redline | 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3555919.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7719473.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7719473.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3555919.exe

Loads dropped DLL 32 IoCs

pid	Process
5016	setup_install.exe
5016	setup_install.exe
5016	setup_install.exe
5016	setup_install.exe
5016	setup_install.exe
1200	Tue11b9d76a96506.tmp
5916	setup_2.tmp
4780	rundll32.exe
3328	setup_2.tmp
1872	rundll32.exe
3212	installer.exe
3212	installer.exe
3212	installer.exe
5056	rundll32.exe
5424	MsiExec.exe
5424	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
3212	installer.exe
2644	MsiExec.exe
2644	MsiExec.exe
1444	MsiExec.exe
1444	MsiExec.exe
2644	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral5/files/0x000500000002b1ca-305.dat	themida
behavioral5/files/0x000500000002b1ca-316.dat	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	8602585.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Lumipaelewe.exe\""	GcleanerEU.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3555919.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7719473.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5724	3555919.exe
5284	7719473.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 724 set thread context of 2600	724	Tue11e4e580f2e8141a3.exe	105
PID 724 set thread context of 5564	724	Tue11e4e580f2e8141a3.exe	123
PID 724 set thread context of 6116	724	Tue11e4e580f2e8141a3.exe	132
PID 724 set thread context of 3656	724	Tue11e4e580f2e8141a3.exe	146
PID 724 set thread context of 4764	724	Tue11e4e580f2e8141a3.exe	153
PID 724 set thread context of 4296	724	Tue11e4e580f2e8141a3.exe	157
PID 724 set thread context of 5584	724	Tue11e4e580f2e8141a3.exe	158
PID 724 set thread context of 5468	724	Tue11e4e580f2e8141a3.exe	162
PID 724 set thread context of 5308	724	Tue11e4e580f2e8141a3.exe	167
PID 724 set thread context of 5472	724	Tue11e4e580f2e8141a3.exe	176
PID 724 set thread context of 4736	724	Tue11e4e580f2e8141a3.exe	182
PID 724 set thread context of 828	724	Tue11e4e580f2e8141a3.exe	187
PID 724 set thread context of 4744	724	Tue11e4e580f2e8141a3.exe	188
PID 724 set thread context of 6044	724	Tue11e4e580f2e8141a3.exe	190
PID 724 set thread context of 5616	724	Tue11e4e580f2e8141a3.exe	203
PID 724 set thread context of 2220	724	Tue11e4e580f2e8141a3.exe	217
PID 724 set thread context of 5732	724	Tue11e4e580f2e8141a3.exe	224
PID 724 set thread context of 3900	724	Tue11e4e580f2e8141a3.exe	228
PID 724 set thread context of 4644	724	Tue11e4e580f2e8141a3.exe	235
PID 724 set thread context of 1040	724	Tue11e4e580f2e8141a3.exe	236
PID 2404 set thread context of 5400	2404	services64.exe	244
PID 724 set thread context of 5024	724	Tue11e4e580f2e8141a3.exe	245
PID 724 set thread context of 2820	724	Tue11e4e580f2e8141a3.exe	247
PID 724 set thread context of 6208	724	Tue11e4e580f2e8141a3.exe	251
PID 724 set thread context of 6784	724	Tue11e4e580f2e8141a3.exe	252
PID 724 set thread context of 6404	724	Tue11e4e580f2e8141a3.exe	256
PID 724 set thread context of 6912	724	Tue11e4e580f2e8141a3.exe	257
PID 724 set thread context of 6536	724	Tue11e4e580f2e8141a3.exe	260
PID 724 set thread context of 3160	724	Tue11e4e580f2e8141a3.exe	261
PID 724 set thread context of 1364	724	Tue11e4e580f2e8141a3.exe	263
PID 724 set thread context of 6576	724	Tue11e4e580f2e8141a3.exe	266
PID 724 set thread context of 6200	724	Tue11e4e580f2e8141a3.exe	268
PID 724 set thread context of 6604	724	Tue11e4e580f2e8141a3.exe	269
PID 724 set thread context of 2028	724	Tue11e4e580f2e8141a3.exe	271
PID 724 set thread context of 6572	724	Tue11e4e580f2e8141a3.exe	272
PID 724 set thread context of 2012	724	Tue11e4e580f2e8141a3.exe	273
PID 724 set thread context of 6076	724	Tue11e4e580f2e8141a3.exe	274
PID 724 set thread context of 6400	724	Tue11e4e580f2e8141a3.exe	276
PID 724 set thread context of 6716	724	Tue11e4e580f2e8141a3.exe	277
PID 724 set thread context of 4068	724	Tue11e4e580f2e8141a3.exe	279
PID 724 set thread context of 3204	724	Tue11e4e580f2e8141a3.exe	281
PID 724 set thread context of 5220	724	Tue11e4e580f2e8141a3.exe	283
PID 724 set thread context of 2836	724	Tue11e4e580f2e8141a3.exe	284
PID 724 set thread context of 6840	724	Tue11e4e580f2e8141a3.exe	285
PID 724 set thread context of 6748	724	Tue11e4e580f2e8141a3.exe	289
PID 724 set thread context of 4376	724	Tue11e4e580f2e8141a3.exe	292
PID 724 set thread context of 6300	724	Tue11e4e580f2e8141a3.exe	293
PID 724 set thread context of 6640	724	Tue11e4e580f2e8141a3.exe	294
PID 724 set thread context of 5008	724	Tue11e4e580f2e8141a3.exe	295
PID 724 set thread context of 5044	724	Tue11e4e580f2e8141a3.exe	297
PID 724 set thread context of 1672	724	Tue11e4e580f2e8141a3.exe	300
PID 724 set thread context of 6624	724	Tue11e4e580f2e8141a3.exe	301
PID 724 set thread context of 6348	724	Tue11e4e580f2e8141a3.exe	304
PID 724 set thread context of 4724	724	Tue11e4e580f2e8141a3.exe	305
PID 724 set thread context of 3252	724	Tue11e4e580f2e8141a3.exe	306
PID 724 set thread context of 5100	724	Tue11e4e580f2e8141a3.exe	310
PID 724 set thread context of 6544	724	Tue11e4e580f2e8141a3.exe	312
PID 724 set thread context of 6448	724	Tue11e4e580f2e8141a3.exe	313
PID 724 set thread context of 4968	724	Tue11e4e580f2e8141a3.exe	314
PID 724 set thread context of 6752	724	Tue11e4e580f2e8141a3.exe	315
PID 724 set thread context of 7128	724	Tue11e4e580f2e8141a3.exe	316
PID 724 set thread context of 3084	724	Tue11e4e580f2e8141a3.exe	317
PID 724 set thread context of 3988	724	Tue11e4e580f2e8141a3.exe	318
PID 724 set thread context of 3600	724	Tue11e4e580f2e8141a3.exe	320

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\is-NN3I8.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Lumipaelewe.exe	GcleanerEU.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files\MSBuild\DTJQVCDAZX\ultramediaburner.exe	GcleanerEU.exe
File created	C:\Program Files\MSBuild\DTJQVCDAZX\ultramediaburner.exe.config	GcleanerEU.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-LL8NJ.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-QQVB5.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Lumipaelewe.exe.config	GcleanerEU.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f74bde7.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE368.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE54D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDAA1B1229DD9C711.TMP	msiexec.exe
File created	C:\Windows\Tasks\AdvancedWindowsManager #1.job	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIECF2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF503.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC00A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC645.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBE5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID127.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74bde7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC85A.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC4A8EBB21FFE8B66.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB0D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC450.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID00C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE89B.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA526EF3C6F79BD6F.TMP	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA92C4A82B500C6C4.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 25 IoCs

pid	pid_target	Process	procid_target
1100	3728	WerFault.exe	95
2916	4640	WerFault.exe	100
3008	5068	WerFault.exe	104
5556	4780	WerFault.exe	137
5804	1552	WerFault.exe	103
2916	5404	WerFault.exe	121
3804	5316	WerFault.exe	119
4640	1872	WerFault.exe	160
568	3896	WerFault.exe	113
1176	5384	WerFault.exe	138
3448	5960	WerFault.exe	148
5748	5628	WerFault.exe	156
3124	5136	WerFault.exe	192
2964	5056	WerFault.exe	221
6072	6132	WerFault.exe	218
2512	3160	WerFault.exe	261
7100	5008	WerFault.exe	295
2608	1672	WerFault.exe	300
6648	6700	WerFault.exe	332
5484	6952	WerFault.exe	355
2208	3252	WerFault.exe	368
3624	2916	WerFault.exe	381
4856	5844	WerFault.exe	394
832	3164	WerFault.exe	402
5128	1412	WerFault.exe	408

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5340	schtasks.exe
1904	schtasks.exe

Enumerates system info in registry 2 TTPs 51 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5572	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\8\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4744	powershell.exe
4744	powershell.exe
4744	Tue11e4e580f2e8141a3.exe
1100	WerFault.exe
1100	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
5556	WerFault.exe
5556	WerFault.exe
5804	WerFault.exe
5804	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
3804	WerFault.exe
3804	WerFault.exe
3328	setup_2.tmp
3328	setup_2.tmp
3896	msedge.exe
3896	msedge.exe
4640	WerFault.exe
4640	WerFault.exe
568	WerFault.exe
568	WerFault.exe
5384	5589927.exe
5384	5589927.exe
5960	3032026.exe
5960	3032026.exe
1176	WerFault.exe
1176	WerFault.exe
5628	msedge.exe
5628	msedge.exe
2560	ultramediaburner.tmp
2560	ultramediaburner.tmp
5148	Chrome 5.exe
5148	Chrome 5.exe
3448	WerFault.exe
3448	WerFault.exe
5748	WerFault.exe
5748	WerFault.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe
5900	Dijaejefaena.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4040	WinHoster.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	Tue11f251db82fb7b.exe
Token: SeCreateTokenPrivilege	1552	Tue118f55232e4.exe
Token: SeAssignPrimaryTokenPrivilege	1552	Tue118f55232e4.exe
Token: SeLockMemoryPrivilege	1552	Tue118f55232e4.exe
Token: SeIncreaseQuotaPrivilege	1552	Tue118f55232e4.exe
Token: SeMachineAccountPrivilege	1552	Tue118f55232e4.exe
Token: SeTcbPrivilege	1552	Tue118f55232e4.exe
Token: SeSecurityPrivilege	1552	Tue118f55232e4.exe
Token: SeTakeOwnershipPrivilege	1552	Tue118f55232e4.exe
Token: SeLoadDriverPrivilege	1552	Tue118f55232e4.exe
Token: SeSystemProfilePrivilege	1552	Tue118f55232e4.exe
Token: SeSystemtimePrivilege	1552	Tue118f55232e4.exe
Token: SeProfSingleProcessPrivilege	1552	Tue118f55232e4.exe
Token: SeIncBasePriorityPrivilege	1552	Tue118f55232e4.exe
Token: SeCreatePagefilePrivilege	1552	Tue118f55232e4.exe
Token: SeCreatePermanentPrivilege	1552	Tue118f55232e4.exe
Token: SeBackupPrivilege	1552	Tue118f55232e4.exe
Token: SeRestorePrivilege	1552	Tue118f55232e4.exe
Token: SeShutdownPrivilege	1552	Tue118f55232e4.exe
Token: SeDebugPrivilege	1552	Tue118f55232e4.exe
Token: SeAuditPrivilege	1552	Tue118f55232e4.exe
Token: SeSystemEnvironmentPrivilege	1552	Tue118f55232e4.exe
Token: SeChangeNotifyPrivilege	1552	Tue118f55232e4.exe
Token: SeRemoteShutdownPrivilege	1552	Tue118f55232e4.exe
Token: SeUndockPrivilege	1552	Tue118f55232e4.exe
Token: SeSyncAgentPrivilege	1552	Tue118f55232e4.exe
Token: SeEnableDelegationPrivilege	1552	Tue118f55232e4.exe
Token: SeManageVolumePrivilege	1552	Tue118f55232e4.exe
Token: SeImpersonatePrivilege	1552	Tue118f55232e4.exe
Token: SeCreateGlobalPrivilege	1552	Tue118f55232e4.exe
Token: 31	1552	Tue118f55232e4.exe
Token: 32	1552	Tue118f55232e4.exe
Token: 33	1552	Tue118f55232e4.exe
Token: 34	1552	Tue118f55232e4.exe
Token: 35	1552	Tue118f55232e4.exe
Token: SeDebugPrivilege	4836	Tue11141271fbe5877f.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeRestorePrivilege	2916	WerFault.exe
Token: SeBackupPrivilege	2916	WerFault.exe
Token: SeBackupPrivilege	2916	WerFault.exe
Token: SeDebugPrivilege	5404	2.exe
Token: SeDebugPrivilege	5248	WerFault.exe
Token: SeDebugPrivilege	3896	msedge.exe
Token: SeDebugPrivilege	4264	BearVpn 3.exe
Token: SeDebugPrivilege	5960	3032026.exe
Token: SeDebugPrivilege	5384	5589927.exe
Token: SeDebugPrivilege	5628	msedge.exe
Token: SeDebugPrivilege	5136	GcleanerEU.exe
Token: SeIncreaseQuotaPrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeSecurityPrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeTakeOwnershipPrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeLoadDriverPrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeSystemProfilePrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeSystemtimePrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeProfSingleProcessPrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeIncBasePriorityPrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeCreatePagefilePrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeBackupPrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeRestorePrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeShutdownPrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeDebugPrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeSystemEnvironmentPrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeRemoteShutdownPrivilege	4744	Tue11e4e580f2e8141a3.exe
Token: SeUndockPrivilege	4744	Tue11e4e580f2e8141a3.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3328	setup_2.tmp
2560	ultramediaburner.tmp
3212	installer.exe
5340	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3668	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 3640	4852	setup_x86_x64_install.exe	77
PID 4852 wrote to memory of 3640	4852	setup_x86_x64_install.exe	77
PID 4852 wrote to memory of 3640	4852	setup_x86_x64_install.exe	77
PID 3640 wrote to memory of 5016	3640	setup_installer.exe	79
PID 3640 wrote to memory of 5016	3640	setup_installer.exe	79
PID 3640 wrote to memory of 5016	3640	setup_installer.exe	79
PID 5016 wrote to memory of 5036	5016	setup_install.exe	84
PID 5016 wrote to memory of 5036	5016	setup_install.exe	84
PID 5016 wrote to memory of 5036	5016	setup_install.exe	84
PID 5016 wrote to memory of 4492	5016	setup_install.exe	85
PID 5016 wrote to memory of 4492	5016	setup_install.exe	85
PID 5016 wrote to memory of 4492	5016	setup_install.exe	85
PID 5016 wrote to memory of 5052	5016	setup_install.exe	86
PID 5016 wrote to memory of 5052	5016	setup_install.exe	86
PID 5016 wrote to memory of 5052	5016	setup_install.exe	86
PID 5016 wrote to memory of 3860	5016	setup_install.exe	98
PID 5016 wrote to memory of 3860	5016	setup_install.exe	98
PID 5016 wrote to memory of 3860	5016	setup_install.exe	98
PID 5016 wrote to memory of 2404	5016	setup_install.exe	87
PID 5016 wrote to memory of 2404	5016	setup_install.exe	87
PID 5016 wrote to memory of 2404	5016	setup_install.exe	87
PID 5016 wrote to memory of 4916	5016	setup_install.exe	88
PID 5016 wrote to memory of 4916	5016	setup_install.exe	88
PID 5016 wrote to memory of 4916	5016	setup_install.exe	88
PID 3860 wrote to memory of 3884	3860	cmd.exe	97
PID 3860 wrote to memory of 3884	3860	cmd.exe	97
PID 5016 wrote to memory of 2816	5016	setup_install.exe	89
PID 5016 wrote to memory of 2816	5016	setup_install.exe	89
PID 5016 wrote to memory of 2816	5016	setup_install.exe	89
PID 5016 wrote to memory of 4804	5016	setup_install.exe	90
PID 5016 wrote to memory of 4804	5016	setup_install.exe	90
PID 5016 wrote to memory of 4804	5016	setup_install.exe	90
PID 4492 wrote to memory of 4764	4492	cmd.exe	96
PID 4492 wrote to memory of 4764	4492	cmd.exe	96
PID 4492 wrote to memory of 4764	4492	cmd.exe	96
PID 5036 wrote to memory of 4744	5036	cmd.exe	91
PID 5036 wrote to memory of 4744	5036	cmd.exe	91
PID 5036 wrote to memory of 4744	5036	cmd.exe	91
PID 5016 wrote to memory of 884	5016	setup_install.exe	92
PID 5016 wrote to memory of 884	5016	setup_install.exe	92
PID 5016 wrote to memory of 884	5016	setup_install.exe	92
PID 5052 wrote to memory of 4984	5052	cmd.exe	93
PID 5052 wrote to memory of 4984	5052	cmd.exe	93
PID 5052 wrote to memory of 4984	5052	cmd.exe	93
PID 5016 wrote to memory of 4792	5016	setup_install.exe	94
PID 5016 wrote to memory of 4792	5016	setup_install.exe	94
PID 5016 wrote to memory of 4792	5016	setup_install.exe	94
PID 2404 wrote to memory of 3728	2404	cmd.exe	95
PID 2404 wrote to memory of 3728	2404	cmd.exe	95
PID 2404 wrote to memory of 3728	2404	cmd.exe	95
PID 4916 wrote to memory of 4640	4916	cmd.exe	100
PID 4916 wrote to memory of 4640	4916	cmd.exe	100
PID 4916 wrote to memory of 4640	4916	cmd.exe	100
PID 2816 wrote to memory of 724	2816	cmd.exe	99
PID 2816 wrote to memory of 724	2816	cmd.exe	99
PID 2816 wrote to memory of 724	2816	cmd.exe	99
PID 4984 wrote to memory of 1200	4984	Tue11b9d76a96506.exe	101
PID 4984 wrote to memory of 1200	4984	Tue11b9d76a96506.exe	101
PID 4984 wrote to memory of 1200	4984	Tue11b9d76a96506.exe	101
PID 4804 wrote to memory of 4836	4804	cmd.exe	102
PID 4804 wrote to memory of 4836	4804	cmd.exe	102
PID 884 wrote to memory of 1552	884	cmd.exe	103
PID 884 wrote to memory of 1552	884	cmd.exe	103
PID 884 wrote to memory of 1552	884	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS83E38583\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11d7385a978cc.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11d7385a978cc.exe
        
        Tue11d7385a978cc.exe
        5⤵
        Executes dropped EXE
        
        PID:4764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11b9d76a96506.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11b9d76a96506.exe
        
        Tue11b9d76a96506.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Users\Admin\AppData\Local\Temp\is-7NR0D.tmp\Tue11b9d76a96506.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7NR0D.tmp\Tue11b9d76a96506.tmp" /SL5="$20156,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11b9d76a96506.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\is-2USNC.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2USNC.tmp\46807GHF____.exe" /S /UID=burnerch2
        7⤵
        
        PID:5136
        
        C:\Program Files\MSBuild\DTJQVCDAZX\ultramediaburner.exe
        
        "C:\Program Files\MSBuild\DTJQVCDAZX\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\is-TDTKB.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TDTKB.tmp\ultramediaburner.tmp" /SL5="$20260,281924,62464,C:\Program Files\MSBuild\DTJQVCDAZX\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2560
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\6b-e4044-fbf-d2a98-89a2f75dcdeaa\Nolaenakaexy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6b-e4044-fbf-d2a98-89a2f75dcdeaa\Nolaenakaexy.exe"
        8⤵
        Executes dropped EXE
        
        PID:5972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        Adds Run key to start application
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:5340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd5fd46f8,0x7fffd5fd4708,0x7fffd5fd4718
        10⤵
        
        PID:2144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
        10⤵
        
        PID:1044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        10⤵
        
        PID:1380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        10⤵
        
        PID:2612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
        10⤵
        
        PID:3444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
        10⤵
        
        PID:1588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
        10⤵
        
        PID:1392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
        10⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:3988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
        10⤵
        
        PID:5508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
        10⤵
        
        PID:3444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5588 /prefetch:2
        10⤵
        
        PID:6676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:8
        10⤵
        
        PID:6740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:8
        10⤵
        
        PID:6524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
        10⤵
        
        PID:6164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
        10⤵
        
        PID:6884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1748 /prefetch:8
        10⤵
        
        PID:6228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5208 /prefetch:8
        10⤵
        
        PID:1696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
        10⤵
        
        PID:6388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
        10⤵
        
        PID:3156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=4480 /prefetch:8
        10⤵
        
        PID:2164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,8088830925652413851,13746344406144732299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8
        10⤵
        
        PID:2016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        9⤵
        
        PID:2300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd5fd46f8,0x7fffd5fd4708,0x7fffd5fd4718
        10⤵
        
        PID:5992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
        9⤵
        
        PID:4640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fffd5fd46f8,0x7fffd5fd4708,0x7fffd5fd4718
        10⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\e1-aea6a-558-256ac-058b454797da9\Dijaejefaena.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e1-aea6a-558-256ac-058b454797da9\Dijaejefaena.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rusegva1.pbd\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\rusegva1.pbd\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\rusegva1.pbd\GcleanerEU.exe /eufive
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 284
        11⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b1krxaug.yva\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\b1krxaug.yva\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1krxaug.yva\installer.exe /qn CAMPAIGN="654"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:3212
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\b1krxaug.yva\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\b1krxaug.yva\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630777569 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        Enumerates connected drives
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a3yipiik.el4\anyname.exe & exit
        9⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\a3yipiik.el4\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\a3yipiik.el4\anyname.exe
        10⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\a3yipiik.el4\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a3yipiik.el4\anyname.exe" -u
        11⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3pjd3ddl.gd0\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\3pjd3ddl.gd0\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\3pjd3ddl.gd0\gcleaner.exe /mixfive
        10⤵
        Executes dropped EXE
        
        PID:6132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 280
        11⤵
        Executes dropped EXE
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jpunpb0u.kro\autosubplayer.exe /S & exit
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1109eec571ac.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue1109eec571ac.exe
        
        Tue1109eec571ac.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:3728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 292
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11bc0507b56295.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11bc0507b56295.exe
        
        Tue11bc0507b56295.exe
        5⤵
        Executes dropped EXE
        
        PID:4640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 280
        6⤵
        Program crash
        
        PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e4e580f2e8141a3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        Tue11e4e580f2e8141a3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:724
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2600
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5564
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:6116
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:3656
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4764
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4296
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5584
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5468
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5308
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5472
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4736
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:828
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:6044
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5616
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2220
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5732
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3900
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1040
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1204
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5024
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2820
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6208
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6784
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4068
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6404
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6912
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2596
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6536
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2512
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1364
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6576
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6804
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6200
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6604
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1880
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2028
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6572
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6076
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6400
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6716
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7068
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4068
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6872
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3204
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4784
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5220
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6840
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5172
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1868
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6748
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4376
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6300
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6640
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 28
        7⤵
        Program crash
        
        PID:7100
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5044
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2608
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6624
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6348
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4724
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1U3se7
        7⤵
        
        PID:5248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7fffd5fd46f8,0x7fffd5fd4708,0x7fffd5fd4718
        8⤵
        
        PID:6756
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4968
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5100
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7076
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6544
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6448
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4968
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6752
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7128
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3084
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3988
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3856
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6340
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1512
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6360
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6452
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1100
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6832
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:812
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:768
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6700 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6648
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6724
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1348
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:132
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6904
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1092
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2992
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3276
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2160
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7120
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6920
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4048
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:448
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5484
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3804
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7028
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4748
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6796
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5000
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6580
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6180
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2244
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2208
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3136
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6476
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1956
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3664
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4972
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3708
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7132
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6272
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5132
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3624
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7008
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4536
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:804
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6032
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2876
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3680
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3200
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6824
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4988
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6152
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6968
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3136
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6808
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:832
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5648
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5976
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5128
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3264
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6756
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4988
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:408
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5776
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4164
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3996
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6672
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5680
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3508
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4760
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5944
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5484
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2104
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4356
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3480
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1348
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6608
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4660
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2604
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4596
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5944
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6756
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3584
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3300
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4552
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6460
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3568
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6668
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7024
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7316
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7396
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7416
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7440
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7540
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7620
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7740
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7832
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7852
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7924
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7948
      - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11141271fbe5877f.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11141271fbe5877f.exe
        
        Tue11141271fbe5877f.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
      - C:\ProgramData\8136770.exe
        
        "C:\ProgramData\8136770.exe"
        6⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3896 -s 2304
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:568
      - C:\ProgramData\8602585.exe
        
        "C:\ProgramData\8602585.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3228
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:4040
      - C:\ProgramData\3555919.exe
        
        "C:\ProgramData\3555919.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5724
      - C:\ProgramData\3032026.exe
        
        "C:\ProgramData\3032026.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 2440
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue118f55232e4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue118f55232e4.exe
        
        Tue118f55232e4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 1916
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112c483dd3245d.exe
      4⤵
      PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue112c483dd3245d.exe
        
        Tue112c483dd3245d.exe
        5⤵
        Executes dropped EXE
        
        PID:5068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 284
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11f251db82fb7b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3860

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv dn8LwwbFRkCXo9mq/8woaw.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4864

C:\Users\Admin\AppData\Local\Temp\7zS83E38583\Tue11f251db82fb7b.exe
Tue11f251db82fb7b.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3884
- C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  2⤵
  - Executes dropped EXE
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:1904
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:5340
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:2404
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:5024
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:1904
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        
        PID:5820
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        5⤵
        
        PID:5400
- - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
    "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
    3⤵
    PID:5248
  - - C:\Users\Admin\AppData\Roaming\5589927.exe
      "C:\Users\Admin\AppData\Roaming\5589927.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5384
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5384 -s 2300
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1176
  - - C:\Users\Admin\AppData\Roaming\2388351.exe
      "C:\Users\Admin\AppData\Roaming\2388351.exe"
      4⤵
      Executes dropped EXE
      PID:928
  - - C:\Users\Admin\AppData\Roaming\7719473.exe
      "C:\Users\Admin\AppData\Roaming\7719473.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:5284
  - - C:\Users\Admin\AppData\Roaming\8618678.exe
      "C:\Users\Admin\AppData\Roaming\8618678.exe"
      4⤵
      PID:5628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5628 -s 2472
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5748
- - C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe
    "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe"
    3⤵
    - Executes dropped EXE
    PID:5316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 276
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3804
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5404
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5404 -s 1728
      4⤵
      Drops file in Windows directory
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    PID:5580
- - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    - Executes dropped EXE
    PID:5752
  - - C:\Users\Admin\AppData\Local\Temp\is-2E2GI.tmp\setup_2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2E2GI.tmp\setup_2.tmp" /SL5="$201B4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5916
    - - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        5⤵
        
        PID:6132
      - C:\Users\Admin\AppData\Local\Temp\is-LV7U0.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LV7U0.tmp\setup_2.tmp" /SL5="$20224,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:3328
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
    3⤵
    - Executes dropped EXE
    PID:5856
  - - C:\Users\Admin\AppData\Local\Temp\3002.exe
      "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
      4⤵
      Executes dropped EXE
      PID:5268
- - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
    "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
- - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
    3⤵
    - Executes dropped EXE
    PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3728 -ip 3728
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4640 -ip 4640
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5068 -ip 5068
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1556

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6140
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:4780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 452
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5556

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 5404 -ip 5404
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4780 -ip 4780
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1552 -ip 1552
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5316 -ip 5316
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5580 -ip 5580
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1760

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4792
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:1872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 460
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1872 -ip 1872
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 356 -p 3896 -ip 3896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4908

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 5384 -ip 5384
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5960 -ip 5960
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5628 -ip 5628
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5136 -ip 5136
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1764
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FA2D741862E5376211D3F418E132855D C
  2⤵
  - Loads dropped DLL
  PID:5424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4599CB358854723CF851A236A7AF56BF
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2644
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5572
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 11C152D6F01B6D8A7DE73332BB2589B1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:1444

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:572
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:5056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 452
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5056 -ip 5056
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6132 -ip 6132
1⤵
PID:3988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3160 -ip 3160
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5008 -ip 5008
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1672 -ip 1672
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6700 -ip 6700
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6952 -ip 6952
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3252 -ip 3252
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2916 -ip 2916
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5844 -ip 5844
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3164 -ip 3164
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1412 -ip 1412
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery