1f.exe
    3⤵
    PID:3028
- C:\Users\Admin\Documents\FyBOjPNRsEmu9hyyka17XgpS.exe
  "C:\Users\Admin\Documents\FyBOjPNRsEmu9hyyka17XgpS.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Users\Admin\Documents\7QDDf6tiHk6uopv5DEZYIjap.exe
  "C:\Users\Admin\Documents\7QDDf6tiHk6uopv5DEZYIjap.exe"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Users\Admin\Documents\llQj5weywNSNnTe2YDxVN6RI.exe
  "C:\Users\Admin\Documents\llQj5weywNSNnTe2YDxVN6RI.exe"
  2⤵
  - Executes dropped EXE
  PID:1104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 888
    3⤵
    - Program crash
    PID:3656
- C:\Users\Admin\Documents\ITCvR79WOX9SjcIxlSzUHSef.exe
  "C:\Users\Admin\Documents\ITCvR79WOX9SjcIxlSzUHSef.exe"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Users\Admin\Documents\c5j5c0QGDgQVNhuu0qMQ74q1.exe
  "C:\Users\Admin\Documents\c5j5c0QGDgQVNhuu0qMQ74q1.exe"
  2⤵
  - Executes dropped EXE
  PID:240
- - C:\Users\Admin\Documents\c5j5c0QGDgQVNhuu0qMQ74q1.exe
    "C:\Users\Admin\Documents\c5j5c0QGDgQVNhuu0qMQ74q1.exe" -q
    3⤵
    - Executes dropped EXE
    PID:2292
- C:\Users\Admin\Documents\SG2hNfyIOWdflyWJKD1EdWpw.exe
  "C:\Users\Admin\Documents\SG2hNfyIOWdflyWJKD1EdWpw.exe"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Users\Admin\Documents\0C01piUpZzijT9W_Xv3if3uy.exe
  "C:\Users\Admin\Documents\0C01piUpZzijT9W_Xv3if3uy.exe"
  2⤵
  - Executes dropped EXE
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "0C01piUpZzijT9W_Xv3if3uy.exe" /f & erase "C:\Users\Admin\Documents\0C01piUpZzijT9W_Xv3if3uy.exe" & exit
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "0C01piUpZzijT9W_Xv3if3uy.exe" /f
      4⤵
      Kills process with taskkill
      PID:2704
- C:\Users\Admin\Documents\twZjRDPUrLRJsrdU_9Mn09_y.exe
  "C:\Users\Admin\Documents\twZjRDPUrLRJsrdU_9Mn09_y.exe"
  2⤵
  - Executes dropped EXE
  PID:1400
- - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    3⤵
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:3892
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:2900
- - C:\Program Files (x86)\Company\NewProduct\customer3.exe
    "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
    3⤵
    PID:2920
- C:\Users\Admin\Documents\VMAdezTAvyqurGwNogekiAab.exe
  "C:\Users\Admin\Documents\VMAdezTAvyqurGwNogekiAab.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\is-EAJ8H.tmp\VMAdezTAvyqurGwNogekiAab.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-EAJ8H.tmp\VMAdezTAvyqurGwNogekiAab.tmp" /SL5="$10176,138429,56832,C:\Users\Admin\Documents\VMAdezTAvyqurGwNogekiAab.exe"
    3⤵
    - Executes dropped EXE
    PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\is-G4HPS.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-G4HPS.tmp\Setup.exe" /Verysilent
      4⤵
      PID:1984
    - - C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"
        5⤵
        
        PID:1108
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im LGCH2-401_2021-08-18_14-40.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im LGCH2-401_2021-08-18_14-40.exe /f
        7⤵
        Kills process with taskkill
        
        PID:3648
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:3492
    - - C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
        5⤵
        
        PID:2864
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629274510 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
        6⤵
        
        PID:3744
    - - C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        5⤵
        
        PID:1016
      - C:\Users\Admin\AppData\Local\Temp\is-020K0.tmp\WEATHER Manager.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-020K0.tmp\WEATHER Manager.tmp" /SL5="$10282,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        6⤵
        
        PID:476
    - - C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        5⤵
        
        PID:616
      - C:\Users\Admin\AppData\Local\Temp\is-KFRHF.tmp\VPN.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KFRHF.tmp\VPN.tmp" /SL5="$10288,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        6⤵
        
        PID:656
    - - C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
        5⤵
        
        PID:556
    - - C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"
        5⤵
        
        PID:2500
    - - C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
        5⤵
        
        PID:852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1324
        6⤵
        Program crash
        
        PID:3448
    - - C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        5⤵
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\is-RLP3J.tmp\MediaBurner2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RLP3J.tmp\MediaBurner2.tmp" /SL5="$20176,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        6⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\is-RQC41.tmp\3377047_logo_media.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RQC41.tmp\3377047_logo_media.exe" /S /UID=burnerch2
        7⤵
        
        PID:3708
        
        C:\Program Files\Windows Mail\IBCFXKOELS\ultramediaburner.exe
        
        "C:\Program Files\Windows Mail\IBCFXKOELS\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\is-SSC5K.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SSC5K.tmp\ultramediaburner.tmp" /SL5="$103D8,281924,62464,C:\Program Files\Windows Mail\IBCFXKOELS\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:280
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\34-08065-dc5-e5d88-bcc0b132433dd\Lelebibaesi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\34-08065-dc5-e5d88-bcc0b132433dd\Lelebibaesi.exe"
        8⤵
        
        PID:2728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        
        PID:3992
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3992 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\260167812.exe
        
        "C:\Users\Admin\AppData\Local\Temp\260167812.exe"
        11⤵
        
        PID:2124
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3992 CREDAT:340994 /prefetch:2
        10⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\e6-306e9-bc8-5cc86-5eeb0eb6f355f\Hishaekujola.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e6-306e9-bc8-5cc86-5eeb0eb6f355f\Hishaekujola.exe"
        8⤵
        
        PID:3352
    - - C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
        5⤵
        
        PID:804
      - C:\Users\Admin\AppData\Roaming\4818658.exe
        
        "C:\Users\Admin\AppData\Roaming\4818658.exe"
        6⤵
        
        PID:1724
      - C:\Users\Admin\AppData\Roaming\5998488.exe
        
        "C:\Users\Admin\AppData\Roaming\5998488.exe"
        6⤵
        
        PID:3028
      - C:\Users\Admin\AppData\Roaming\8951123.exe
        
        "C:\Users\Admin\AppData\Roaming\8951123.exe"
        6⤵
        
        PID:3040
      - C:\Users\Admin\AppData\Roaming\2907842.exe
        
        "C:\Users\Admin\AppData\Roaming\2907842.exe"
        6⤵
        
        PID:3268
    - - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
        5⤵
        
        PID:2300
      - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
        6⤵
        
        PID:3676
    - - C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
        5⤵
        
        PID:688
      - C:\Users\Admin\AppData\Local\Temp\tmpF3D_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF3D_tmp.exe"
        6⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\System32\dllhost.exe"
        7⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
        7⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        8⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
        9⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        Esplorarne.exe.com i
        9⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        10⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        11⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        12⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping MRBKYMNO -n 30
        9⤵
        Runs ping.exe
        
        PID:1776
    - - C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
        5⤵
        
        PID:3096
      - C:\Users\Admin\Documents\HqLjJHDlp16O7fstIWyZ4gME.exe
        
        "C:\Users\Admin\Documents\HqLjJHDlp16O7fstIWyZ4gME.exe"
        6⤵
        
        PID:3524
      - C:\Users\Admin\Documents\KTvSpwR4c2I1J04BSHjsKJtl.exe
        
        "C:\Users\Admin\Documents\KTvSpwR4c2I1J04BSHjsKJtl.exe"
        6⤵
        
        PID:3496
      - C:\Users\Admin\Documents\949vPo5z7m0veFFMj0tFZt9p.exe
        
        "C:\Users\Admin\Documents\949vPo5z7m0veFFMj0tFZt9p.exe"
        6⤵
        
        PID:3592
        
        C:\Users\Admin\Documents\949vPo5z7m0veFFMj0tFZt9p.exe
        
        C:\Users\Admin\Documents\949vPo5z7m0veFFMj0tFZt9p.exe
        7⤵
        
        PID:3312
      - C:\Users\Admin\Documents\zMUGxai64ZwEEMSwuZJPZCiG.exe
        
        "C:\Users\Admin\Documents\zMUGxai64ZwEEMSwuZJPZCiG.exe"
        6⤵
        
        PID:3564
      - C:\Users\Admin\Documents\H_C3eVGXMlIGdKQRG45DJ_pd.exe
        
        "C:\Users\Admin\Documents\H_C3eVGXMlIGdKQRG45DJ_pd.exe"
        6⤵
        
        PID:3608
      - C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe
        
        "C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe"
        6⤵
        
        PID:2780
        
        C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe
        
        C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe
        7⤵
        
        PID:2176
        
        C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe
        
        C:\Users\Admin\Documents\ItWAr5S2pUv8PTeLhZuqzMVM.exe
        7⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
      - C:\Users\Admin\Documents\IbP9pOc3nDt97jyJEyQbZvr6.exe
        
        "C:\Users\Admin\Documents\IbP9pOc3nDt97jyJEyQbZvr6.exe"
        6⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\is-7GTKH.tmp\IbP9pOc3nDt97jyJEyQbZvr6.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7GTKH.tmp\IbP9pOc3nDt97jyJEyQbZvr6.tmp" /SL5="$600E8,138429,56832,C:\Users\Admin\Documents\IbP9pOc3nDt97jyJEyQbZvr6.exe"
        7⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\is-8BBLQ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8BBLQ.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:616
        
        C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
        9⤵
        
        PID:3684
      - C:\Users\Admin\Documents\a1FFXrcFGxZF73Hu5zscXD4r.exe
        
        "C:\Users\Admin\Documents\a1FFXrcFGxZF73Hu5zscXD4r.exe"
        6⤵
        
        PID:3548
      - C:\Users\Admin\Documents\GE2dmPT8XfEH_UMw1T00auvA.exe
        
        "C:\Users\Admin\Documents\GE2dmPT8XfEH_UMw1T00auvA.exe"
        6⤵
        
        PID:3484
      - C:\Users\Admin\Documents\foRa0fxHPD9EhdaaIlFtNFFz.exe
        
        "C:\Users\Admin\Documents\foRa0fxHPD9EhdaaIlFtNFFz.exe"
        6⤵
        
        PID:3212
      - C:\Users\Admin\Documents\pGJzsUdAt52GN2pgFoSzZJJT.exe
        
        "C:\Users\Admin\Documents\pGJzsUdAt52GN2pgFoSzZJJT.exe"
        6⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1320
        7⤵
        Program crash
        
        PID:1108
      - C:\Users\Admin\Documents\pX_fXD6jb5LCobiAUuClcbK_.exe
        
        "C:\Users\Admin\Documents\pX_fXD6jb5LCobiAUuClcbK_.exe"
        6⤵
        
        PID:3372
        
        C:\Users\Admin\Documents\pX_fXD6jb5LCobiAUuClcbK_.exe
        
        C:\Users\Admin\Documents\pX_fXD6jb5LCobiAUuClcbK_.exe
        7⤵
        
        PID:1912
      - C:\Users\Admin\Documents\oXnj1nEmIfsIowiY0yFCLwdb.exe
        
        "C:\Users\Admin\Documents\oXnj1nEmIfsIowiY0yFCLwdb.exe"
        6⤵
        
        PID:3328
        
        C:\Users\Admin\Documents\oXnj1nEmIfsIowiY0yFCLwdb.exe
        
        "C:\Users\Admin\Documents\oXnj1nEmIfsIowiY0yFCLwdb.exe"
        7⤵
        
        PID:3432
      - C:\Users\Admin\Documents\WvjwinKX_TbgBrf9CwDvOgl3.exe
        
        "C:\Users\Admin\Documents\WvjwinKX_TbgBrf9CwDvOgl3.exe"
        6⤵
        
        PID:3844
      - C:\Users\Admin\Documents\Xl5R9NrjUbgABwl_SDhhBA25.exe
        
        "C:\Users\Admin\Documents\Xl5R9NrjUbgABwl_SDhhBA25.exe"
        6⤵
        
        PID:3428
      - C:\Users\Admin\Documents\_4gxVUfXK_s4oHIozMHWidqW.exe
        
        "C:\Users\Admin\Documents\_4gxVUfXK_s4oHIozMHWidqW.exe"
        6⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\2138107.exe
        
        "C:\Users\Admin\AppData\Roaming\2138107.exe"
        7⤵
        
        PID:2816
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2816 -s 1596
        8⤵
        Program crash
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\7896708.exe
        
        "C:\Users\Admin\AppData\Roaming\7896708.exe"
        7⤵
        
        PID:2684
      - C:\Users\Admin\Documents\w35Hs1bL7aCRvsVGNs7YSEj8.exe
        
        "C:\Users\Admin\Documents\w35Hs1bL7aCRvsVGNs7YSEj8.exe"
        6⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "w35Hs1bL7aCRvsVGNs7YSEj8.exe" /f & erase "C:\Users\Admin\Documents\w35Hs1bL7aCRvsVGNs7YSEj8.exe" & exit
        7⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "w35Hs1bL7aCRvsVGNs7YSEj8.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:3756
      - C:\Users\Admin\Documents\Mg0cOmopD33TOr7hTWvfKYtp.exe
        
        "C:\Users\Admin\Documents\Mg0cOmopD33TOr7hTWvfKYtp.exe"
        6⤵
        
        PID:3208
      - C:\Users\Admin\Documents\JdHy1goYOeVLk5Q7kRCgHJSq.exe
        
        "C:\Users\Admin\Documents\JdHy1goYOeVLk5Q7kRCgHJSq.exe"
        6⤵
        
        PID:3920
        
        C:\Users\Admin\Documents\JdHy1goYOeVLk5Q7kRCgHJSq.exe
        
        "C:\Users\Admin\Documents\JdHy1goYOeVLk5Q7kRCgHJSq.exe" -q
        7⤵
        
        PID:3752

C:\Users\Admin\AppData\Local\Temp\6DEF.exe
C:\Users\Admin\AppData\Local\Temp\6DEF.exe
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\6DEF.exe
  C:\Users\Admin\AppData\Local\Temp\6DEF.exe
  2⤵
  PID:2960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\b354c246-375e-4735-a329-c440bb06fa99" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1672
- - C:\Users\Admin\AppData\Local\Temp\6DEF.exe
    "C:\Users\Admin\AppData\Local\Temp\6DEF.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\6DEF.exe
      "C:\Users\Admin\AppData\Local\Temp\6DEF.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:2336
    - - C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build2.exe
        
        "C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build2.exe"
        5⤵
        
        PID:2984
      - C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build2.exe
        
        "C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build2.exe"
        6⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 896
        7⤵
        Program crash
        
        PID:2308
    - - C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build3.exe
        
        "C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build3.exe"
        5⤵
        
        PID:2252
      - C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build3.exe
        
        "C:\Users\Admin\AppData\Local\81db7b04-a5e0-409c-b1e0-280e5bb86de4\build3.exe"
        6⤵
        
        PID:2284

C:\Users\Admin\AppData\Local\Temp\A4B9.exe
C:\Users\Admin\AppData\Local\Temp\A4B9.exe
1⤵
PID:3936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2300
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5C51F3D7E1BA5FD9DB8E0F9100DE0E26 C
  2⤵
  PID:3532
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD6C17516BB663D9A418B257A5C934C2
  2⤵
  PID:1912
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F84231D014F08C564222745E0E03DCBB C
  2⤵
  PID:4944

C:\Users\Admin\AppData\Local\Temp\C822.exe
C:\Users\Admin\AppData\Local\Temp\C822.exe
1⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\2C2.exe
C:\Users\Admin\AppData\Local\Temp\2C2.exe
1⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\9CD0.exe
C:\Users\Admin\AppData\Local\Temp\9CD0.exe
1⤵
PID:3644
- C:\Users\Admin\AppData\Local\Temp\kg3CGktBeq.exe
  "C:\Users\Admin\AppData\Local\Temp\kg3CGktBeq.exe"
  2⤵
  PID:368
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9CD0.exe"
  2⤵
  PID:4104
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4492
- C:\Users\Admin\AppData\Local\Temp\ZoiMDjODBS.exe
  "C:\Users\Admin\AppData\Local\Temp\ZoiMDjODBS.exe"
  2⤵
  PID:3560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    3⤵
    PID:4300

C:\Windows\system32\taskeng.exe
taskeng.exe {5E32E180-3C30-4A79-AFCD-AC355F553CAC} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:916
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:320
- C:\Users\Admin\AppData\Local\b354c246-375e-4735-a329-c440bb06fa99\6DEF.exe
  C:\Users\Admin\AppData\Local\b354c246-375e-4735-a329-c440bb06fa99\6DEF.exe --Task
  2⤵
  PID:4228
- C:\Users\Admin\AppData\Roaming\jchwarj
  C:\Users\Admin\AppData\Roaming\jchwarj
  2⤵
  PID:4264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery