dcrat | f0198c0a0d120daa97da38b5c6d9c02084f643306729da7e5cf3fdfe436af05a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Alpha.exe
Size

17.7MB
MD5

000049c16395549f6ee5d8d462ea999d
SHA1

f008c8c3edae6e5b934f4d21576aab437a32214a
SHA256

f0198c0a0d120daa97da38b5c6d9c02084f643306729da7e5cf3fdfe436af05a
SHA512

4a215294593191155c7425a96474b5fc52a9818b6068e4db9e8438f4db66615be8f8e8f7e78915b915f997df19e7379154c646af8a880d90b9b5e6a59828c68c
SSDEEP

393216:GZo6fE7woeA8SdC0kn3e6pNKm0jZ08PAcfQWV8fZhYxh0MFww0OO:GuJh8L0qOFmoAtNfjqh0MqO

Score

10^/10

dcrat umbral infostealer rat stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a00000002295c-6.dat	family_umbral
behavioral1/memory/4336-14-0x0000024A3CAF0000-0x0000024A3CB30000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0005000000022973-21.dat	dcrat
behavioral1/files/0x00080000000233fc-58.dat	dcrat
behavioral1/memory/888-60-0x00000000009E0000-0x0000000000BB2000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	oxotana4iterov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Alpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 64 IoCs

pid	Process
4336	Umbral.exe
1756	oxotana4iterov.exe
3856	Umbral.exe
3828	oxotana4iterov.exe
2648	Umbral.exe
1500	oxotana4iterov.exe
888	UnZiper.exe
4668	Umbral.exe
2276	oxotana4iterov.exe
2732	UnZiper.exe
1392	Umbral.exe
760	oxotana4iterov.exe
4644	UnZiper.exe
2528	Umbral.exe
1452	oxotana4iterov.exe
2884	UnZiper.exe
1368	Umbral.exe
1828	oxotana4iterov.exe
4808	UnZiper.exe
4488	Umbral.exe
3024	oxotana4iterov.exe
4512	UnZiper.exe
1308	Umbral.exe
4860	oxotana4iterov.exe
2052	UnZiper.exe
2920	Umbral.exe
2248	oxotana4iterov.exe
3516	UnZiper.exe
4828	Umbral.exe
1820	oxotana4iterov.exe
2636	UnZiper.exe
4056	Umbral.exe
4936	oxotana4iterov.exe
1992	UnZiper.exe
2732	Umbral.exe
404	oxotana4iterov.exe
1388	UnZiper.exe
1700	Umbral.exe
1792	oxotana4iterov.exe
4996	UnZiper.exe
1372	Umbral.exe
2332	oxotana4iterov.exe
1896	UnZiper.exe
2540	Umbral.exe
3744	oxotana4iterov.exe
4148	Umbral.exe
2232	oxotana4iterov.exe
4652	UnZiper.exe
2888	Umbral.exe
3084	oxotana4iterov.exe
2416	Umbral.exe
2368	oxotana4iterov.exe
1968	UnZiper.exe
4860	Umbral.exe
5080	oxotana4iterov.exe
1424	UnZiper.exe
2580	Umbral.exe
3516	oxotana4iterov.exe
1564	UnZiper.exe
1308	Umbral.exe
820	oxotana4iterov.exe
3700	Umbral.exe
4832	UnZiper.exe
4720	oxotana4iterov.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	oxotana4iterov.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4172	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4336	Umbral.exe
Token: SeDebugPrivilege	888	UnZiper.exe
Token: SeDebugPrivilege	2732	UnZiper.exe
Token: SeDebugPrivilege	4644	UnZiper.exe
Token: SeDebugPrivilege	2884	UnZiper.exe
Token: SeDebugPrivilege	4808	UnZiper.exe
Token: SeDebugPrivilege	4172	taskmgr.exe
Token: SeSystemProfilePrivilege	4172	taskmgr.exe
Token: SeCreateGlobalPrivilege	4172	taskmgr.exe
Token: SeDebugPrivilege	4512	UnZiper.exe
Token: SeDebugPrivilege	2052	UnZiper.exe
Token: SeDebugPrivilege	3516	UnZiper.exe
Token: SeDebugPrivilege	2636	UnZiper.exe
Token: SeDebugPrivilege	1992	UnZiper.exe
Token: SeDebugPrivilege	1388	UnZiper.exe
Token: SeDebugPrivilege	4996	UnZiper.exe
Token: SeDebugPrivilege	1896	UnZiper.exe
Token: SeDebugPrivilege	4652	UnZiper.exe
Token: SeDebugPrivilege	1968	UnZiper.exe
Token: SeDebugPrivilege	1424	UnZiper.exe
Token: SeDebugPrivilege	1564	UnZiper.exe
Token: SeDebugPrivilege	4832	UnZiper.exe
Token: SeDebugPrivilege	4028	UnZiper.exe
Token: SeDebugPrivilege	3456	UnZiper.exe
Token: SeDebugPrivilege	4860	UnZiper.exe
Token: SeDebugPrivilege	4128	UnZiper.exe
Token: SeDebugPrivilege	4812	UnZiper.exe
Token: SeDebugPrivilege	3084	UnZiper.exe
Token: SeDebugPrivilege	4520	UnZiper.exe
Token: SeDebugPrivilege	2308	UnZiper.exe
Token: SeDebugPrivilege	392	UnZiper.exe
Token: SeDebugPrivilege	3456	UnZiper.exe
Token: SeDebugPrivilege	4860	UnZiper.exe
Token: SeDebugPrivilege	2712	UnZiper.exe
Token: SeDebugPrivilege	1604	UnZiper.exe
Token: SeDebugPrivilege	4844	UnZiper.exe
Token: SeDebugPrivilege	4448	UnZiper.exe
Token: SeDebugPrivilege	772	UnZiper.exe
Token: SeDebugPrivilege	3348	UnZiper.exe
Token: SeDebugPrivilege	4756	UnZiper.exe
Token: SeDebugPrivilege	2804	UnZiper.exe
Token: SeDebugPrivilege	4736	UnZiper.exe
Token: SeDebugPrivilege	2132	UnZiper.exe
Token: SeDebugPrivilege	3424	UnZiper.exe
Token: SeDebugPrivilege	2216	UnZiper.exe
Token: SeDebugPrivilege	3548	UnZiper.exe
Token: SeDebugPrivilege	1452	UnZiper.exe
Token: SeDebugPrivilege	3088	UnZiper.exe
Token: SeDebugPrivilege	2324	UnZiper.exe
Token: SeDebugPrivilege	3624	UnZiper.exe
Token: SeDebugPrivilege	1568	UnZiper.exe
Token: SeDebugPrivilege	552	UnZiper.exe
Token: SeDebugPrivilege	2120	UnZiper.exe
Token: SeDebugPrivilege	4100	UnZiper.exe
Token: SeDebugPrivilege	4764	UnZiper.exe
Token: SeDebugPrivilege	2344	UnZiper.exe
Token: SeDebugPrivilege	3384	UnZiper.exe
Token: SeDebugPrivilege	3024	UnZiper.exe
Token: SeDebugPrivilege	4036	UnZiper.exe
Token: SeDebugPrivilege	1076	UnZiper.exe
Token: SeDebugPrivilege	4212	UnZiper.exe
Token: SeDebugPrivilege	1100	UnZiper.exe
Token: SeDebugPrivilege	232	UnZiper.exe
Token: SeDebugPrivilege	5072	UnZiper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe
4172	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4312	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 4336	2964	Alpha.exe	85
PID 2964 wrote to memory of 4336	2964	Alpha.exe	85
PID 2964 wrote to memory of 3580	2964	Alpha.exe	86
PID 2964 wrote to memory of 3580	2964	Alpha.exe	86
PID 2964 wrote to memory of 1756	2964	Alpha.exe	87
PID 2964 wrote to memory of 1756	2964	Alpha.exe	87
PID 2964 wrote to memory of 1756	2964	Alpha.exe	87
PID 1756 wrote to memory of 4416	1756	oxotana4iterov.exe	88
PID 1756 wrote to memory of 4416	1756	oxotana4iterov.exe	88
PID 1756 wrote to memory of 4416	1756	oxotana4iterov.exe	88
PID 3580 wrote to memory of 3856	3580	Alpha.exe	89
PID 3580 wrote to memory of 3856	3580	Alpha.exe	89
PID 3580 wrote to memory of 4720	3580	Alpha.exe	90
PID 3580 wrote to memory of 4720	3580	Alpha.exe	90
PID 3580 wrote to memory of 3828	3580	Alpha.exe	91
PID 3580 wrote to memory of 3828	3580	Alpha.exe	91
PID 3580 wrote to memory of 3828	3580	Alpha.exe	91
PID 3828 wrote to memory of 2388	3828	oxotana4iterov.exe	92
PID 3828 wrote to memory of 2388	3828	oxotana4iterov.exe	92
PID 3828 wrote to memory of 2388	3828	oxotana4iterov.exe	92
PID 4720 wrote to memory of 2648	4720	Alpha.exe	93
PID 4720 wrote to memory of 2648	4720	Alpha.exe	93
PID 4720 wrote to memory of 1272	4720	Alpha.exe	94
PID 4720 wrote to memory of 1272	4720	Alpha.exe	94
PID 4720 wrote to memory of 1500	4720	Alpha.exe	95
PID 4720 wrote to memory of 1500	4720	Alpha.exe	95
PID 4720 wrote to memory of 1500	4720	Alpha.exe	95
PID 1500 wrote to memory of 3660	1500	oxotana4iterov.exe	96
PID 1500 wrote to memory of 3660	1500	oxotana4iterov.exe	96
PID 1500 wrote to memory of 3660	1500	oxotana4iterov.exe	96
PID 4416 wrote to memory of 4156	4416	WScript.exe	97
PID 4416 wrote to memory of 4156	4416	WScript.exe	97
PID 4416 wrote to memory of 4156	4416	WScript.exe	97
PID 4156 wrote to memory of 888	4156	cmd.exe	99
PID 4156 wrote to memory of 888	4156	cmd.exe	99
PID 1272 wrote to memory of 4668	1272	Alpha.exe	101
PID 1272 wrote to memory of 4668	1272	Alpha.exe	101
PID 1272 wrote to memory of 1924	1272	Alpha.exe	102
PID 1272 wrote to memory of 1924	1272	Alpha.exe	102
PID 1272 wrote to memory of 2276	1272	Alpha.exe	103
PID 1272 wrote to memory of 2276	1272	Alpha.exe	103
PID 1272 wrote to memory of 2276	1272	Alpha.exe	103
PID 2276 wrote to memory of 4480	2276	oxotana4iterov.exe	104
PID 2276 wrote to memory of 4480	2276	oxotana4iterov.exe	104
PID 2276 wrote to memory of 4480	2276	oxotana4iterov.exe	104
PID 2388 wrote to memory of 736	2388	WScript.exe	105
PID 2388 wrote to memory of 736	2388	WScript.exe	105
PID 2388 wrote to memory of 736	2388	WScript.exe	105
PID 736 wrote to memory of 2732	736	cmd.exe	107
PID 736 wrote to memory of 2732	736	cmd.exe	107
PID 1924 wrote to memory of 1392	1924	Alpha.exe	108
PID 1924 wrote to memory of 1392	1924	Alpha.exe	108
PID 1924 wrote to memory of 3516	1924	Alpha.exe	109
PID 1924 wrote to memory of 3516	1924	Alpha.exe	109
PID 1924 wrote to memory of 760	1924	Alpha.exe	110
PID 1924 wrote to memory of 760	1924	Alpha.exe	110
PID 1924 wrote to memory of 760	1924	Alpha.exe	110
PID 760 wrote to memory of 3860	760	oxotana4iterov.exe	111
PID 760 wrote to memory of 3860	760	oxotana4iterov.exe	111
PID 760 wrote to memory of 3860	760	oxotana4iterov.exe	111
PID 3660 wrote to memory of 3236	3660	WScript.exe	112
PID 3660 wrote to memory of 3236	3660	WScript.exe	112
PID 3660 wrote to memory of 3236	3660	WScript.exe	112
PID 3236 wrote to memory of 4644	3236	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\Alpha.exe
"C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Users\Admin\AppData\Local\Temp\Alpha.exe
  "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:3856
- - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
    "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
      "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Executes dropped EXE
        
        PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Executes dropped EXE
        
        PID:1392
      - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        6⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        7⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        8⤵
        Checks computer location settings
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        9⤵
        Checks computer location settings
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        10⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        11⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        12⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        13⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        14⤵
        Checks computer location settings
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        15⤵
        Checks computer location settings
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        16⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        17⤵
        Checks computer location settings
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        18⤵
        Checks computer location settings
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        19⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        20⤵
        Checks computer location settings
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        21⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        22⤵
        Checks computer location settings
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        23⤵
        Checks computer location settings
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        24⤵
        Checks computer location settings
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        25⤵
        Checks computer location settings
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        26⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        26⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        27⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        28⤵
        
        PID:4472
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        25⤵
        Checks computer location settings
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        26⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        27⤵
        
        PID:4148
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        24⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        25⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        26⤵
        
        PID:3392
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        23⤵
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        24⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        25⤵
        
        PID:3980
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        22⤵
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        23⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        24⤵
        
        PID:924
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        21⤵
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        22⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        23⤵
        
        PID:3336
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        21⤵
        Checks computer location settings
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        22⤵
        
        PID:4016
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        20⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        21⤵
        
        PID:3828
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        19⤵
        Checks computer location settings
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        20⤵
        
        PID:552
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        18⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        19⤵
        
        PID:4408
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        17⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        18⤵
        
        PID:1736
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        16⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        17⤵
        
        PID:1988
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        15⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        16⤵
        
        PID:4800
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        14⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        15⤵
        
        PID:4320
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        13⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        14⤵
        
        PID:1916
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        12⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        13⤵
        
        PID:3688
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        11⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        12⤵
        
        PID:1216
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        9⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        10⤵
        Checks computer location settings
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        11⤵
        
        PID:672
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        9⤵
        Checks computer location settings
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        10⤵
        
        PID:816
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        8⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        9⤵
        
        PID:1424
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        7⤵
        Checks computer location settings
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        8⤵
        
        PID:4636
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        6⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        7⤵
        
        PID:4828
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
      "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
- - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
    "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:736
      - C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
- C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
  "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4156
    - - C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:888

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\Alpha.exe
"C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
1⤵
PID:3704
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\Alpha.exe
  "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
  2⤵
  PID:364
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:2888
- - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
    "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
    3⤵
    PID:1660
- - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
    "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:3084
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
      4⤵
      PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        5⤵
        
        PID:2940
      - C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
- C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
  "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3744
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
      4⤵
      PID:3316
    - - C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424

C:\Users\Admin\AppData\Local\Temp\Alpha.exe
"C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Users\Admin\AppData\Local\Temp\Alpha.exe
  "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
  2⤵
  - Checks computer location settings
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
    "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
    3⤵
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      PID:768
  - - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
      "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
      4⤵
      PID:2216
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        
        PID:4268
    - - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        5⤵
        Checks computer location settings
        
        PID:3216
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        6⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        7⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        8⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        9⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        10⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        11⤵
        Checks computer location settings
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        12⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        13⤵
        Checks computer location settings
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        14⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        15⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        16⤵
        Checks computer location settings
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        17⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        18⤵
        Checks computer location settings
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        19⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        20⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        21⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        22⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        23⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        24⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        25⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        26⤵
        Checks computer location settings
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        27⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        27⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        28⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        29⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        29⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        30⤵
        Checks computer location settings
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        31⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        31⤵
        Checks computer location settings
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        32⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        33⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        34⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        34⤵
        Checks computer location settings
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        35⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        35⤵
        Checks computer location settings
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        36⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        37⤵
        Checks computer location settings
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        38⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        38⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        39⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        40⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        41⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        41⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        42⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        42⤵
        Checks computer location settings
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        43⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        41⤵
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        42⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        40⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        41⤵
        Checks computer location settings
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        42⤵
        
        PID:2704
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        43⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        39⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        40⤵
        Checks computer location settings
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        41⤵
        
        PID:1852
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        42⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        38⤵
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        39⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        40⤵
        
        PID:3216
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        41⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        37⤵
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        38⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        39⤵
        
        PID:5064
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        40⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        36⤵
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        37⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        38⤵
        
        PID:1820
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        39⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        35⤵
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        36⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        37⤵
        
        PID:3384
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        34⤵
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        35⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        36⤵
        
        PID:1224
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        33⤵
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        34⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        35⤵
        
        PID:4764
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        32⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        33⤵
        Checks computer location settings
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        34⤵
        
        PID:4388
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        31⤵
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        32⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        33⤵
        
        PID:364
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        30⤵
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        31⤵
        Checks computer location settings
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        32⤵
        
        PID:2152
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        29⤵
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        30⤵
        Checks computer location settings
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        31⤵
        
        PID:900
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        28⤵
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        29⤵
        Checks computer location settings
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        30⤵
        
        PID:3416
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        27⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        28⤵
        Checks computer location settings
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        29⤵
        
        PID:1348
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        26⤵
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        27⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        28⤵
        
        PID:4704
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        25⤵
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        26⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        27⤵
        
        PID:4924
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        28⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        24⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        25⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        26⤵
        
        PID:1076
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        23⤵
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        24⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        25⤵
        
        PID:2712
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        22⤵
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        23⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        24⤵
        
        PID:3316
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        21⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        22⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        23⤵
        
        PID:2544
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        20⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        21⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        22⤵
        
        PID:1348
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        19⤵
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        20⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        21⤵
        
        PID:4568
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        18⤵
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        19⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        20⤵
        
        PID:4924
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        17⤵
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        18⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        19⤵
        
        PID:1988
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        16⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        17⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        18⤵
        
        PID:916
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        15⤵
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        16⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        17⤵
        
        PID:2560
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        14⤵
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        15⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        16⤵
        
        PID:3016
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        13⤵
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        14⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        15⤵
        
        PID:3288
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        12⤵
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        13⤵
        Checks computer location settings
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        14⤵
        
        PID:4764
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        11⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        12⤵
        Checks computer location settings
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        13⤵
        
        PID:2444
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        10⤵
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        11⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        12⤵
        
        PID:1280
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        9⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        10⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        11⤵
        
        PID:888
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        8⤵
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        9⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        10⤵
        
        PID:3016
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        7⤵
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        8⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        9⤵
        
        PID:4868
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
      - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        6⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        7⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        8⤵
        
        PID:3104
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
    - - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        5⤵
        Modifies registry class
        
        PID:920
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        6⤵
        Checks computer location settings
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        7⤵
        
        PID:2152
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
      "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
      4⤵
      Checks computer location settings
      PID:620
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        5⤵
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        6⤵
        
        PID:3424
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
- - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
    "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:820
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
      4⤵
      Checks computer location settings
      PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        5⤵
        
        PID:2712
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:768
      - C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
- C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
  "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  PID:5080
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
      4⤵
      PID:3516
    - - C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Alpha.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UnZiper.exe.log

Filesize
1KB

MD5
5cb90c90e96a3b36461ed44d339d02e5

SHA1
5508281a22cca7757bc4fbdb0a8e885c9f596a04

SHA256
34c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb

SHA512
63735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
5b57c2fc989cac662bfb47a701607c41

SHA1
8f079e17ac8ff6de547da26b1f4673220551d039

SHA256
9ec87e65f1973fe732713bfdccdab7a5e3b8e4ef99f87e05fe20a692d4af0bdd

SHA512
d83bc196a38f6858aae02a69e4436e3109723b9e2323085c0cbee418e5e7e966500fc97ec8e56b37f7a3a2574db2c41992f16ef55afecc5559a655b1e6fe9a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe

Filesize
2.1MB

MD5
3c9a4df5825cffb82efd28341210cb5e

SHA1
fb5c0017c470dfa2c068830c88e5aaf01fcf28c4

SHA256
9bc59f729ffb4de1824b287b63044ec1f9a5b6d28e19ce4640f848fbd8738869

SHA512
45b7af20b970c6546ff542a828918a0737003b2f8cdde38d7e95736e5b22ce89bd0535ffd46c634a02e8763415a36f75e037065e999a20d3d175df8f7c848d3b

Download Submit
C:\WinRAR\UnZiper.exe

Filesize
1.8MB

MD5
a6d40fd838bb5e01cf15ecd8865b3716

SHA1
d3ac362700cbc6c4732a68df61089acb69029348

SHA256
5c50417c2c36617ee7e888a1a4dc02977fddcca617d84c2e5dbd1f172fd32870

SHA512
3d3b9734a8a78104742af23261c2caabb309ff3f7d237946182f7a07b8f5275a289191da6d19f0883ef7c499f098887e23b3dd06c0ccbeada8e1f721a7e65a59

Download Submit
C:\WinRAR\gn4kMFDzyxtNMy.vbe

Filesize
192B

MD5
3d8415c7e490301c4e6cad33a74cfe18

SHA1
703c9beb239ec68622a7691e3c4c1d3346cc12bd

SHA256
d6058a9013556315506dd79d4fa4339b80b40cd0e6c3a781adabfbfad3548c2e

SHA512
946c6ea4cb62829e964c0ef7601d6ec753e5d7c63d1c000a761c8e60fbff54882072640e86dc8faa905c9e684b04da067480430e90b59b6654f93b7c17367070

Download Submit
C:\WinRAR\t57a9grPX.bat

Filesize
23B

MD5
cbad1e030a37190ced948f45d7582691

SHA1
b1590dc4a67cd1b56b6b0ff42d48325de7bb8ea5

SHA256
8d910a7da0bc8d3baf495648cc0fef5391e8d7486cfc027827d3828a488f7571

SHA512
ce98091245080506c15afd1eba8847e410b43c689ef38b4c971881a0888588cbac39234d73f783ad4f4f113c7fe07d066d4f5e1a2181854b70a032f4308fca92

Download Submit
memory/888-60-0x00000000009E0000-0x0000000000BB2000-memory.dmp

Filesize
1.8MB

Download
memory/888-61-0x0000000001420000-0x000000000142E000-memory.dmp

Filesize
56KB

Download
memory/2964-0-0x00007FFCFF603000-0x00007FFCFF605000-memory.dmp

Filesize
8KB

Download
memory/2964-25-0x00007FFCFF600000-0x00007FFD000C1000-memory.dmp

Filesize
10.8MB

Download
memory/2964-1-0x0000000000710000-0x00000000018D0000-memory.dmp

Filesize
17.8MB

Download
memory/2964-10-0x00007FFCFF600000-0x00007FFD000C1000-memory.dmp

Filesize
10.8MB

Download
memory/4172-106-0x000001B809C10000-0x000001B809C11000-memory.dmp

Filesize
4KB

Download
memory/4172-115-0x000001B809C10000-0x000001B809C11000-memory.dmp

Filesize
4KB

Download
memory/4172-110-0x000001B809C10000-0x000001B809C11000-memory.dmp

Filesize
4KB

Download
memory/4172-104-0x000001B809C10000-0x000001B809C11000-memory.dmp

Filesize
4KB

Download
memory/4172-105-0x000001B809C10000-0x000001B809C11000-memory.dmp

Filesize
4KB

Download
memory/4172-111-0x000001B809C10000-0x000001B809C11000-memory.dmp

Filesize
4KB

Download
memory/4172-116-0x000001B809C10000-0x000001B809C11000-memory.dmp

Filesize
4KB

Download
memory/4172-112-0x000001B809C10000-0x000001B809C11000-memory.dmp

Filesize
4KB

Download
memory/4172-114-0x000001B809C10000-0x000001B809C11000-memory.dmp

Filesize
4KB

Download
memory/4172-113-0x000001B809C10000-0x000001B809C11000-memory.dmp

Filesize
4KB

Download
memory/4336-14-0x0000024A3CAF0000-0x0000024A3CB30000-memory.dmp

Filesize
256KB

Download
memory/4336-16-0x00007FFCFF600000-0x00007FFD000C1000-memory.dmp

Filesize
10.8MB

Download
memory/4336-15-0x00007FFCFF600000-0x00007FFD000C1000-memory.dmp

Filesize
10.8MB

Download
memory/4336-147-0x00007FFCFF600000-0x00007FFD000C1000-memory.dmp

Filesize
10.8MB

Download
memory/4336-158-0x00007FFCFF600000-0x00007FFD000C1000-memory.dmp

Filesize
10.8MB

Download